Spring Security upgrade from 3.0.0.RELEASE to 3.1.0.RELEASE - SecurityContext is no longer stored in the HttpSession when the authentication is null

Time: 2017-07-13 19:50:12

Tags: spring-security

In our application, if an account is locked, a message is shown to the user on the login page. The message can vary depending on some user-related settings (pulled from the database) that are stored in the context. So on the login page we have

    AgentProfile agentProfile = ((WUSecurityContext) SecurityContextHolder.getContext()).getAgentProfile();

With Spring Security 3.0.0.RELEASE this approach worked. The user attempted to log in, a LockedException was thrown, the authentication in the context was set to null, and the SecurityContext was stored in the HttpSession.

Here is the code from HttpSessionSecurityContextRepository version 3.0.0.RELEASE:

    void saveContext(SecurityContext context) {
        if(HttpSessionSecurityContextRepository.this.authenticationTrustResolver.isAnonymous(context.getAuthentication())) {
            if(HttpSessionSecurityContextRepository.this.logger.isDebugEnabled()) {
                HttpSessionSecurityContextRepository.this.logger.debug("SecurityContext contents are anonymous - context will not be stored in HttpSession. ");
            }

        } else {
            HttpSession httpSession = this.request.getSession(false);
            if(httpSession == null) {
                httpSession = this.createNewSessionIfAllowed(context);
            }

            if(httpSession != null && context.hashCode() != this.contextHashBeforeChainExecution) {
                httpSession.setAttribute("SPRING_SECURITY_CONTEXT", context);
                if(HttpSessionSecurityContextRepository.this.logger.isDebugEnabled()) {
                    HttpSessionSecurityContextRepository.this.logger.debug("SecurityContext stored to HttpSession: \'" + context + "\'");
                }
            }

        }
    }

However, the code in saveContext has changed and now includes a check to see whether the authentication is null (if(authentication != null && ...), which prevents the SecurityContext from being stored in the HttpSession.

HttpSessionSecurityContextRepository version 3.1.0.RELEASE:

    protected void saveContext(SecurityContext context) {
        Authentication authentication = context.getAuthentication();
        HttpSession httpSession = this.request.getSession(false);
        if(authentication != null && !HttpSessionSecurityContextRepository.this.authenticationTrustResolver.isAnonymous(authentication)) {
            if(httpSession == null) {
                httpSession = this.createNewSessionIfAllowed(context);
            }

            if(httpSession != null && (this.contextChanged(context) || httpSession.getAttribute(HttpSessionSecurityContextRepository.this.springSecurityContextKey) == null)) {
                httpSession.setAttribute(HttpSessionSecurityContextRepository.this.springSecurityContextKey, context);
                if(HttpSessionSecurityContextRepository.this.logger.isDebugEnabled()) {
                    HttpSessionSecurityContextRepository.this.logger.debug("SecurityContext stored to HttpSession: \'" + context + "\'");
                }
            }

        } else {
            if(HttpSessionSecurityContextRepository.this.logger.isDebugEnabled()) {
                HttpSessionSecurityContextRepository.this.logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
            }

            if(httpSession != null) {
                httpSession.removeAttribute(HttpSessionSecurityContextRepository.this.springSecurityContextKey);
            }

        }
    }

I'm not sure what to do. Trying to override it and make it behave as it did in version 3.0.0.RELEASE feels like it might be the wrong approach. But if I don't have the user information available in the context on the login page, how would I display the custom message? Any help is greatly appreciated.
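As an added example (not part of the question and not Spring Security's own code): since 3.1 deliberately stops persisting a context with a null Authentication, one way to get the profile to the login page without relying on that behaviour is to carry it inside the LockedException itself. Spring Security's default form-login failure handler (SimpleUrlAuthenticationFailureHandler) already stores the AuthenticationException in the HttpSession under WebAttributes.AUTHENTICATION_EXCEPTION, so nothing about SecurityContext storage has to be overridden. AgentProfile is the questioner's type; LockedAgentException, LockedAgentChecker and AgentUserDetails are assumed names.

```java
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.web.WebAttributes;

/**
 * Hypothetical LockedException subclass carrying the questioner's AgentProfile.
 * The default failure handler saves this exception in the HttpSession under
 * WebAttributes.AUTHENTICATION_EXCEPTION, so the login page can read the profile
 * from the exception rather than from a SecurityContext that 3.1 no longer stores.
 * AgentProfile must be Serializable if sessions are replicated or persisted.
 */
public class LockedAgentException extends LockedException {
    private final AgentProfile agentProfile;   // questioner's own type

    public LockedAgentException(String msg, AgentProfile agentProfile) {
        super(msg);
        this.agentProfile = agentProfile;
    }

    public AgentProfile getAgentProfile() {
        return agentProfile;
    }

    /** Login page helper: profile of the locked account, or null for any other failure. */
    public static AgentProfile lockedProfileFrom(HttpSession session) {
        if (session == null) {
            return null;
        }
        Object ex = session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
        return ex instanceof LockedAgentException ? ((LockedAgentException) ex).getAgentProfile() : null;
    }
}

/**
 * Hypothetical replacement for DaoAuthenticationProvider's pre-authentication checks,
 * wired via AbstractUserDetailsAuthenticationProvider.setPreAuthenticationChecks().
 * Assumes the application's UserDetails implementation (AgentUserDetails, assumed) exposes
 * the AgentProfile. The default checker also tests isEnabled() and isAccountNonExpired();
 * add those checks here before wiring this in, or the provider will skip them.
 */
class LockedAgentChecker implements UserDetailsChecker {
    public void check(UserDetails user) {
        if (!user.isAccountNonLocked()) {
            AgentProfile profile = (user instanceof AgentUserDetails)
                    ? ((AgentUserDetails) user).getAgentProfile() : null;
            throw new LockedAgentException("User account is locked", profile);
        }
    }
}
```

On the login page, `LockedAgentException.lockedProfileFrom(request.getSession(false))` replaces the cast of SecurityContextHolder.getContext() shown in the question.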

0 answers:

No answers