从AuthenticationSuccessHandler访问RequestContextHolder和HttpServletRequest.getUserPrincipal()

时间:2011-09-30 02:08:50

标签: spring authentication spring-mvc spring-security

我有一个Spring-MVC应用程序(即我正在使用Spring的调度程序servlet)。我也使用Spring Security来验证用户身份。因为我使用Spring的调度程序servlet,所以我不必声明

  <listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
  </listener>

在我的web.xml中,以便能够使用RequestContextHolder(如果我正确理解文档)。

我的问题涉及我对接口org.springframework.security.web.authentication.AuthenticationSuccessHandler

的实现
public class AuthenticationSuccessHandlerImpl implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {

        int timeout = 60*60;

        //does work
        request.getSession().setMaxInactiveInterval(timeout); //60 minutes
        System.out.println("Session timeout of user: " + authentication.getName() + " has been set to: " + timeout + " seconds.");

        /*
        //does not work
        session().setMaxInactiveInterval(timeout); //60 minutes
        System.out.println("Session timeout of user: " + request.getUserPrincipal().getName() + " has been set to: " + timeout + " seconds.");
        */

        //now restore the default work flow (SavedRequestAwareAuthenticationSuccessHandler is the default AuthenticationSuccessHandler that Spring uses,
        // see: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-web-filters.html#form-login-flow-handling )
        (new SavedRequestAwareAuthenticationSuccessHandler()).onAuthenticationSuccess(request, response, authentication);
    }

    public static HttpSession session() {
        ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
        return attr.getRequest().getSession(true); // true == allow create
    }
}

你能解释为什么在上面提到的代码中,RequestContextHolder.currentRequestAttributes()HttpServletRequest.getUserPrincipal()不起作用(它们在Controller中工作)?

谢谢!

1 个答案:

答案 0 :(得分:4)

Spring安全性是基于过滤器的。这就是为什么你需要定义RequestContextListener的原因,因为当spring-security的内容发生并且没有设置spring请求上下文时,还不会调用DispatcherServlet。