
spring – Accessing RequestContextHolder and HttpServletRequest.getUserPrincipal() from an AuthenticationSuccessHandler

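I have a Spring MVC application (i.e. I am using Spring's dispatcher servlet). I also use Spring Security to authenticate users. Because I use Spring's dispatcher servlet, I do not have to declare

  

in my web.xml in order to be able to use RequestContextHolder (if I understand the documentation correctly).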

My question concerns my implementation of the interface org.springframework.security.web.authentication.AuthenticationSuccessHandler:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

public class AuthenticationSuccessHandlerImpl implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {

        int timeout = 60*60;

        //does work
        request.getSession().setMaxInactiveInterval(timeout); //60 minutes
        System.out.println("Session timeout of user: " + authentication.getName() + " has been set to: " + timeout + " seconds.");

        /*
        //does not work
        session().setMaxInactiveInterval(timeout); //60 minutes
        System.out.println("Session timeout of user: " + request.getUserPrincipal().getName() + " has been set to: " + timeout + " seconds.");
        */

        //Now restore the default work flow (SavedRequestAwareAuthenticationSuccessHandler is the default AuthenticationSuccessHandler that Spring uses,
        // see: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-web-filters.html#form-login-flow-handling )
        (new SavedRequestAwareAuthenticationSuccessHandler()).onAuthenticationSuccess(request, response, authentication);
    }

    public static HttpSession session() {
        ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
        return attr.getRequest().getSession(true); // true == allow create
    }
}

Can you explain why, in the code above, RequestContextHolder.currentRequestAttributes() and HttpServletRequest.getUserPrincipal() do not work (they do work inside a Controller)?

Thanks!

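Best answer
Spring Security is based on filters. That is why you need to define the RequestContextListener: when the Spring Security processing happens, the DispatcherServlet has not been invoked yet and the Spring request context has not been set up.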
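
A handler that does not depend on the thread-bound request context, given as an added example that is not part of the original question or answer: it works only with the `request` and `authentication` arguments the security filter passes in, and probes `RequestContextHolder` with the null-returning `getRequestAttributes()` instead of the throwing `currentRequestAttributes()`. The class name `SessionTimeoutSuccessHandler` is hypothetical, and the `javax.servlet` imports assume the same servlet API generation as the question's code.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

// Hypothetical class name. Extending the default handler keeps the
// saved-request redirect without creating a new handler on every login.
public class SessionTimeoutSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    // Same 60 minutes as in the question
    private static final int TIMEOUT_SECONDS = 60 * 60;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {

        // getRequestAttributes() returns null when nothing is bound to the thread;
        // currentRequestAttributes() would throw IllegalStateException instead.
        RequestAttributes bound = RequestContextHolder.getRequestAttributes();
        if (bound == null) {
            logger.debug("No request bound to RequestContextHolder inside the security filter chain");
        }

        // The arguments handed to the handler are valid at this point in the
        // filter chain, so take the session and the user name from them.
        HttpSession session = request.getSession();
        session.setMaxInactiveInterval(TIMEOUT_SECONDS);
        logger.info("Session timeout of user " + authentication.getName()
                + " set to " + TIMEOUT_SECONDS + " seconds");

        // Continue with the default redirect to the originally requested URL
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```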
