Spring Security: the same SecurityContext instance in multiple ThreadLocals, how does that work?
I've some questions about Spring Security 3.0.5 and the SecurityContext. First of all, I'll try to conclude what I know:
- SecurityContextHolder stores SecurityContext
- Between Requests, SecurityContext is stored in HttpSession
- Begin of Request: SecurityContextHolder gets SecurityContext from HttpSession
- End of Request: SecurityContextHolder puts SecurityContext in HttpSession
During the Request, on the server, SecurityContextHolder uses a ThreadLocal. Everywhere in the application (same request), the SecurityContext can be accessed.
Now my question....
--> Two Requests: the SecurityContext-instance will be shared
How does this work? I mean, SecurityContextHolder uses a ThreadLocal for Each Request.
2 Request = 2 ThreadLocals
Each request does: getSessionAttribute (SecurityContext) from HttpSession
What happens if they work on the SecurityContext? Is the SecurityContext changed in all ThreadLocals?
As far as I know: yes (??)
How does this work? How can they work on the same instance? I mean, I really can't imagine how two different threads with two different ThreadLocals can work on the same instance?
API (ThreadLocal):
This class provides thread-local variables. These variables differ from their normal counterparts in that each thread that accesses one (via its get or set method) has its own, independently initialized copy of the variable.
I mean, that's it: copy! Maybe I'm wrong and it's not possible for two threads to work on the same SecurityContext? But Spring Security Documentation says so!
Would be great if someone could explain that to me :-) Thank you!
Comments (1)
Each thread has its own value of ThreadLocal, but nothing prevents these values from being equal. So, in this case multiple threads would have references to the same instance of SecurityContext. Usually it's not a problem, but if you want to modify security context, you can enable defensive copying, see SEC-356.
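The behaviour described in the answer above, as an added example that is not part of the original question or answer and is not Spring Security code: a plain-Java simulation of two concurrent requests in one session, first sharing one context reference and then each taking a defensive copy. `Context`, `session` and `holder` are hypothetical stand-ins for SecurityContext, the HttpSession attribute and the ThreadLocal inside SecurityContextHolder.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;

public class SharedContextDemo {
    // Hypothetical stand-in for SecurityContext: a mutable holder for the authentication.
    static class Context {
        volatile String authentication;
        Context(String a) { authentication = a; }
    }
    // Stand-ins for the HttpSession attribute map and SecurityContextHolder's ThreadLocal.
    static final Map<String, Context> session = new ConcurrentHashMap<>();
    static final ThreadLocal<Context> holder = new ThreadLocal<>();

    // Two concurrent requests in one session; returns what request B sees after request A mutates.
    static String run(boolean defensiveCopy) throws InterruptedException {
        session.put("CTX", new Context("alice")); // constructed sample value
        CountDownLatch bothLoaded = new CountDownLatch(2);
        CountDownLatch mutated = new CountDownLatch(1);
        String[] seenByB = new String[1];
        // Start of request: each thread stores a reference (or a copy) in its own ThreadLocal slot.
        Runnable load = () -> {
            Context fromSession = session.get("CTX");
            holder.set(defensiveCopy ? new Context(fromSession.authentication) : fromSession);
            bothLoaded.countDown();
        };
        Thread a = new Thread(() -> {
            load.run();
            awaitQuietly(bothLoaded);               // mutate only after B has loaded too
            holder.get().authentication = "admin";  // request A modifies "its" context
            mutated.countDown();
            holder.remove();
        });
        Thread b = new Thread(() -> {
            load.run();
            awaitQuietly(mutated);
            seenByB[0] = holder.get().authentication; // read through B's own ThreadLocal
            holder.remove();
        });
        a.start(); b.start(); a.join(); b.join();
        return seenByB[0];
    }
    static void awaitQuietly(CountDownLatch latch) {
        try { latch.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared reference: B sees " + run(false));
        System.out.println("defensive copy:   B sees " + run(true));
    }
}
```

With the shared reference, request B observes the change made by request A, because the two ThreadLocal slots are separate but point at one object; with the copy, B keeps the value it loaded at the start of its request.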