我覺得SessionManagementFilter注意到了這一問題:
if (!securityContextRepository.containsContext(request)) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
// The user has been authenticated during the current request, so call the session strategy
try {
sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
} catch (SessionAuthenticationException e) {
// The session strategy can reject the authentication
logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
SecurityContextHolder.clearContext();
failureHandler.onAuthenticationFailure(request, response, e);
return;
}
// Eagerly save the security context to make it available for any possible re-entrant
// requests which may occur before the current request completes. SEC-1396.
securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
} else {
// No security context or authentication present. Check for a session timeout
if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
if(logger.isDebugEnabled()) {
logger.debug("Requested session ID " + request.getRequestedSessionId() + " is invalid.");
}
if (invalidSessionStrategy != null) {
invalidSessionStrategy.onInvalidSessionDetected(request, response);
return;
}
}
}
}
當然還有更多在這裏比滿足眼睛。該認證被保存在一個ThreadLocal:
在Spring Security,用於存儲請求之間SecurityContext的責任落到了SecurityContextPersistenceFilter,默認存儲上下文HTTP請求之間的一個HttpSession屬性。它會將每個請求的上下文恢復到SecurityContextHolder,並且在請求完成時關鍵地清除SecurityContextHolder。出於安全目的,您不應該直接與HttpSession進行交互。沒有理由這麼做 - 總是使用SecurityContextHolder來代替。
因此,SecurityContextPersistenceFilter負責加載上下文數據(稍後將其擦除),過濾器鏈中的其他模塊將根據此數據做出決定。 (例如,跳過或通過的UserManager服務做認證)
我不是一個SpringSecurity開發商,所以採取這種信息作爲一個受過教育的猜測僅僅:)
感謝您的回覆,我會研究它。 – Chakri