我使用Spring Security进行用户身份验证，但SecurityContext的是空当在不登录的用户。

在我的web.xml我有：

 <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>

在我的security.xml我有

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:http="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- Static resources such as CSS and JS files are ignored by Spring Security -->
    <security:http pattern="/resources/**" security="none" />

    <security:http use-expressions="true">
        <!-- Enables Spring Security CSRF protection -->
        <security:csrf/>
        <!-- Configures the form login -->
        <security:form-login
                login-page="/login"
                login-processing-url="/login/authenticate"
                authentication-failure-url="/login?error=bad_credentials"
                username-parameter="username"
                password-parameter="password"/>
        <!-- Configures the logout function -->
        <security:logout
                logout-url="/logout"
                logout-success-url="/home"
                delete-cookies="JESSIONID"/>

        <security:intercept-url pattern="/**" method="GET" access="permitAll"/>
        <security:intercept-url pattern="/user/register" method="POST" access="permitAll"/>

        <!-- These operations are protected. -->
        <security:intercept-url pattern="/product/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
        <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <security:access-denied-handler error-page="/login"/>

        <!-- Adds social authentication filter to the Spring Security filter chain. -->
        <security:custom-filter ref="socialAuthenticationFilter" before="PRE_AUTH_FILTER" />
    </security:http>

...其他配置...

在那里我得到空的代码是：

HttpSession session = request.getSession(true);
SecurityContext securityContext =(SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT");
Authentication authentication = securityContext.getAuthentication();
user = (Object) authentication.getPrincipal();

但我得到在没有用户登录空SecurityContext的 。任何帮助，我做错了

从http://docs.spring.io/spring-security/site/docs/3.0.x/reference/anonymous.html ：

...请注意，没有谁是“匿名认证”用户和未认证用户之间没有真正概念上的差异。 Spring Security的匿名认证只是给您配置访问控制属性的更方便的方法 。 调用Servlet API的调用，如getCallerPrincipal，例如，仍然会返回null，即使实际上没有在SecurityContextHolder中的匿名认证对象。

还有其他一些情况，其中匿名认证是有用的，当一个审计拦截器查询SecurityContextHolder来确定哪些主要负责给定的操作，例如。 类可以，如果他们知道SecurityContextHolder里总是包含一个Authentication对象，永远不能为null更有力撰写。

因此，像一个设置（也引用页）：

<bean id="anonymousAuthFilter"
  class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
  <property name="key" value="foobar"/>
  <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>
<bean id="anonymousAuthenticationProvider"
  class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
  <property name="key" value="foobar"/>
</bean>

..和调整你的security.xml条目从：

permitAll

..至：

ROLE_ANONYMOUS

应提供你总是用Securitycontext / Authentication对象（但不一定与“校长”）。