Does Acegi/Spring Security support getUserPrincipal()?

Published 2019-04-09 06:08

Question:

I need to interface an existing application with Acegi/Spring security.

In order to get started I am looking for one simple piece of information: in this context, will HttpServletRequest.getUserPrincipal() called from my application properly return the username obtained through Spring (as opposed to using Spring-specific objects)? I have Googled conflicting information on this.

I assume that if Acegi is implemented with filters, it is able to overload the Servlet API's getUserPrincipal(), right?

Subsidiary question: if this is not the case by default, is there any way to turn it on?

Thanks,

-Erik

Answer 1:

As the previous user has answered, Spring Security supports getUserPrincipal and isUserInRole. Here is how Spring Security does it.

When you configure Spring, it can load the following filters:

http://static.springframework.org/spring-security/site/reference/html/ns-config.html#filter-stack

As part of the standard filter configuration the SecurityContextHolderAwareRequestFilter filter is loaded.

Examining the filter at https://fisheye.springsource.org/browse/spring-security/tags/spring-security-parent-2.0.4/core/src/main/java/org/springframework/security/wrapper/SecurityContextHolderAwareRequestFilter.java?r=2514

You can see it wraps and replaces the HttpServletRequest object with the SecurityContextHolderAwareRequestWrapper class, which extends HttpServletRequestWrapper (which implements HttpServletRequest), and feeds it back into the standard Servlet Filter doFilter chain. Since the Spring Security filter should be configured as the first filter, all subsequent classes will see the SecurityContextHolderAwareRequestWrapper instead. This includes JSP pages or Servlets behind this filter.

When you make a call to isUserInRole or getUserPrincipal from the JSP page, Servlet or any framework behind this filter, it is calling the HttpServletRequest implementation from Spring Security.



Answer 2:

If you use the security filter, yes it does. I believe this is the default behavior.

Exactly which class you're getting back depends on your configuration, but they all implement the Principal interface by way of Spring's own org.springframework.security.Authentication interface which extends it.

I've used request.getUserPrincipal() and request.isUserInRole() in a Spring application and it works seamlessly, even within JSPs.



Answer 3:

I do believe that Spring Security stores this information in the SecurityContext and not in the request though. You could easily write a FilterSecurityInterceptor that can be configured to add this info to the request also.
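A minimal equivalent of the request wrapping that Answer 1 describes, and of the filter Answer 3 suggests writing, as an added example that is not code from Spring Security or from any of the posters. It is a servlet filter that wraps the request so the plain Servlet API methods getUserPrincipal(), getRemoteUser() and isUserInRole() answer from the thread-bound SecurityContextHolder, plus a servlet behind it that consumes them without any Spring imports of its own. The package names are the Spring Security 2.x ones that appear on this page (org.springframework.security.Authentication, org.springframework.security.context.SecurityContextHolder); in 3.x and later these moved to org.springframework.security.core and org.springframework.security.core.context, and getAuthorities() returns a Collection instead of an array. The class names, the servlet and the ROLE_ prefix handling are assumptions for illustration; check how the wrapper in your own version treats the prefix before relying on isUserInRole.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationTrustResolver;
import org.springframework.security.AuthenticationTrustResolverImpl;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;

// Illustrative filter (hypothetical name): exposes the SecurityContextHolder through the
// standard Servlet API by wrapping the request, the same idea as
// SecurityContextHolderAwareRequestFilter in Spring Security's default stack.
public class PrincipalExposingFilter implements Filter {

    // Assumption: granted authorities are named ROLE_xxx and callers pass "xxx" or "ROLE_xxx".
    private static final String ROLE_PREFIX = "ROLE_";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream (servlets, JSPs, frameworks) now sees the wrapper,
        // not the container's own request object.
        chain.doFilter(new PrincipalExposingRequest((HttpServletRequest) req), res);
    }

    static class PrincipalExposingRequest extends HttpServletRequestWrapper {
        private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

        PrincipalExposingRequest(HttpServletRequest request) { super(request); }

        // The authentication lives in the thread-bound SecurityContext, not in the request.
        // An anonymous token counts as "no user", so an unauthenticated visitor gets null
        // just as with container-managed login.
        private Authentication currentAuthentication() {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth == null || trustResolver.isAnonymous(auth)) {
                return null;
            }
            return auth;
        }

        @Override
        public Principal getUserPrincipal() {
            Authentication auth = currentAuthentication();
            if (auth == null || auth.getPrincipal() == null) {
                return null;
            }
            return auth; // Authentication extends java.security.Principal
        }

        @Override
        public String getRemoteUser() {
            Principal p = getUserPrincipal();
            return p == null ? null : p.getName();
        }

        @Override
        public boolean isUserInRole(String role) {
            Authentication auth = currentAuthentication();
            if (auth == null || role == null) {
                return false;
            }
            String wanted = role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
            GrantedAuthority[] authorities = auth.getAuthorities(); // 2.x API: an array
            if (authorities == null) {
                return false;
            }
            for (GrantedAuthority ga : authorities) {
                if (wanted.equals(ga.getAuthority())) {
                    return true;
                }
            }
            return false;
        }
    }
}

// Hypothetical servlet mapped behind the filter: it only uses the Servlet API.
class WhoAmIServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Principal user = req.getUserPrincipal();
        if (user == null) {
            // null means no authenticated user, or the wrapping filter is not in front of this servlet
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user: " + user.getName());
        out.println("admin: " + req.isUserInRole("ADMIN"));
        // The Principal is in fact Spring's Authentication, so the authorities are reachable on demand.
        if (user instanceof Authentication) {
            for (GrantedAuthority ga : ((Authentication) user).getAuthorities()) {
                out.println("authority: " + ga.getAuthority());
            }
        }
    }
}
```

Two points to keep in mind when using something like this: the filter must be mapped after the Spring Security filter that populates the SecurityContextHolder for the current request, otherwise currentAuthentication() is always null; and with the standard namespace-configured filter stack you do not need it at all, because SecurityContextHolderAwareRequestFilter already performs this wrapping. A quick check from inside your application is to call request.getUserPrincipal() after logging in: if it returns null for an authenticated user, the request you hold is the container's original one, not the wrapper, which usually means the code runs outside (or before) the security filter chain.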