如何在Spring中获取Session Object?

eoigrqb6  于 2024-01-05  发布在  Spring
关注(0)|答案(9)|浏览(172)

我对Spring和Spring安全性比较陌生。
我试图编写一个程序,我需要在服务器端使用Spring安全性对用户进行身份验证,
我得出了以下结论:

  1. public class CustomAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider{
  2.     @Override
  3.     protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken)
  4.                     throws AuthenticationException
  5.     {
  6.         System.out.println("Method invoked : additionalAuthenticationChecks isAuthenticated ? :"+usernamePasswordAuthenticationToken.isAuthenticated());
  7.     }
  9.     @Override
  10.     protected UserDetails retrieveUser(String username,UsernamePasswordAuthenticationToken authentication) throws AuthenticationException 
  11.     {
  12.         System.out.println("Method invoked : retrieveUser");
  13.         //so far so good, i can authenticate user here, and throw exception if not authenticated!!
  14.         //THIS IS WHERE I WANT TO ACCESS SESSION OBJECT
  15.     }
  16. }

字符串
我的用例是,当一个用户被认证时,我需要放置一个属性,如:

  1. session.setAttribute("userObject", myUserObject);


myUserObject是某个类的对象,我可以通过多个用户请求在整个服务器代码中访问它。

spring

9条答案

按热度按时间
zf9nrax1

zf9nrax11#

你的朋友是org.springframework.web.context.request.RequestContextHolder

  1. // example usage
  2. public static HttpSession session() {
  3.     ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
  4.     return attr.getRequest().getSession(true); // true == allow create
  5. }

字符串
这将由标准的spring mvc dispatch servlet填充,但是如果你使用不同的web框架,你必须在web.xml中添加org.springframework.web.filter.RequestContextFilter作为过滤器来管理保持器。

编辑:作为一个附带的问题,你实际上想做什么,我不确定你是否需要在UserDetailsServiceretieveUser方法中访问HttpSession。Spring security将为你在会话中放置UserDetails对象。它可以通过访问SecurityContextHolder来检索:

  1. public static UserDetails currentUserDetails(){
  2.     SecurityContext securityContext = SecurityContextHolder.getContext();
  3.     Authentication authentication = securityContext.getAuthentication();
  4.     if (authentication != null) {
  5.         Object principal = authentication.getPrincipal();
  6.         return principal instanceof UserDetails ? (UserDetails) principal : null;
  7.     }
  8.     return null;
  9. }

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
nzkunb0c

nzkunb0c2#

既然你使用的是Spring,那就坚持使用Spring,不要像其他帖子所说的那样自己动手。
Spring manual说道:
出于安全考虑,您不应该直接与HttpSession交互。这样做根本没有正当理由-始终使用SecurityContextHolder。
访问会话的建议最佳做法是:

  1. Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
  3. if (principal instanceof UserDetails) {
  4.   String username = ((UserDetails)principal).getUsername();
  5. } else {
  6.   String username = principal.toString();
  7. }

字符串
这里的关键是Spring和Spring Security为您做了各种各样的伟大的事情,比如Session Fixation Prevention。这些事情假设您正在使用Spring框架,因为它被设计用于使用。因此,在您的servlet中,使其具有上下文意识并像上面的示例那样访问会话。
如果你只需要在会话作用域中存储一些数据,试着创建一些会话作用域bean,比如this example,让autowire来发挥它的魔力。

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
q8l4jmvw

q8l4jmvw3#

我自己做的utils.它很方便。:)

  1. package samples.utils;
  3. import java.util.Arrays;
  4. import java.util.Collection;
  5. import java.util.Locale;
  7. import javax.servlet.ServletContext;
  8. import javax.servlet.http.HttpServletRequest;
  9. import javax.servlet.http.HttpSession;
  10. import javax.sql.DataSource;
  12. import org.slf4j.Logger;
  13. import org.slf4j.LoggerFactory;
  14. import org.springframework.beans.factory.NoSuchBeanDefinitionException;
  15. import org.springframework.beans.factory.NoUniqueBeanDefinitionException;
  16. import org.springframework.context.ApplicationContext;
  17. import org.springframework.context.ApplicationEventPublisher;
  18. import org.springframework.context.MessageSource;
  19. import org.springframework.core.convert.ConversionService;
  20. import org.springframework.core.io.ResourceLoader;
  21. import org.springframework.core.io.support.ResourcePatternResolver;
  22. import org.springframework.ui.context.Theme;
  23. import org.springframework.util.ClassUtils;
  24. import org.springframework.web.context.request.RequestContextHolder;
  25. import org.springframework.web.context.request.ServletRequestAttributes;
  26. import org.springframework.web.context.support.WebApplicationContextUtils;
  27. import org.springframework.web.servlet.LocaleResolver;
  28. import org.springframework.web.servlet.ThemeResolver;
  29. import org.springframework.web.servlet.support.RequestContextUtils;
  31. /**
  32.  * SpringMVC通用工具
  33.  * 
  34.  * @author 应卓([email protected])
  35.  *
  36.  */
  37. public final class WebContextHolder {
  39.     private static final Logger LOGGER = LoggerFactory.getLogger(WebContextHolder.class);
  41.     private static WebContextHolder INSTANCE = new WebContextHolder();
  43.     public WebContextHolder get() {
  44.         return INSTANCE;
  45.     }
  47.     private WebContextHolder() {
  48.         super();
  49.     }
  51.     // --------------------------------------------------------------------------------------------------------------
  53.     public HttpServletRequest getRequest() {
  54.         ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
  55.         return attributes.getRequest();
  56.     }
  58.     public HttpSession getSession() {
  59.         return getSession(true);
  60.     }
  62.     public HttpSession getSession(boolean create) {
  63.         return getRequest().getSession(create);
  64.     }
  66.     public String getSessionId() {
  67.         return getSession().getId();
  68.     }
  70.     public ServletContext getServletContext() {
  71.         return getSession().getServletContext();    // servlet2.3
  72.     }
  74.     public Locale getLocale() {
  75.         return RequestContextUtils.getLocale(getRequest());
  76.     }
  78.     public Theme getTheme() {
  79.         return RequestContextUtils.getTheme(getRequest());
  80.     }
  82.     public ApplicationContext getApplicationContext() {
  83.         return WebApplicationContextUtils.getWebApplicationContext(getServletContext());
  84.     }
  86.     public ApplicationEventPublisher getApplicationEventPublisher() {
  87.         return (ApplicationEventPublisher) getApplicationContext();
  88.     }
  90.     public LocaleResolver getLocaleResolver() {
  91.         return RequestContextUtils.getLocaleResolver(getRequest());
  92.     }
  94.     public ThemeResolver getThemeResolver() {
  95.         return RequestContextUtils.getThemeResolver(getRequest());
  96.     }
  98.     public ResourceLoader getResourceLoader() {
  99.         return (ResourceLoader) getApplicationContext();
  100.     }
  102.     public ResourcePatternResolver getResourcePatternResolver() {
  103.         return (ResourcePatternResolver) getApplicationContext();
  104.     }
  106.     public MessageSource getMessageSource() {
  107.         return (MessageSource) getApplicationContext();
  108.     }
  110.     public ConversionService getConversionService() {
  111.         return getBeanFromApplicationContext(ConversionService.class);
  112.     }
  114.     public DataSource getDataSource() {
  115.         return getBeanFromApplicationContext(DataSource.class);
  116.     }
  118.     public Collection<String> getActiveProfiles() {
  119.         return Arrays.asList(getApplicationContext().getEnvironment().getActiveProfiles());
  120.     }
  122.     public ClassLoader getBeanClassLoader() {
  123.         return ClassUtils.getDefaultClassLoader();
  124.     }
  126.     private <T> T getBeanFromApplicationContext(Class<T> requiredType) {
  127.         try {
  128.             return getApplicationContext().getBean(requiredType);
  129.         } catch (NoUniqueBeanDefinitionException e) {
  130.             LOGGER.error(e.getMessage(), e);
  131.             throw e;
  132.         } catch (NoSuchBeanDefinitionException e) {
  133.             LOGGER.warn(e.getMessage());
  134.             return null;
  135.         }
  136.     }
  138. }

字符串

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
sbtkgmzw

sbtkgmzw4#

实际上,即使会话在HttpSessionLisener上被销毁,您也可以通过执行以下操作从会话中访问信息:

  1. public void sessionDestroyed(HttpSessionEvent hse) {
  2.     SecurityContextImpl sci = (SecurityContextImpl) hse.getSession().getAttribute("SPRING_SECURITY_CONTEXT");
  3.     // be sure to check is not null since for users who just get into the home page but never get authenticated it will be
  4.     if (sci != null) {
  5.         UserDetails cud = (UserDetails) sci.getAuthentication().getPrincipal();
  6.         // do whatever you need here with the UserDetails
  7.     }
  8.  }

字符串
或者你也可以在任何有HttpSession对象的地方访问信息,比如:

  1. SecurityContextImpl sci = (SecurityContextImpl) session().getAttribute("SPRING_SECURITY_CONTEXT");


最后一个假设你有这样的东西:

  1. HttpSession sesssion = ...; // can come from request.getSession(false);

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
1u4esq0p

1u4esq0p5#

在我的场景中,我像这样将HttpSession注入到CustomAuthenticationProvider类中

  1. public class CustomAuthenticationProvider extends  AbstractUserDetailsAuthenticationProvider{
  3.     @Autowired 
  4.     private HttpSession httpSession;
  6.     @Override
  7.     protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken)
  8.              throws AuthenticationException
  9.     {
  10.         System.out.println("Method invoked : additionalAuthenticationChecks isAuthenticated ? :"+usernamePasswordAuthenticationToken.isAuthenticated());
  11.     }
  13.     @Override
  14.     protected UserDetails retrieveUser(String username,UsernamePasswordAuthenticationToken authentication) throws AuthenticationException 
  15.     {
  16.         System.out.println("Method invoked : retrieveUser");
  17.         //so far so good, i can authenticate user here, and throw exception 
  18. if not authenticated!!
  19.         //THIS IS WHERE I WANT TO ACCESS SESSION OBJECT
  20.         httpSession.setAttribute("userObject", myUserObject);
  21.     }
  22. }

字符串

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
91zkwejq

91zkwejq6#

我尝试与下一个代码和工作出色

  1. import org.springframework.security.core.Authentication;
  2.     import org.springframework.security.core.context.SecurityContextHolder;
  3.     import org.springframework.stereotype.Controller;
  4.     import org.springframework.ui.ModelMap;
  5.     import org.springframework.web.bind.annotation.RequestMapping;
  6.     import org.springframework.web.bind.annotation.RequestMethod;
  8.     /**
  9.      * Created by jaime on 14/01/15.
  10.      */
  12.     @Controller
  13.     public class obteinUserSession {
  14.         @RequestMapping(value = "/loginds", method = RequestMethod.GET)
  15.         public String UserSession(ModelMap modelMap) {
  16.             Authentication auth = SecurityContextHolder.getContext().getAuthentication();
  17.             String name = auth.getName();
  18.             modelMap.addAttribute("username", name);
  19.             return "hellos " + name;
  20.         }

字符串

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
g9icjywg

g9icjywg7#

如果你需要的只是User的详细信息,对于 Spring Version 4.x,你可以使用Spring提供的@AuthenticationPrincipal@EnableWebSecurity标签,如下所示。
安全配置类:

  1. @Configuration
  2. @EnableWebSecurity
  3. public class SecurityConfig extends WebSecurityConfigurerAdapter {
  4.    ...
  5. }

字符串
控制器方法:

  1. @RequestMapping("/messages/inbox")
  2. public ModelAndView findMessagesForUser(@AuthenticationPrincipal User user) {
  3.     ...
  4. }

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
jljoyd4f

jljoyd4f8#

  1. ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
  2. attr.getSessionId();

字符串

赞(0)分享  回复(0)举报  2024-01-05
vptzau2j

vptzau2j9#

  1. String token = (String) pageContext.findAttribute("TOKEN");
  2.     if (token.equals(null)) {
  3.         System.out.println("No pasar");
  4.     } else {
  5.         System.out.println("Excelente llego");
  6.     }

字符串

赞(0)分享  回复(0)举报  2024-01-05
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com