blocks|key|2957293|text|这取决于您如何配置它(或者说，您可以配置不同的行为)。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2957294|在Web应用程序中，您将使用与SecurityContextPersistenceFilter交互的ThreadLocalSecurityContextHolderStrategy。|offset|length|style|CODE|2957295|SecurityContextPersistenceFilter的Java+Doc开头是：|2957296|2957297|在请求前使用从配置的{@link+SecurityContextHolder}获取的信息填充{@link+SecurityContextRepository}，并在请求完成并清除上下文持有者后将其存储回存储库中。默认情况下，它使用{@+HttpSessionSecurityContextRepository}。有关HttpSession相关配置选项的信息，请参阅此类。|blockquote|2957298|2957299|2957300|顺便说一句:+HttpSessionSecurityContextRepository是SecurityContextRepository的唯一实现(我在默认库中找到)|2957301|它是这样工作的：|2957302|2957303|+HttpSessionSecurityContextRepository使用httpSession+(Key="SPRING_SECURITY_CONTEXT")来存储SecurityContext对象。|unordered-list-item|2957304|2957305|+SecurityContextPersistenceFilter是一个使用SecurityContextRepository+(例如HttpSessionSecurityContextRepository+)来加载和存储SecurityContext对象的过滤器。如果HttpRequest通过了筛选器，筛选器将从存储库中获取SecurityContext并将其放入SecurityContextHolder+(SecurityContextHolder#setContext)+|2957306|中，因为SecurityContextHolder有两个方法setContext和getContext。两者都使用SecurityContextHolderStrategy来指定在set-+and+get-Context方法中到底做了什么。-例如，ThreadLocalSecurityContextHolderStrategy使用本地线程来存储上下文。|2957307|总而言之:用户主体(SecurityContext的元素)存储在HTTP会话中。对于每个请求，都会将其放入您访问它的本地线程中。|2957308|entityMap|0|LINK|mutability|MUTABLE|url|http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-web/3.0.5.RELEASE/spring-security-web-3.0.5.RELEASE.jar!/org/springframework/security/web/context/SecurityContextPersistenceFilter.class?classDetails=ok|1|http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-core/3.0.5.RELEASE/spring-security-core-3.0.5.RELEASE-sources.jar!/org/springframework/security/core/context/ThreadLocalSecurityContextHolderStrategy.java?format=ok|2|http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-web/3.0.5.RELEASE/spring-security-web-3.0.5.RELEASE-sources.jar!/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java?format=ok^0|0|F|W|1E|14|F|W|0|1E|14|1|0|0|W|0|0|0|0|0|0|0|0|1|10|2D|F|1|10|2|0|0|1|W|12|P|1V|10|33|F|4K|F|5R|W|0|4|L|U|A|15|A|1L|T|3G|14|0|0^^$0|@$1|2|3|4|5|6|7|1G|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|1H|8|@$D|1I|E|1J|F|G]|$D|1K|E|1L|F|G]]|9|@$D|1M|E|1N|1|1O]|$D|1P|E|1Q|1|1R]]|A|$]]|$1|H|3|I|5|6|7|1S|8|@$D|1T|E|1U|F|G]]|9|@]|A|$]]|$1|J|3|-4|5|6|7|1V|8|@]|9|@]|A|$]]|$1|K|3|L|5|M|7|1W|8|@]|9|@]|A|$]]|$1|N|3|-4|5|6|7|1X|8|@]|9|@]|A|$]]|$1|O|3|-4|5|6|7|1Y|8|@]|9|@]|A|$]]|$1|P|3|Q|5|6|7|1Z|8|@]|9|@]|A|$]]|$1|R|3|S|5|6|7|20|8|@]|9|@]|A|$]]|$1|T|3|-4|5|6|7|21|8|@]|9|@]|A|$]]|$1|U|3|V|5|W|7|22|8|@$D|23|E|24|F|G]|$D|25|E|26|F|G]]|9|@$D|27|E|28|1|29]]|A|$]]|$1|X|3|-4|5|W|7|2A|8|@]|9|@]|A|$]]|$1|Y|3|Z|5|W|7|2B|8|@$D|2C|E|2D|F|G]|$D|2E|E|2F|F|G]|$D|2G|E|2H|F|G]|$D|2I|E|2J|F|G]|$D|2K|E|2L|F|G]|$D|2M|E|2N|F|G]]|9|@]|A|$]]|$1|10|3|11|5|6|7|2O|8|@$D|2P|E|2Q|F|G]|$D|2R|E|2S|F|G]|$D|2T|E|2U|F|G]|$D|2V|E|2W|F|G]|$D|2X|E|2Y|F|G]]|9|@]|A|$]]|$1|12|3|13|5|6|7|2Z|8|@]|9|@]|A|$]]|$1|14|3|-4|5|6|7|30|8|@]|9|@]|A|$]]]|15|$16|$5|17|18|19|A|$1A|1B]]|1C|$5|17|18|19|A|$1A|1D]]|1E|$5|17|18|19|A|$1A|1F]]]]

It depends on how you configured it (or lets say, you can configure a different behaviour).

In a Web application you will use the <a href="http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-core/3.0.5.RELEASE/spring-security-core-3.0.5.RELEASE-sources.jar!/org/springframework/security/core/context/ThreadLocalSecurityContextHolderStrategy.java?format=ok" rel="noreferrer"><code>ThreadLocalSecurityContextHolderStrategy</code></a> which interacts with <a href="http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-web/3.0.5.RELEASE/spring-security-web-3.0.5.RELEASE.jar!/org/springframework/security/web/context/SecurityContextPersistenceFilter.class?classDetails=ok" rel="noreferrer"><code>SecurityContextPersistenceFilter</code></a>.

The Java Doc of <code>SecurityContextPersistenceFilter</code> starts with:

<blockquote>
 Populates the {@link
 SecurityContextHolder} with
 information obtained from the
 configured {@link
 SecurityContextRepository} prior to
 the request and stores it back in the
 repository once the request has
 completed and clearing the context
 holder. By default it uses an {@link
 HttpSessionSecurityContextRepository}.
 See this class for information
 HttpSession related
 configuration options.
</blockquote>

Btw: HttpSessionSecurityContextRepository is the only implementation of SecurityContextRepository (I have found in the default libs)

It works like this:

<ul>
<li>The <a href="http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-web/3.0.5.RELEASE/spring-security-web-3.0.5.RELEASE-sources.jar!/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java?format=ok" rel="noreferrer"><code>HttpSessionSecurityContextRepository</code></a> uses the httpSession (Key="SPRING_SECURITY_CONTEXT") to store an <code>SecurityContext</code> Object.</li>
<li>The <code>SecurityContextPersistenceFilter</code> is an filter that uses an <code>SecurityContextRepository</code> for example the <code>HttpSessionSecurityContextRepository</code> to load and store <code>SecurityContext</code> Objects. If an HttpRequest passes the filter, the filter get the <code>SecurityContext</code> from the repository and put it in the SecurityContextHolder (<code>SecurityContextHolder#setContext</code>) </li>
<li>The <code>SecurityContextHolder</code> has two methods <code>setContext</code> and <code>getContext</code>. Both uses a <code>SecurityContextHolderStrategy</code> to specify what exactly is done in the set- and get-Context methods. - For example the <code>ThreadLocalSecurityContextHolderStrategy</code> uses a thread local to store the context.</li>
</ul>

So in summary: The user principal (element of SecurityContext) is stored in the HTTP Session. And for each request it is put in a thread local from where you access it.

Is the Userprincipal I retrieve from <code>SecurityContextHolder</code> bound to requests or to sessions?

<code>UserPrincipal principal = (UserPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal();</code>

This is the way I access the currently logged in user. Will this invalidate if the current session is destroyed?

Spring security's SecurityContextHolder: session or request bound?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

我从SecurityContextHolder检索的用户主体是绑定到请求还是绑定到会话？UserPrincipal principal = (UserPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal();这是我访...

Spring security的SecurityContextHolder:绑定会话还是绑定请求？-腾讯云开发者社区-腾讯云

问Spring security的SecurityContextHolder:绑定会话还是绑定请求？
EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问Spring security的SecurityContextHolder:绑定会话还是绑定请求？EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问Spring security的SecurityContextHolder:绑定会话还是绑定请求？
EN