这是Spring Security中的一个错误吗?Spring Security PreAuthentication checkForPrincipalChanges错误?
org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter 线:134
...
Object principal = getPreAuthenticatedPrincipal(request);
if (checkForPrincipalChanges &&
!currentUser.getName().equals(principal)) {
logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
...
难道不应该考虑空preAuthenticatedPrincipal是一个非变化?
我不应该发送preAuthenticatedPrincipal每个请求我应该吗?
不应该有一个检查,看看这个值是否为空?
不应该这个是
Object principal = getPreAuthenticatedPrincipal(request);
if (checkForPrincipalChanges &&
principal!=null &&
!currentUser.getName().equals(principal)) {
logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
通知除了主要的!= NULL & &
这被发现弹簧安全网络3.0.2.RELEASE.jar
如果这确实是一个错误,那么我认为我正在通过向我的实现添加以下覆盖来解决它:
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
if (getPreAuthenticatedPrincipal((HttpServletRequest) request) != null) {
super.doFilter(request, response, chain);
} else {
//if the request did not include a preauthenticated principal then we should just continue are merry way down the filter chain
chain.doFilter(request, response);
}
}
让我知道,如果我错了这是一个错误,是否我错过了我的解决方法。
如何启用checkForPrincipalChanges而不必让客户端在每个请求中发送预认证的主体? – Gabriel 2011-03-02 19:55:06