This is the core code from Anonymousprocessingfilter's method "doFilter":
[code] if (applyAnonymousForThisRequest(request)) {
if (SecurityContextHolder.getContext().getAuthentication() == null) {
SecurityContextHolder.getContext().setAuthentication(createAuthentication(request));
addedToken = true;
if (logger.isDebugEnabled()) {
logger.debug("Populated SecurityContextHolder with anonymous token: '"
+ SecurityContextHolder.getContext().getAuthentication() + "'");
}
} else {
if (logger.isDebugEnabled()) {
logger.debug("SecurityContextHolder not populated with anonymous token, as it already contained: '"
+ SecurityContextHolder.getContext().getAuthentication() + "'");
}
}
}[/code]
the applyAnonymousForThisRequest(request) always return true,so if u difined this filter in the fiter chain,the following code will do.it first check weather the SecurityContext is null,if so,it will create an anonymous userdetails(u all konw what it is).see the code
[code]AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key, userAttribute.getPassword(),
userAttribute.getAuthorities());
auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
[/code]
the key is for create the keyhash for something, the username and roles(Authorities) is defined in the userAttribute.
[code] <bean id="anonymousProcessingFilter"
class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
<property name="key" value="changeThis"/>
<property name="userAttribute"
value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>[/code]
This AnonymousAuthenticationToken will then be used in the FilterSecurityInterceptor to filter the url or function.
also notice that:
[code]try {
chain.doFilter(request, response);
} finally {
if (addedToken && removeAfterRequest
&& createAuthentication(request).equals(SecurityContextHolder.getContext().getAuthentication())) {
SecurityContextHolder.getContext().setAuthentication(null);
}
}[/code]
the AnonymousAuthenticationToken all be cleared at end.
[code] if (applyAnonymousForThisRequest(request)) {
if (SecurityContextHolder.getContext().getAuthentication() == null) {
SecurityContextHolder.getContext().setAuthentication(createAuthentication(request));
addedToken = true;
if (logger.isDebugEnabled()) {
logger.debug("Populated SecurityContextHolder with anonymous token: '"
+ SecurityContextHolder.getContext().getAuthentication() + "'");
}
} else {
if (logger.isDebugEnabled()) {
logger.debug("SecurityContextHolder not populated with anonymous token, as it already contained: '"
+ SecurityContextHolder.getContext().getAuthentication() + "'");
}
}
}[/code]
the applyAnonymousForThisRequest(request) always return true,so if u difined this filter in the fiter chain,the following code will do.it first check weather the SecurityContext is null,if so,it will create an anonymous userdetails(u all konw what it is).see the code
[code]AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key, userAttribute.getPassword(),
userAttribute.getAuthorities());
auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
[/code]
the key is for create the keyhash for something, the username and roles(Authorities) is defined in the userAttribute.
[code] <bean id="anonymousProcessingFilter"
class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
<property name="key" value="changeThis"/>
<property name="userAttribute"
value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>[/code]
This AnonymousAuthenticationToken will then be used in the FilterSecurityInterceptor to filter the url or function.
also notice that:
[code]try {
chain.doFilter(request, response);
} finally {
if (addedToken && removeAfterRequest
&& createAuthentication(request).equals(SecurityContextHolder.getContext().getAuthentication())) {
SecurityContextHolder.getContext().setAuthentication(null);
}
}[/code]
the AnonymousAuthenticationToken all be cleared at end.
207
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
