SecurityContextPersistenceFilter:创建空SecurityContext并设置到SecurityContextHolder
/**
 * Loads the {@link SecurityContext} for the current request from {@code repo}, exposes it through
 * {@link SecurityContextHolder} while the rest of the filter chain runs, and on the way out stores
 * whatever the chain left in the holder back into {@code repo} before clearing the holder.
 *
 * <p>The {@code FILTER_APPLIED} request attribute guards against the filter running twice for the
 * same request (for example on a forward or include). The {@code finally} block is what keeps the
 * thread-local context from leaking into the next request handled by the same thread: it runs even
 * when the chain throws, and the holder is cleared <em>before</em> {@code repo.saveContext} is
 * called, so the context never outlives the request even if saving fails.
 *
 * @param req the incoming request; must be an {@link HttpServletRequest}
 * @param res the outgoing response; must be an {@link HttpServletResponse}
 * @param chain the remaining filter chain
 * @throws IOException propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) req;
    HttpServletResponse httpResponse = (HttpServletResponse) res;

    // Re-entry guard: the filter must be applied only once per request.
    boolean alreadyApplied = httpRequest.getAttribute(FILTER_APPLIED) != null;
    if (alreadyApplied) {
        chain.doFilter(httpRequest, httpResponse);
        return;
    }

    final boolean debugEnabled = logger.isDebugEnabled();
    httpRequest.setAttribute(FILTER_APPLIED, Boolean.TRUE);

    if (forceEagerSessionCreation) {
        HttpSession session = httpRequest.getSession();
        // session.isNew() is only consulted when debug logging is on, as in the original.
        if (debugEnabled) {
            if (session.isNew()) {
                logger.debug("Eagerly created session: " + session.getId());
            }
        }
    }

    HttpRequestResponseHolder holder = new HttpRequestResponseHolder(httpRequest, httpResponse);

    // Step 1: load the context from the repository. Per the original note, the default
    // implementation is HttpSessionSecurityContextRepository, which reads it from the session and
    // hands back an empty SecurityContext when none is stored there.
    SecurityContext loadedContext = repo.loadContext(holder);
    try {
        // Step 2: publish the context for downstream filters and the application.
        SecurityContextHolder.setContext(loadedContext);
        chain.doFilter(holder.getRequest(), holder.getResponse());
    }
    finally {
        SecurityContext resultingContext = SecurityContextHolder.getContext();
        // Step 3: clear the holder first so the thread-local cannot leak to another request,
        // then persist the resulting context so the next request can pick it up.
        SecurityContextHolder.clearContext();
        repo.saveContext(resultingContext, holder.getRequest(), holder.getResponse());
        httpRequest.removeAttribute(FILTER_APPLIED);
        if (debugEnabled) {
            logger.debug("SecurityContextHolder now cleared, as request processing completed");
        }
    }
}