Spring Spring SseEmitter 的安全身份验证对象为空
Spring Security Authentication object is null for Spring SseEmitter
我有一个 Spring 控制器方法调用 SseEmitter 将服务器发送的事件推送到浏览器。从浏览器,javascript 为 SSE url 创建 EventSource 是从主页 运行。主页本身需要使用 Spring 基于安全表单的身份验证完成的身份验证。因此,登录页面在成功验证后将指向 home-page.However 服务器发送事件方法中的验证对象为 null。我知道我不正确的 Spring 安全配置导致了这个问题,但不知道如何解决!!
以下是我使用的安全配置
@Configuration
@EnableWebMvcSecurity
public class UCFSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
@Qualifier("epUser")
private UserDetailsService userDetailsService;
@Autowired
private AuthenticationSuccessHandler successHandler;
....
....
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/rest/**").authenticated()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login.htm").failureUrl("/error.htm")
.loginProcessingUrl("/spring_sec_auth.htm")
.usernameParameter("username").passwordParameter("password").permitAll()
.successHandler(successHandler)
.and()
.logout()
//.logoutSuccessUrl("/login.htm?logout")
.invalidateHttpSession(true)
.and().csrf().disable();
}
....
....
}
The SSE method below calls userActivityFeed() in
UserActivityService which uses Authentication object from SecurityContextHolder.getContext().getAuthentication() which throws an NPE!!!
@Controller
public class UserActivityController {
@Autowired
private UserActivityService userActivityService;
@RequestMapping("/userActivity")
public ResponseBodyEmitter activityFeed() {
final SseEmitter emitter = new SseEmitter();
ExecutorService service = Executors.newSingleThreadExecutor();
service.execute(() -> {
try {
emitter.send(userActivityService.userActivityFeed() , MediaType.TEXT_PLAIN);
Thread.sleep(UCFConstants.USR_ACTV_REFRESH_PERIOD);
} catch (Exception e) {
e.printStackTrace();
emitter.completeWithError(e);
return;
}
emitter.complete();
});
service.shutdown();
return emitter;
}
}
Javascript 创建 SSE EventSource 对象
<script type="text/javascript">
var source = new EventSource("/MyApp/rest/userActivity");
source.onmessage = function(event) {
document.getElementById("result").innerHTML += event.data
+ "<br>";
};
</script>
我的申请web.xml
<servlet-mapping>
<servlet-name>MyApp</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MyApp</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
查看 SecurityContextHolder.getContext() 实施。在幕后,它使用 ThreadLocalSecurityContextHolderStrategy 策略来保存您当前的安全上下文。这意味着当前安全上下文只能从请求线程获得。而你的 userActivityFeed() 实际上是在单独的线程中执行的,这就是你在调用 SecurityContextHolder.getContext().getAuthentication().
时得到 NPE 的原因
为了完成所有这些工作,您可以在控制器方法中更早地获取当前用户并将其传递给 userActivityFeed()。
我有一个 Spring 控制器方法调用 SseEmitter 将服务器发送的事件推送到浏览器。从浏览器,javascript 为 SSE url 创建 EventSource 是从主页 运行。主页本身需要使用 Spring 基于安全表单的身份验证完成的身份验证。因此,登录页面在成功验证后将指向 home-page.However 服务器发送事件方法中的验证对象为 null。我知道我不正确的 Spring 安全配置导致了这个问题,但不知道如何解决!!
以下是我使用的安全配置
@Configuration
@EnableWebMvcSecurity
public class UCFSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
@Qualifier("epUser")
private UserDetailsService userDetailsService;
@Autowired
private AuthenticationSuccessHandler successHandler;
....
....
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/rest/**").authenticated()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login.htm").failureUrl("/error.htm")
.loginProcessingUrl("/spring_sec_auth.htm")
.usernameParameter("username").passwordParameter("password").permitAll()
.successHandler(successHandler)
.and()
.logout()
//.logoutSuccessUrl("/login.htm?logout")
.invalidateHttpSession(true)
.and().csrf().disable();
}
....
....
}
The SSE method below calls
userActivityFeed()inUserActivityServicewhich uses Authentication object fromSecurityContextHolder.getContext().getAuthentication()which throws an NPE!!!
@Controller
public class UserActivityController {
@Autowired
private UserActivityService userActivityService;
@RequestMapping("/userActivity")
public ResponseBodyEmitter activityFeed() {
final SseEmitter emitter = new SseEmitter();
ExecutorService service = Executors.newSingleThreadExecutor();
service.execute(() -> {
try {
emitter.send(userActivityService.userActivityFeed() , MediaType.TEXT_PLAIN);
Thread.sleep(UCFConstants.USR_ACTV_REFRESH_PERIOD);
} catch (Exception e) {
e.printStackTrace();
emitter.completeWithError(e);
return;
}
emitter.complete();
});
service.shutdown();
return emitter;
}
}
Javascript 创建 SSE EventSource 对象
<script type="text/javascript">
var source = new EventSource("/MyApp/rest/userActivity");
source.onmessage = function(event) {
document.getElementById("result").innerHTML += event.data
+ "<br>";
};
</script>
我的申请web.xml
<servlet-mapping>
<servlet-name>MyApp</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MyApp</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
查看 SecurityContextHolder.getContext() 实施。在幕后,它使用 ThreadLocalSecurityContextHolderStrategy 策略来保存您当前的安全上下文。这意味着当前安全上下文只能从请求线程获得。而你的 userActivityFeed() 实际上是在单独的线程中执行的,这就是你在调用 SecurityContextHolder.getContext().getAuthentication().
为了完成所有这些工作,您可以在控制器方法中更早地获取当前用户并将其传递给 userActivityFeed()。