ξ Ű ؽ Ʈ 丮 ҽ ص帳 ϴ .
ť Ƽ ؽ Ʈ 丮 ε
http ؽ Ʈ 丮 ҽ ٰ Ű °
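/**
 * {@link SecurityContextRepository} that reads the current {@link Authentication} from cookies
 * instead of the HTTP session.
 * <p>
 * Two cookies are consulted: the one named by {@code cookieName}, whose decoded value is a JSON
 * {@code ActionUserDetails}, and the cookie named {@value #SIGNATURE_COOKIE_NAME}, whose decoded
 * value is carried as the token's credentials. Both are decoded with {@code cookieKey} via
 * {@code CookieUtils.decodeCookie}.
 * <p>
 * This repository is effectively read-only: {@link #saveContext} is a no-op and the response
 * wrapper never writes a cookie, so whoever issues the cookies must do so elsewhere.
 * <p>
 * Instances are configured through the setters and validated in {@link #afterPropertiesSet()}.
 */
public class CookieSecurityContextRepository implements SecurityContextRepository, InitializingBean {

    public static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    /** Name of the cookie that carries the signature; the user payload lives in {@code cookieName}. */
    private static final String SIGNATURE_COOKIE_NAME = "sign";

    /** ObjectMapper is thread-safe once configured, so one shared instance is enough. */
    private static final ObjectMapper MAPPER = new ObjectMapper();

    protected final Log logger = LogFactory.getLog(this.getClass());

    /** Optional concrete context type; {@code null} means use the holder strategy's default. */
    private Class<? extends SecurityContext> securityContextClass = null;
    private boolean disableUrlRewriting = false;
    /** Name of the cookie holding the JSON user payload. Required. */
    private String cookieName;
    /** Key handed to {@code CookieUtils.decodeCookie} for both cookies. Required. */
    private String cookieKey;
    private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();

    /**
     * Loads the security context for the current request from the cookies.
     * <p>
     * Any failure to decode or parse the cookie is logged and treated as "no context", so a
     * malformed or tampered cookie yields an anonymous request rather than an error page.
     *
     * @param requestResponseHolder holder for the request and response; the response is wrapped
     *        in a {@link SaveToCookieResponseWrapper} when an authentication was found
     * @return a context carrying the cookie-derived authentication, or a fresh empty context
     */
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
        HttpServletRequest request = requestResponseHolder.getRequest();
        HttpServletResponse response = requestResponseHolder.getResponse();

        Authentication authentication = null;
        try {
            authentication = getAuthenticationFromCookie(request);
        } catch (IOException e) {
            // Jackson's JsonParseException and JsonMappingException both extend IOException,
            // so this one handler covers a malformed, truncated or tampered payload.
            logger.error("Could not read authentication from cookie; treating request as unauthenticated", e);
        }

        if (authentication == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("No SecurityContext was available A new one will be created.");
            }
            return generateNewContext();
        }

        // Build a fresh context instead of mutating whatever SecurityContextHolder currently
        // holds: on a pooled thread the holder may still carry state from an earlier request,
        // and the persistence filter installs the returned context anyway.
        SecurityContext context = generateNewContext();
        context.setAuthentication(authentication);
        requestResponseHolder.setResponse(new SaveToCookieResponseWrapper(response, context.hashCode()));
        return context;
    }

    /**
     * Rebuilds an {@link Authentication} from the user and signature cookies.
     *
     * @param request the current request; may be {@code null}
     * @return the authenticated token, or {@code null} when either cookie is absent or decodes
     *         to {@code null}
     * @throws IOException if the user payload cannot be parsed as {@code ActionUserDetails}
     *         (Jackson's parse/mapping exceptions are {@code IOException}s)
     */
    private Authentication getAuthenticationFromCookie(HttpServletRequest request) throws IOException {
        logger.debug("getAuthenticationFromCookie");
        if (request == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("No cookie currently exists");
            }
            return null;
        }

        Cookie userCookie = CookieUtils.getCookieByName(request, cookieName);
        if (userCookie == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("No token cookie currently exists");
            }
            return null;
        }
        String tokens = CookieUtils.decodeCookie(userCookie.getValue(), cookieKey);
        if (tokens == null) {
            // Same treatment as a missing cookie; mirrors the credentials check below.
            return null;
        }
        // Deliberately do not log the decoded payload: it is the serialized principal and
        // would end up in log files. Only the cookie name is recorded.
        if (logger.isDebugEnabled()) {
            logger.debug("Decoded user cookie '" + cookieName + "'");
        }
        ActionUserDetails user = MAPPER.readValue(tokens, ActionUserDetails.class);

        Cookie signatureCookie = CookieUtils.getCookieByName(request, SIGNATURE_COOKIE_NAME);
        if (signatureCookie == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("No signature cookie currently exists");
            }
            return null;
        }
        String credentials = CookieUtils.decodeCookie(signatureCookie.getValue(), cookieKey);
        if (credentials == null) {
            return null;
        }

        // NOTE(review): the decoded signature is only carried as the token's credentials;
        // nothing here compares it against the user payload, so tamper-resistance rests
        // entirely on CookieUtils.decodeCookie(value, cookieKey) rejecting altered input.
        // Confirm that property before relying on setAuthenticated(true) below.
        CookieAuthenticationToken newAuthentication =
                new CookieAuthenticationToken(user, credentials, user.getAuthorities());
        newAuthentication.setAuthenticated(true);
        return newAuthentication;
    }

    /**
     * No-op: this repository never writes the context back to a cookie. Cookie issuance has
     * to happen elsewhere (e.g. at login time).
     */
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
    }

    /**
     * Reports whether the request carries a non-empty user cookie. Only presence is checked;
     * the value is not decoded here.
     *
     * @param request the current request
     * @return {@code true} if the cookie named {@code cookieName} exists with a non-empty value
     */
    public boolean containsContext(HttpServletRequest request) {
        Cookie cookie = CookieUtils.getCookieByName(request, cookieName);
        if (cookie == null) {
            return false;
        }
        String value = cookie.getValue();
        // A cookie with a null value is as useless as an empty one.
        return value != null && value.length() != 0;
    }

    /**
     * By default, calls {@link SecurityContextHolder#createEmptyContext()} to
     * obtain a new context (there should be no context present in the holder
     * when this method is called). Using this approach the context creation
     * strategy is decided by the {@link SecurityContextHolderStrategy} in use.
     * The default implementations will return a new
     * <tt>SecurityContextImpl</tt>.
     * <p>
     * An alternative way of customizing the <tt>SecurityContext</tt>
     * implementation is by setting the <tt>securityContextClass</tt> property.
     * In this case, the method will attempt to invoke the no-args constructor
     * on the supplied class instead and return the created instance.
     *
     * @return a new SecurityContext instance. Never null.
     */
    SecurityContext generateNewContext() {
        if (securityContextClass == null) {
            return SecurityContextHolder.createEmptyContext();
        }
        SecurityContext context = null;
        try {
            // Explicit constructor lookup rather than the deprecated Class.newInstance().
            context = securityContextClass.getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            // Rethrows as an unchecked exception, so the null return below is not reached.
            ReflectionUtils.handleReflectionException(e);
        }
        return context;
    }

    /**
     * Allows the use of session identifiers in URLs to be disabled. Off by
     * default.
     *
     * @param disableUrlRewriting
     *            set to <tt>true</tt> to disable URL encoding methods in the
     *            response wrapper and prevent the use of <tt>jsessionid</tt>
     *            parameters.
     */
    public void setDisableUrlRewriting(boolean disableUrlRewriting) {
        this.disableUrlRewriting = disableUrlRewriting;
    }

    public String getCookieName() {
        return cookieName;
    }

    /** @param cookieName name of the cookie carrying the JSON user payload; must not be empty */
    public void setCookieName(String cookieName) {
        this.cookieName = cookieName;
    }

    public String getCookieKey() {
        return cookieKey;
    }

    /** @param cookieKey key used to decode both cookies; must not be empty */
    public void setCookieKey(String cookieKey) {
        this.cookieKey = cookieKey;
    }

    // ~ Inner Classes
    // ==================================================================================================

    /**
     * Response wrapper installed by {@link #loadContext}. It inherits the "save on commit or
     * error" hook from the superclass, but cookie persistence is not implemented, so the hook
     * only decides whether anything <em>would</em> need saving.
     */
    final class SaveToCookieResponseWrapper extends SaveContextOnUpdateOrErrorResponseWrapper {

        /** Hash of the context as loaded, used to detect whether it changed during the chain. */
        private final int contextHashBeforeChainExecution;

        public SaveToCookieResponseWrapper(HttpServletResponse response, int contextHashBeforeChainExecution) {
            super(response, disableUrlRewriting);
            this.contextHashBeforeChainExecution = contextHashBeforeChainExecution;
        }

        @Override
        protected void saveContext(SecurityContext context) {
            final Authentication authentication = context.getAuthentication();
            // See SEC-776
            if (authentication == null || authenticationTrustResolver.isAnonymous(authentication)) {
                if (logger.isDebugEnabled()) {
                    logger.debug("SecurityContext is empty or anonymous - context will not be stored.");
                }
                return;
            }
            // Only a changed context would need persisting (see JIRA SEC-37 / SEC-1561 for the
            // session-based equivalent).
            if (context.hashCode() == contextHashBeforeChainExecution) {
                return;
            }
            // TODO: writing the updated context back to the cookies is not implemented; a
            // context modified during the request is therefore silently dropped.
        }
    }

    @Override
    public void afterPropertiesSet() throws Exception {
        Assert.hasLength(cookieName, "Cookie name cannot be empty or null");
        Assert.hasLength(cookieKey, "Cookie key cannot be empty or null");
    }
}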
2012 02 09 16:37, ڹ :
> ȳ Ͻʴϱ
> ȸ ڹ Դϴ .
> ٸ ƴ϶ ϰ ִµ , ̹ ? û ҽ ϴ
> oauth Ͽ ý ϴµ , access ū ̿ ؼ ʰ ش ϴ±
> ť Ƽ ؼ oauth ι δ ؼ α Ͽ ϰ ־ µ
> ߵ ٲ ؼ Ȳ
> ã ƺ
> spring security
> SecurityContextPersistenceFilter
> SecurityContextHolder
> HttpSessionSecurityContextRepository
> Ŭ Ͽ
> ϸ ȴٰ ϴ
> غ ϴ
> Ȥ ̷ κ غ ź ƴ ϴ
> ֽø ϰڽ ϴ .