Concurrency Support

在大多数环境中,Security 按每个 Thread 进行存储。这意味着在对新的 Thread 执行操作后,SecurityContext 会丢失。Spring Security 提供了一些基础设施,帮助用户使此过程更加轻松。Spring Security 提供低级别的抽象,用于在多线程环境中使用 Spring Security。实际上,Spring Security 通过这种方式集成到 AsyncContext.start(Runnable)Spring MVC Async Integration 中。

In most environments, Security is stored on a per Thread basis. This means that when work is done on a new Thread, the SecurityContext is lost. Spring Security provides some infrastructure to help make this much easier for users. Spring Security provides low level abstractions for working with Spring Security in multi-threaded environments. In fact, this is what Spring Security builds on to integration with AsyncContext.start(Runnable) and Spring MVC Async Integration.

DelegatingSecurityContextRunnable

Spring Security 并发支持中最基本的构建块之一是 DelegatingSecurityContextRunnable。它封装了一个委托 Runnable,以便使用指定 SecurityContext 初始化该委托的 SecurityContextHolder。它随后调用委托 Runnable 以确保随后清除 SecurityContextHolderDelegatingSecurityContextRunnable 类似于以下内容:

One of the most fundamental building blocks within Spring Security’s concurrency support is the DelegatingSecurityContextRunnable. It wraps a delegate Runnable in order to initialize the SecurityContextHolder with a specified SecurityContext for the delegate. It then invokes the delegate Runnable ensuring to clear the SecurityContextHolder afterwards. The DelegatingSecurityContextRunnable looks something like this:

  • Java

  • Kotlin

public void run() {
try {
	SecurityContextHolder.setContext(securityContext);
	delegate.run();
} finally {
	SecurityContextHolder.clearContext();
}
}
fun run() {
    try {
        SecurityContextHolder.setContext(securityContext)
        delegate.run()
    } finally {
        SecurityContextHolder.clearContext()
    }
}

虽然非常简单,但它可以无缝地将 SecurityContext 从一个线程传输到另一个线程。这一点非常重要,因为在大多数情况下,SecurityContextHolder 都是按每个线程进行操作的。例如,您可能已使用 Spring Security 的 <global-method-security> 支持来保护其中一项服务。您现在可以轻松地将当前 ThreadSecurityContext 传输到调用受保护服务的 Thread。以下是一个可供参考的示例,说明您如何执行此操作:

While very simple, it makes it seamless to transfer the SecurityContext from one Thread to another. This is important since, in most cases, the SecurityContextHolder acts on a per Thread basis. For example, you might have used Spring Security’s <global-method-security> support to secure one of your services. You can now easily transfer the SecurityContext of the current Thread to the Thread that invokes the secured service. An example of how you might do this can be found below:

  • Java

  • Kotlin

Runnable originalRunnable = new Runnable() {
public void run() {
	// invoke secured service
}
};

SecurityContext context = SecurityContextHolder.getContext();
DelegatingSecurityContextRunnable wrappedRunnable =
	new DelegatingSecurityContextRunnable(originalRunnable, context);

new Thread(wrappedRunnable).start();
val originalRunnable = Runnable {
    // invoke secured service
}
val context: SecurityContext = SecurityContextHolder.getContext()
val wrappedRunnable = DelegatingSecurityContextRunnable(originalRunnable, context)

Thread(wrappedRunnable).start()

上面的代码执行以下步骤:

The code above performs the following steps:

  • Creates a Runnable that will be invoking our secured service. Notice that it is not aware of Spring Security

  • Obtains the SecurityContext that we wish to use from the SecurityContextHolder and initializes the DelegatingSecurityContextRunnable

  • Use the DelegatingSecurityContextRunnable to create a Thread

  • Start the Thread we created

由于使用 SecurityContextHolder 中的 SecurityContext 创建 DelegatingSecurityContextRunnable 非常常见,因此它有一个快捷的构造函数。以下代码与上面的代码相同:

Since it is quite common to create a DelegatingSecurityContextRunnable with the SecurityContext from the SecurityContextHolder there is a shortcut constructor for it. The following code is the same as the code above:

  • Java

  • Kotlin

Runnable originalRunnable = new Runnable() {
public void run() {
	// invoke secured service
}
};

DelegatingSecurityContextRunnable wrappedRunnable =
	new DelegatingSecurityContextRunnable(originalRunnable);

new Thread(wrappedRunnable).start();
val originalRunnable = Runnable {
    // invoke secured service
}

val wrappedRunnable = DelegatingSecurityContextRunnable(originalRunnable)

Thread(wrappedRunnable).start()

我们编写的代码使用起来很简单,但它仍然需要知道我们正在使用 Spring Security。在下一节中,我们将了解如何利用 DelegatingSecurityContextExecutor 来隐藏我们正在使用 Spring Security 的事实。

The code we have is simple to use, but it still requires knowledge that we are using Spring Security. In the next section we will take a look at how we can utilize DelegatingSecurityContextExecutor to hide the fact that we are using Spring Security.

DelegatingSecurityContextExecutor

在上一部分中,我们发现使用 DelegatingSecurityContextRunnable 非常简单,但它并不是理想的,因为我们必须了解 Spring Security 才能使用它。让我们看看 DelegatingSecurityContextExecutor 如何让我们的代码无需任何有关我们使用 Spring Security 的知识。

In the previous section we found that it was easy to use the DelegatingSecurityContextRunnable, but it was not ideal since we had to be aware of Spring Security in order to use it. Let’s take a look at how DelegatingSecurityContextExecutor can shield our code from any knowledge that we are using Spring Security.

DelegatingSecurityContextExecutor 的设计与 DelegatingSecurityContextRunnable 的设计非常相似,不同之处在于它接受委托 Executor,而不是委托 Runnable。你可以看到它可能如何被使用的示例如下:

The design of DelegatingSecurityContextExecutor is very similar to that of DelegatingSecurityContextRunnable except it accepts a delegate Executor instead of a delegate Runnable. You can see an example of how it might be used below:

  • Java

  • Kotlin

SecurityContext context = SecurityContextHolder.createEmptyContext();
Authentication authentication =
	UsernamePasswordAuthenticationToken.authenticated("user","doesnotmatter", AuthorityUtils.createAuthorityList("ROLE_USER"));
context.setAuthentication(authentication);

SimpleAsyncTaskExecutor delegateExecutor =
	new SimpleAsyncTaskExecutor();
DelegatingSecurityContextExecutor executor =
	new DelegatingSecurityContextExecutor(delegateExecutor, context);

Runnable originalRunnable = new Runnable() {
public void run() {
	// invoke secured service
}
};

executor.execute(originalRunnable);
val context: SecurityContext = SecurityContextHolder.createEmptyContext()
val authentication: Authentication =
    UsernamePasswordAuthenticationToken("user", "doesnotmatter", AuthorityUtils.createAuthorityList("ROLE_USER"))
context.authentication = authentication

val delegateExecutor = SimpleAsyncTaskExecutor()
val executor = DelegatingSecurityContextExecutor(delegateExecutor, context)

val originalRunnable = Runnable {
    // invoke secured service
}

executor.execute(originalRunnable)

该代码执行以下步骤:

The code performs the following steps:

  • Creates the SecurityContext to be used for our DelegatingSecurityContextExecutor. Note that in this example we simply create the SecurityContext by hand. However, it does not matter where or how we get the SecurityContext (i.e. we could obtain it from the SecurityContextHolder if we wanted).

  • Creates a delegateExecutor that is in charge of executing submitted `Runnable`s

  • Finally we create a DelegatingSecurityContextExecutor which is in charge of wrapping any Runnable that is passed into the execute method with a DelegatingSecurityContextRunnable. It then passes the wrapped Runnable to the delegateExecutor. In this instance, the same SecurityContext will be used for every Runnable submitted to our DelegatingSecurityContextExecutor. This is nice if we are running background tasks that need to be run by a user with elevated privileges.

  • At this point you may be asking yourself "How does this shield my code of any knowledge of Spring Security?" Instead of creating the SecurityContext and the DelegatingSecurityContextExecutor in our own code, we can inject an already initialized instance of DelegatingSecurityContextExecutor.

  • Java

  • Kotlin

@Autowired
private Executor executor; // becomes an instance of our DelegatingSecurityContextExecutor

public void submitRunnable() {
Runnable originalRunnable = new Runnable() {
	public void run() {
	// invoke secured service
	}
};
executor.execute(originalRunnable);
}
@Autowired
lateinit var executor: Executor // becomes an instance of our DelegatingSecurityContextExecutor

fun submitRunnable() {
    val originalRunnable = Runnable {
        // invoke secured service
    }
    executor.execute(originalRunnable)
}

现在,我们的代码不知道 SecurityContext 正在传播到 Thread,然后 originalRunnable 正在运行,然后 SecurityContextHolder 正在清除。在此示例中,将使用同一位用户来运行每个线程。如果我们希望使用 executor.execute(Runnable) 调用时 SecurityContextHolder 中的用户(即当前已登录用户)来处理 originalRunnable,该怎么办?可以从我们的 DelegatingSecurityContextExecutor 构造函数中删除 SecurityContext 参数来实现此目的。例如:

Now our code is unaware that the SecurityContext is being propagated to the Thread, then the originalRunnable is run, and then the SecurityContextHolder is cleared out. In this example, the same user is being used to run each thread. What if we wanted to use the user from SecurityContextHolder at the time we invoked executor.execute(Runnable) (i.e. the currently logged in user) to process originalRunnable? This can be done by removing the SecurityContext argument from our DelegatingSecurityContextExecutor constructor. For example:

  • Java

  • Kotlin

SimpleAsyncTaskExecutor delegateExecutor = new SimpleAsyncTaskExecutor();
DelegatingSecurityContextExecutor executor =
	new DelegatingSecurityContextExecutor(delegateExecutor);
val delegateExecutor = SimpleAsyncTaskExecutor()
val executor = DelegatingSecurityContextExecutor(delegateExecutor)

现在,任何时候执行 executor.execute(Runnable)SecurityContextHolder 都会首先获得 SecurityContext,然后使用该 SecurityContext 创建我们的 DelegatingSecurityContextRunnable。这意味着我们在运行 Runnable 时使用的是与调用 executor.execute(Runnable) 代码时使用的相同用户。

Now anytime executor.execute(Runnable) is executed the SecurityContext is first obtained by the SecurityContextHolder and then that SecurityContext is used to create our DelegatingSecurityContextRunnable. This means that we are running our Runnable with the same user that was used to invoke the executor.execute(Runnable) code.

Spring Security Concurrency Classes

有关对 Java 并发 API 和 Spring Task 抽象的附加集成的信息,请参考 Javadoc。一旦你理解了以前的代码,它们就不言自明了。

Refer to the Javadoc for additional integrations with both the Java concurrent APIs and the Spring Task abstractions. They are quite self-explanatory once you understand the previous code.

  • DelegatingSecurityContextCallable

  • DelegatingSecurityContextExecutor

  • DelegatingSecurityContextExecutorService

  • DelegatingSecurityContextRunnable

  • DelegatingSecurityContextScheduledExecutorService

  • DelegatingSecurityContextSchedulingTaskExecutor

  • DelegatingSecurityContextAsyncTaskExecutor

  • DelegatingSecurityContextTaskExecutor

  • DelegatingSecurityContextTaskScheduler