SEC-2299: Document @AuthenticationPrincipal
This commit is contained in:
Rob Winch
parent
5f290ba10f
commit
4a24c81147
|
|
@ -5687,6 +5687,65 @@ Refer to the Javadoc for additional integrations with both the Java concurrent A
|
||||||
|
|
||||||
Spring Security provides a number of optional integrations with Spring MVC. This section covers the integration in further detail.
|
Spring Security provides a number of optional integrations with Spring MVC. This section covers the integration in further detail.
|
||||||
|
|
||||||
|
[[mvc-authentication-principal]]
|
||||||
|
==== @AuthenticationPrincipal
|
||||||
|
|
||||||
|
Spring Security provides ability to automatically resolve the current `Authentication.getPrincipal()` for Spring MVC arguments. This means that you can be entirely decoupled from Spring Security in your Spring MVC layer.
|
||||||
|
|
||||||
|
Consider a situation where a custom `UserDetailsService` that returns an `Object` that implements `UserDetails` and your own `CustomUser` `Object`. The `CustomUser` of the currently authenticated user could be accessed using the following code:
|
||||||
|
|
||||||
|
[source,java]
|
||||||
|
----
|
||||||
|
import org.springframework.security.web.bind.annotation.AuthenticationPrincipal;
|
||||||
|
|
||||||
|
// ...
|
||||||
|
|
||||||
|
@RequestMapping("/messages/inbox")
|
||||||
|
public ModelAndView findMessagesForUser() {
|
||||||
|
Authentication authentication =
|
||||||
|
SecurityContextHolder.getContext().getAuthentication();
|
||||||
|
CustomUser custom = (CustomUser) authentication == null ? null : authentication.getPrincipal();
|
||||||
|
|
||||||
|
// .. find messags for this user and return them ...
|
||||||
|
}
|
||||||
|
----
|
||||||
|
|
||||||
|
As of Spring Security 3.2 we can resolve the argument more directly by adding an annotation. For example:
|
||||||
|
|
||||||
|
[source,java]
|
||||||
|
----
|
||||||
|
@RequestMapping("/messages/inbox")
|
||||||
|
public ModelAndView findMessagesForUser(@AuthenticationPrincipal CustomUser customUser) {
|
||||||
|
|
||||||
|
// .. find messags for this user and return them ...
|
||||||
|
}
|
||||||
|
----
|
||||||
|
|
||||||
|
We can further remove our dependency on Spring Security by making `@AuthenticationPrincipal` a meta annotation on our own annotation. Below we demonstrate how we could do this on an annotation named `@CurrentUser`.
|
||||||
|
|
||||||
|
NOTE: It is important to realize that in order to remove the dependency on Spring Security, it is the consuming application that would create `@CurrentUser`. This step is not strictly required, but assists in isolating your dependency to Spring Security to a more central location.
|
||||||
|
|
||||||
|
[source,java]
|
||||||
|
----
|
||||||
|
@Target({ElementType.PARAMETER, ElementType.TYPE})
|
||||||
|
@Retention(RetentionPolicy.RUNTIME)
|
||||||
|
@Documented
|
||||||
|
@AuthenticationPrincipal
|
||||||
|
public @interface CurrentUser {}
|
||||||
|
----
|
||||||
|
|
||||||
|
Now that `@CurrentUser` has been specified, we can use it to signal to resolve our `CustomUser` of the currently authenticated user. We have also isolated our dependency on Spring Security to a single file.
|
||||||
|
|
||||||
|
[source,java]
|
||||||
|
----
|
||||||
|
@RequestMapping("/messages/inbox")
|
||||||
|
public ModelAndView findMessagesForUser(@CurrentUser CustomUser customUser) {
|
||||||
|
|
||||||
|
// .. find messags for this user and return them ...
|
||||||
|
}
|
||||||
|
----
|
||||||
|
|
||||||
|
|
||||||
[[mvc-async]]
|
[[mvc-async]]
|
||||||
==== Spring MVC Async Integration
|
==== Spring MVC Async Integration
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue