Etusivu Tutki Apua
Rekisteröidy Kirjaudu sisään
github
/
spring-security
peilaus alkaen https://github.com/spring-projects/spring-security
2
0
Fork 0
Tiedostot Ongelmat 0 Wiki
Puu: 8407c9ebee
Haarat Tagit
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
integrations
/
concurrency.adoc

concurrency.adoc 8.4 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164 
  1. [[concurrency]]
    2. 

  2. = Concurrency Support
    3. 

  3. 

  4. In most environments, Security is stored on a per-`Thread` basis.
    5. 

  5. This means that when work is done on a new `Thread`, the `SecurityContext` is lost.
    6. 

  6. Spring Security provides some infrastructure to help make this much easier to manage.
    7. 

  7. Spring Security provides low-level abstractions for working with Spring Security in multi-threaded environments.
    8. 

  8. In fact, this is what Spring Security builds on to integrate with xref:servlet/integrations/servlet-api.adoc#servletapi-start-runnable[`AsyncContext.start(Runnable)`] and xref:servlet/integrations/mvc.adoc#mvc-async[Spring MVC Async Integration].
    9. 

  9. 

  10. == DelegatingSecurityContextRunnable
    11. 

  11. 

  12. One of the most fundamental building blocks within Spring Security's concurrency support is the `DelegatingSecurityContextRunnable`.
    13. 

  13. It wraps a delegate `Runnable` to initialize the `SecurityContextHolder` with a specified `SecurityContext` for the delegate.
    14. 

  14. It then invokes the delegate `Runnable`, ensuring to clear the `SecurityContextHolder` afterwards.
    15. 

  15. The `DelegatingSecurityContextRunnable` looks something like this:
    16. 

  16. 

  17. [source,java]
    18. 

  18. ----
    19. 

  19. public void run() {
    20. 

  20. try {
    21. 

  21. 	SecurityContextHolder.setContext(securityContext);
    22. 

  22. 	delegate.run();
    23. 

  23. } finally {
    24. 

  24. 	SecurityContextHolder.clearContext();
    25. 

  25. }
    26. 

  26. }
    27. 

  27. ----
    28. 

  28. 

  29. While very simple, it makes it seamless to transfer the `SecurityContext` from one `Thread` to another.
    30. 

  30. This is important since, in most cases, the `SecurityContextHolder` acts on a per-`Thread` basis.
    31. 

  31. For example, you might have used Spring Security's xref:servlet/appendix/namespace/method-security.adoc#nsa-global-method-security[`<global-method-security>`] support to secure one of your services.
    32. 

  32. You can now transfer the `SecurityContext` of the current `Thread` to the `Thread` that invokes the secured service.
    33. 

  33. The following example show how you might do so:
    34. 

  34. 

  35. [source,java]
    36. 

  36. ----
    37. 

  37. Runnable originalRunnable = new Runnable() {
    38. 

  38. public void run() {
    39. 

  39. 	// invoke secured service
    40. 

  40. }
    41. 

  41. };
    42. 

  42. 

  43. SecurityContext context = SecurityContextHolder.getContext();
    44. 

  44. DelegatingSecurityContextRunnable wrappedRunnable =
    45. 

  45. 	new DelegatingSecurityContextRunnable(originalRunnable, context);
    46. 

  46. 

  47. new Thread(wrappedRunnable).start();
    48. 

  48. ----
    49. 

  49. 

  50. The preceding code:
    51. 

  51. 

  52. * Creates a `Runnable` that invokes our secured service.
    53. 

  53. Note that it is not aware of Spring Security.
    54. 

  54. * Obtains the `SecurityContext` that we wish to use from the `SecurityContextHolder` and initializes the `DelegatingSecurityContextRunnable`.
    55. 

  55. * Uses the `DelegatingSecurityContextRunnable` to create a `Thread`.
    56. 

  56. * Starts the `Thread` we created.
    57. 

  57. 

  58. Since it is common to create a `DelegatingSecurityContextRunnable` with the `SecurityContext` from the `SecurityContextHolder`, there is a shortcut constructor for it.
    59. 

  59. The following code has the same effect as the preceding code:
    60. 

  60. 

  61. 

  62. [source,java]
    63. 

  63. ----
    64. 

  64. Runnable originalRunnable = new Runnable() {
    65. 

  65. public void run() {
    66. 

  66. 	// invoke secured service
    67. 

  67. }
    68. 

  68. };
    69. 

  69. 

  70. DelegatingSecurityContextRunnable wrappedRunnable =
    71. 

  71. 	new DelegatingSecurityContextRunnable(originalRunnable);
    72. 

  72. 

  73. new Thread(wrappedRunnable).start();
    74. 

  74. ----
    75. 

  75. 

  76. The code we have is simple to use, but it still requires knowledge that we are using Spring Security.
    77. 

  77. In the next section we will take a look at how we can utilize `DelegatingSecurityContextExecutor` to hide the fact that we are using Spring Security.
    78. 

  78. 

  79. == DelegatingSecurityContextExecutor
    80. 

  80. 

  81. In the previous section, we found that it was easy to use the `DelegatingSecurityContextRunnable`, but it was not ideal since we had to be aware of Spring Security to use it.
    82. 

  82. Now we look at how `DelegatingSecurityContextExecutor` can shield our code from any knowledge that we are using Spring Security.
    83. 

  83. 

  84. The design of `DelegatingSecurityContextExecutor` is similar to that of `DelegatingSecurityContextRunnable`, except that it accepts a delegate `Executor` instead of a delegate `Runnable`.
    85. 

  85. The following example shows how to use it:
    86. 

  86. 

  87. [source,java]
    88. 

  88. ----
    89. 

  89. SecurityContext context = SecurityContextHolder.createEmptyContext();
    90. 

  90. Authentication authentication =
    91. 

  91. 	UsernamePasswordAuthenticationToken.authenticated("user","doesnotmatter", AuthorityUtils.createAuthorityList("ROLE_USER"));
    92. 

  92. context.setAuthentication(authentication);
    93. 

  93. 

  94. SimpleAsyncTaskExecutor delegateExecutor =
    95. 

  95. 	new SimpleAsyncTaskExecutor();
    96. 

  96. DelegatingSecurityContextExecutor executor =
    97. 

  97. 	new DelegatingSecurityContextExecutor(delegateExecutor, context);
    98. 

  98. 

  99. Runnable originalRunnable = new Runnable() {
    100. 

  100. public void run() {
    101. 

  101. 	// invoke secured service
    102. 

  102. }
    103. 

  103. };
    104. 

  104. 

  105. executor.execute(originalRunnable);
    106. 

  106. ----
    107. 

  107. 

  108. This code:
    109. 

  109. 

  110. Note that, in this example, we create the `SecurityContext` by hand.
    111. 

  111. However, it does not matter where or how we get the `SecurityContext` (for example, we could obtain it from the `SecurityContextHolder`).
    112. 

  112. * Creates a `delegateExecutor` that is in charge of executing submitted `Runnable` objects.
    113. 

  113. * Finally, we create a `DelegatingSecurityContextExecutor`, which is in charge of wrapping any `Runnable` that is passed into the `execute` method with a `DelegatingSecurityContextRunnable`.
    114. 

  114. It then passes the wrapped `Runnable` to the `delegateExecutor`.
    115. 

  115. In this case, the same `SecurityContext` is used for every `Runnable` submitted to our `DelegatingSecurityContextExecutor`.
    116. 

  116. This is nice if we run background tasks that need to be run by a user with elevated privileges.
    117. 

  117. * At this point, you may ask yourself, "`How does this shield my code of any knowledge of Spring Security?`" Instead of creating the `SecurityContext` and the `DelegatingSecurityContextExecutor` in our own code, we can inject an already initialized instance of `DelegatingSecurityContextExecutor`.
    118. 

  118. 

  119. Consider the following example:
    120. 

  120. 

  121. [source,java]
    122. 

  122. ----
    123. 

  123. @Autowired
    124. 

  124. private Executor executor; // becomes an instance of our DelegatingSecurityContextExecutor
    125. 

  125. 

  126. public void submitRunnable() {
    127. 

  127. Runnable originalRunnable = new Runnable() {
    128. 

  128. 	public void run() {
    129. 

  129. 	// invoke secured service
    130. 

  130. 	}
    131. 

  131. };
    132. 

  132. executor.execute(originalRunnable);
    133. 

  133. }
    134. 

  134. ----
    135. 

  135. 

  136. Now our code is unaware that the `SecurityContext` is being propagated to the `Thread`, the `originalRunnable` is run, and the `SecurityContextHolder` is cleared out.
    137. 

  137. In this example, the same user is being used to run each thread.
    138. 

  138. What if we wanted to use the user from `SecurityContextHolder` (that is, the currently logged in-user) at the time we invoked `executor.execute(Runnable)` to process `originalRunnable`?
    139. 

  139. You can do so by removing the `SecurityContext` argument from our `DelegatingSecurityContextExecutor` constructor:
    140. 

  140. 

  141. [source,java]
    142. 

  142. ----
    143. 

  143. SimpleAsyncTaskExecutor delegateExecutor = new SimpleAsyncTaskExecutor();
    144. 

  144. DelegatingSecurityContextExecutor executor =
    145. 

  145. 	new DelegatingSecurityContextExecutor(delegateExecutor);
    146. 

  146. ----
    147. 

  147. 

  148. Now, any time `executor.execute(Runnable)` is run, the `SecurityContext` is first obtained by the `SecurityContextHolder` and then that `SecurityContext` is used to create our `DelegatingSecurityContextRunnable`.
    149. 

  149. This means that we are running our `Runnable` with the same user that was used to invoke the `executor.execute(Runnable)` code.
    150. 

  150. 

  151. == Spring Security Concurrency Classes
    152. 

  152. 

  153. See the {security-api-url}index.html[Javadoc] for additional integrations with both the Java concurrent APIs and the Spring Task abstractions.
    154. 

  154. They are self-explanatory once you understand the previous code.
    155. 

  155. 

  156. * {security-api-url}org/springframework/security/concurrent/DelegatingSecurityContextCallable.html[`DelegatingSecurityContextCallable`]
    157. 

  157. * {security-api-url}org/springframework/security/concurrent/DelegatingSecurityContextExecutor.html[`DelegatingSecurityContextExecutor`]
    158. 

  158. * {security-api-url}org/springframework/security/concurrent/DelegatingSecurityContextExecutorService.html[`DelegatingSecurityContextExecutorService`]
    159. 

  159. * {security-api-url}org/springframework/security/concurrent/DelegatingSecurityContextRunnable.html[`DelegatingSecurityContextRunnable`]
    160. 

  160. * {security-api-url}org/springframework/security/concurrent/DelegatingSecurityContextScheduledExecutorService.html[`DelegatingSecurityContextScheduledExecutorService`]
    161. 

  161. * {security-api-url}org/springframework/security/scheduling/DelegatingSecurityContextSchedulingTaskExecutor.html[`DelegatingSecurityContextSchedulingTaskExecutor`]
    162. 

  162. * {security-api-url}org/springframework/security/task/DelegatingSecurityContextAsyncTaskExecutor.html[`DelegatingSecurityContextAsyncTaskExecutor`]
    163. 

  163. * {security-api-url}org/springframework/security/task/DelegatingSecurityContextTaskExecutor.html[`DelegatingSecurityContextTaskExecutor`]
    164. 

  164. * {security-api-url}org/springframework/security/scheduling/DelegatingSecurityContextTaskScheduler.html[`DelegatingSecurityContextTaskScheduler`]
    165.