Home Esplora Aiuto
Registrati Accedi
github
/
spring-security
mirror da https://github.com/spring-projects/spring-security
2
0
Forka 0
File Problemi 0 Wiki
Albero (Tree): 8ad91287d9
Rami (Branch) Tag
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
integrations
/
concurrency.adoc

concurrency.adoc 8.4 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176 
  1. [[concurrency]]
    2. 

  2. = Concurrency Support
    3. 

  3. 

  4. In most environments, Security is stored on a per-`Thread` basis.
    5. 

  5. This means that when work is done on a new `Thread`, the `SecurityContext` is lost.
    6. 

  6. Spring Security provides some infrastructure to help make this much easier to manage.
    7. 

  7. Spring Security provides low-level abstractions for working with Spring Security in multi-threaded environments.
    8. 

  8. In fact, this is what Spring Security builds on to integrate with xref:servlet/integrations/servlet-api.adoc#servletapi-start-runnable[`AsyncContext.start(Runnable)`] and xref:servlet/integrations/mvc.adoc#mvc-async[Spring MVC Async Integration].
    9. 

  9. 

  10. == DelegatingSecurityContextRunnable
    11. 

  11. 

  12. One of the most fundamental building blocks within Spring Security's concurrency support is the `DelegatingSecurityContextRunnable`.
    13. 

  13. It wraps a delegate `Runnable` to initialize the `SecurityContextHolder` with a specified `SecurityContext` for the delegate.
    14. 

  14. It then invokes the delegate `Runnable`, ensuring to clear the `SecurityContextHolder` afterwards.
    15. 

  15. The `DelegatingSecurityContextRunnable` looks something like this:
    16. 

  16. 

  17. ====
    18. 

  18. [source,java]
    19. 

  19. ----
    20. 

  20. public void run() {
    21. 

  21. try {
    22. 

  22. 	SecurityContextHolder.setContext(securityContext);
    23. 

  23. 	delegate.run();
    24. 

  24. } finally {
    25. 

  25. 	SecurityContextHolder.clearContext();
    26. 

  26. }
    27. 

  27. }
    28. 

  28. ----
    29. 

  29. ====
    30. 

  30. 

  31. While very simple, it makes it seamless to transfer the `SecurityContext` from one `Thread` to another.
    32. 

  32. This is important since, in most cases, the `SecurityContextHolder` acts on a per-`Thread` basis.
    33. 

  33. For example, you might have used Spring Security's xref:servlet/appendix/namespace/method-security.adoc#nsa-global-method-security[`<global-method-security>`] support to secure one of your services.
    34. 

  34. You can now transfer the `SecurityContext` of the current `Thread` to the `Thread` that invokes the secured service.
    35. 

  35. The following example show how you might do so:
    36. 

  36. 

  37. ====
    38. 

  38. [source,java]
    39. 

  39. ----
    40. 

  40. Runnable originalRunnable = new Runnable() {
    41. 

  41. public void run() {
    42. 

  42. 	// invoke secured service
    43. 

  43. }
    44. 

  44. };
    45. 

  45. 

  46. SecurityContext context = SecurityContextHolder.getContext();
    47. 

  47. DelegatingSecurityContextRunnable wrappedRunnable =
    48. 

  48. 	new DelegatingSecurityContextRunnable(originalRunnable, context);
    49. 

  49. 

  50. new Thread(wrappedRunnable).start();
    51. 

  51. ----
    52. 

  52. ====
    53. 

  53. 

  54. The preceding code:
    55. 

  55. 

  56. * Creates a `Runnable` that invokes our secured service.
    57. 

  57. Note that it is not aware of Spring Security.
    58. 

  58. * Obtains the `SecurityContext` that we wish to use from the `SecurityContextHolder` and initializes the `DelegatingSecurityContextRunnable`.
    59. 

  59. * Uses the `DelegatingSecurityContextRunnable` to create a `Thread`.
    60. 

  60. * Starts the `Thread` we created.
    61. 

  61. 

  62. Since it is common to create a `DelegatingSecurityContextRunnable` with the `SecurityContext` from the `SecurityContextHolder`, there is a shortcut constructor for it.
    63. 

  63. The following code has the same effect as the preceding code:
    64. 

  64. 

  65. 

  66. ====
    67. 

  67. [source,java]
    68. 

  68. ----
    69. 

  69. Runnable originalRunnable = new Runnable() {
    70. 

  70. public void run() {
    71. 

  71. 	// invoke secured service
    72. 

  72. }
    73. 

  73. };
    74. 

  74. 

  75. DelegatingSecurityContextRunnable wrappedRunnable =
    76. 

  76. 	new DelegatingSecurityContextRunnable(originalRunnable);
    77. 

  77. 

  78. new Thread(wrappedRunnable).start();
    79. 

  79. ----
    80. 

  80. ====
    81. 

  81. 

  82. The code we have is simple to use, but it still requires knowledge that we are using Spring Security.
    83. 

  83. In the next section we will take a look at how we can utilize `DelegatingSecurityContextExecutor` to hide the fact that we are using Spring Security.
    84. 

  84. 

  85. == DelegatingSecurityContextExecutor
    86. 

  86. 

  87. In the previous section, we found that it was easy to use the `DelegatingSecurityContextRunnable`, but it was not ideal since we had to be aware of Spring Security to use it.
    88. 

  88. Now we look at how `DelegatingSecurityContextExecutor` can shield our code from any knowledge that we are using Spring Security.
    89. 

  89. 

  90. The design of `DelegatingSecurityContextExecutor` is similar to that of `DelegatingSecurityContextRunnable`, except that it accepts a delegate `Executor` instead of a delegate `Runnable`.
    91. 

  91. The following example shows how to use it:
    92. 

  92. 

  93. ====
    94. 

  94. [source,java]
    95. 

  95. ----
    96. 

  96. SecurityContext context = SecurityContextHolder.createEmptyContext();
    97. 

  97. Authentication authentication =
    98. 

  98. 	UsernamePasswordAuthenticationToken.authenticated("user","doesnotmatter", AuthorityUtils.createAuthorityList("ROLE_USER"));
    99. 

  99. context.setAuthentication(authentication);
    100. 

  100. 

  101. SimpleAsyncTaskExecutor delegateExecutor =
    102. 

  102. 	new SimpleAsyncTaskExecutor();
    103. 

  103. DelegatingSecurityContextExecutor executor =
    104. 

  104. 	new DelegatingSecurityContextExecutor(delegateExecutor, context);
    105. 

  105. 

  106. Runnable originalRunnable = new Runnable() {
    107. 

  107. public void run() {
    108. 

  108. 	// invoke secured service
    109. 

  109. }
    110. 

  110. };
    111. 

  111. 

  112. executor.execute(originalRunnable);
    113. 

  113. ----
    114. 

  114. ====
    115. 

  115. 

  116. This code:
    117. 

  117. 

  118. Note that, in this example, we create the `SecurityContext` by hand.
    119. 

  119. However, it does not matter where or how we get the `SecurityContext` (for example, we could obtain it from the `SecurityContextHolder`).
    120. 

  120. * Creates a `delegateExecutor` that is in charge of executing submitted `Runnable` objects.
    121. 

  121. * Finally, we create a `DelegatingSecurityContextExecutor`, which is in charge of wrapping any `Runnable` that is passed into the `execute` method with a `DelegatingSecurityContextRunnable`.
    122. 

  122. It then passes the wrapped `Runnable` to the `delegateExecutor`.
    123. 

  123. In this case, the same `SecurityContext` is used for every `Runnable` submitted to our `DelegatingSecurityContextExecutor`.
    124. 

  124. This is nice if we run background tasks that need to be run by a user with elevated privileges.
    125. 

  125. * At this point, you may ask yourself, "`How does this shield my code of any knowledge of Spring Security?`" Instead of creating the `SecurityContext` and the `DelegatingSecurityContextExecutor` in our own code, we can inject an already initialized instance of `DelegatingSecurityContextExecutor`.
    126. 

  126. 

  127. Consider the following example:
    128. 

  128. 

  129. ====
    130. 

  130. [source,java]
    131. 

  131. ----
    132. 

  132. @Autowired
    133. 

  133. private Executor executor; // becomes an instance of our DelegatingSecurityContextExecutor
    134. 

  134. 

  135. public void submitRunnable() {
    136. 

  136. Runnable originalRunnable = new Runnable() {
    137. 

  137. 	public void run() {
    138. 

  138. 	// invoke secured service
    139. 

  139. 	}
    140. 

  140. };
    141. 

  141. executor.execute(originalRunnable);
    142. 

  142. }
    143. 

  143. ----
    144. 

  144. ====
    145. 

  145. 

  146. Now our code is unaware that the `SecurityContext` is being propagated to the `Thread`, the `originalRunnable` is run, and the `SecurityContextHolder` is cleared out.
    147. 

  147. In this example, the same user is being used to run each thread.
    148. 

  148. What if we wanted to use the user from `SecurityContextHolder` (that is, the currently logged in-user) at the time we invoked `executor.execute(Runnable)` to process `originalRunnable`?
    149. 

  149. You can do so by removing the `SecurityContext` argument from our `DelegatingSecurityContextExecutor` constructor:
    150. 

  150. 

  151. ====
    152. 

  152. [source,java]
    153. 

  153. ----
    154. 

  154. SimpleAsyncTaskExecutor delegateExecutor = new SimpleAsyncTaskExecutor();
    155. 

  155. DelegatingSecurityContextExecutor executor =
    156. 

  156. 	new DelegatingSecurityContextExecutor(delegateExecutor);
    157. 

  157. ----
    158. 

  158. ====
    159. 

  159. 

  160. Now, any time `executor.execute(Runnable)` is run, the `SecurityContext` is first obtained by the `SecurityContextHolder` and then that `SecurityContext` is used to create our `DelegatingSecurityContextRunnable`.
    161. 

  161. This means that we are running our `Runnable` with the same user that was used to invoke the `executor.execute(Runnable)` code.
    162. 

  162. 

  163. == Spring Security Concurrency Classes
    164. 

  164. 

  165. See the {security-api-url}index.html[Javadoc] for additional integrations with both the Java concurrent APIs and the Spring Task abstractions.
    166. 

  166. They are self-explanatory once you understand the previous code.
    167. 

  167. 

  168. * {security-api-url}org/springframework/security/concurrent/DelegatingSecurityContextCallable.html[`DelegatingSecurityContextCallable`]
    169. 

  169. * {security-api-url}org/springframework/security/concurrent/DelegatingSecurityContextExecutor.html[`DelegatingSecurityContextExecutor`]
    170. 

  170. * {security-api-url}org/springframework/security/concurrent/DelegatingSecurityContextExecutorService.html[`DelegatingSecurityContextExecutorService`]
    171. 

  171. * {security-api-url}org/springframework/security/concurrent/DelegatingSecurityContextRunnable.html[`DelegatingSecurityContextRunnable`]
    172. 

  172. * {security-api-url}org/springframework/security/concurrent/DelegatingSecurityContextScheduledExecutorService.html[`DelegatingSecurityContextScheduledExecutorService`]
    173. 

  173. * {security-api-url}org/springframework/security/scheduling/DelegatingSecurityContextSchedulingTaskExecutor.html[`DelegatingSecurityContextSchedulingTaskExecutor`]
    174. 

  174. * {security-api-url}org/springframework/security/task/DelegatingSecurityContextAsyncTaskExecutor.html[`DelegatingSecurityContextAsyncTaskExecutor`]
    175. 

  175. * {security-api-url}org/springframework/security/task/DelegatingSecurityContextTaskExecutor.html[`DelegatingSecurityContextTaskExecutor`]
    176. 

  176. * {security-api-url}org/springframework/security/scheduling/DelegatingSecurityContextTaskScheduler.html[`DelegatingSecurityContextTaskScheduler`]
    177.