
Spring Integration: SecurityContext propagation

Author: Internet

I am somewhat confused about SecurityContext propagation in Spring Integration.

Here is the relevant part of the documentation:

http://docs.spring.io/spring-integration/reference/htmlsingle/#security-context-propagation

My confusion is as follows:

(1) To be sure that our interaction with the application is secure, according to its security system rules, we should supply some security context with an authentication (principal) object. The Spring Security project provides a flexible, canonical mechanism to authenticate our application clients over HTTP, WebSocket or SOAP protocols (as can be done for any other integration protocol with a simple Spring Security extension) and it provides a SecurityContext for further authorization checks on the application objects, such as message channels. By default, the SecurityContext is tied with the current Thread's execution state using the (ThreadLocalSecurityContextHolderStrategy). It is accessed by an AOP interceptor on secured methods to check if that principal of the invocation has sufficient permissions to call that method, for example. This works well with the current thread, but often, processing logic can be performed on another thread or even on several threads, or on to some external system(s).

Does this mean that the SecurityContext is (usually) only available to the current thread? Right?

Then how can it be made accessible to another thread of another application (integrated with Spring Integration)?

(2) Standard thread-bound behavior is easy to configure if our application is built on the Spring Integration components and its message channels. In this case, the secured objects may be any service activator or transformer, secured with a MethodSecurityInterceptor in their (see Section 8.8, "Adding Behavior to Endpoints") or even MessageChannel (see Section D.2, "Securing channels" above). When using DirectChannel communication, the SecurityContext is available automatically, because the downstream flow runs on the current thread. But in case of the QueueChannel, ExecutorChannel and PublishSubscribeChannel with an Executor, messages are transferred from one thread to another (or several) by the nature of those channels. In order to support such scenarios, we can either transfer an Authentication object within the message headers and extract and authenticate it on the other side before secured object access. Or, we can propagate the SecurityContext to the thread receiving the transferred message.

Does this mean we have to extract the Principal manually? If so, how?

Or is using the propagation mechanism from version 4.2 enough?

(3) Starting with version 4.2 SecurityContext propagation has been introduced. It is implemented as a SecurityContextPropagationChannelInterceptor, which can simply be added to any MessageChannel or configured as a @GlobalChannelInterceptor. The logic of this interceptor is based on the SecurityContext extraction from the current thread from the preSend() method, and its populating to another thread from the postReceive() (beforeHandle()) method. Actually, this interceptor is an extension of the more generic ThreadStatePropagationChannelInterceptor, which wraps the message-to-send together with the state-to-propagate in an internal Message extension (MessageWithThreadState) on one side and extracts the original message back and state-to-propagate on another. The ThreadStatePropagationChannelInterceptor can be extended for any context propagation use-case and SecurityContextPropagationChannelInterceptor is a good sample on the matter.

"Starting with version 4.2 SecurityContext propagation has been introduced." => OK, good.

But: "It is implemented as a SecurityContextPropagationChannelInterceptor, which can simply be added to any MessageChannel or configured as a @GlobalChannelInterceptor."

What does that mean? Do I have to implement an interceptor that extends "SecurityContextPropagationChannelInterceptor"?

What do I have to add in the <int:channel> configuration?

What is the difference between using <int:channel-interceptor> (the same as @GlobalChannelInterceptor) and using <int:interceptors>?

Other confusion:

"The logic of this interceptor is based on the SecurityContext extraction from the current thread from the preSend() method, and its populating to another thread from the postReceive() (beforeHandle()) method."

But then why are there an "obtainPropagatingContext" method and a "populatePropagatedContext" method in the SecurityContextPropagationChannelInterceptor class?
Where does the propagation happen? In the preSend()/postReceive() methods, or in those two methods?

Also, I tried to propagate the SecurityContext to an external application, but without success…

Any explanation on this topic would be greatly appreciated.

Solution:

You have a lot of questions here, but let me try to answer.

> What does that mean? Do I have to implement an interceptor that extends "SecurityContextPropagationChannelInterceptor"?

No, there is such an interceptor in the framework out of the box. What you have to do is learn how to add an interceptor to a MessageChannel: http://docs.spring.io/spring-integration/reference/html/messaging-channels-section.html#channel-configuration-interceptors.

Or like this:

import org.springframework.context.annotation.Bean;
import org.springframework.integration.config.GlobalChannelInterceptor;
import org.springframework.integration.security.channel.SecurityContextPropagationChannelInterceptor;
import org.springframework.messaging.support.ChannelInterceptor;

// Declared inside a @Configuration class. The patterns are channel bean names;
// SpEL (#{...}) and property placeholders (${...}) are resolved at startup.
@Bean
@GlobalChannelInterceptor(patterns = {
        "#{'queueChannel'}",
        "${security.channel:executorChannel}",
        "publishSubscribeChannel" })
public ChannelInterceptor securityContextPropagationInterceptor() {
    return new SecurityContextPropagationChannelInterceptor();
}

See its JavaDocs for more information.

> But then why are there an "obtainPropagatingContext" method and a "populatePropagatedContext" method in the SecurityContextPropagationChannelInterceptor class?

SecurityContextPropagationChannelInterceptor extends ThreadStatePropagationChannelInterceptor<Authentication>, where getPropagatingContext and populatePropagatedContext are just generic methods to extract some current state in preSend() (on the sending thread) and to provide that state for populating/manipulation in postReceive(), which may happen in a different thread.

Yes, the SecurityContext is thread-bound in Spring Security, and the logic that ensures we can perform secured functionality is based entirely on a ThreadLocal variable. That is why we have to transfer it this way. "Propagation" is a process, not a state.

Not sure what you mean by "external application", but there is only one mechanism to do that: send the credentials together with the request to that application.
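The ExecutorChannel hand-off described in the answer, as a complete added example (not code from the original post or from the Spring Integration project). It assumes spring-integration-core, spring-integration-security (the module that ships the interceptor in 4.x/5.x) and spring-security-core on the classpath; the bean names, the PropagationDemo class and the OBSERVED future are constructed for the demo. The sender authenticates on the main thread, the service activator runs on the executor thread, and the interceptor is what makes the sender's principal visible there.

```java
import java.util.concurrent.*;

import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.integration.annotation.ServiceActivator;
import org.springframework.integration.channel.ExecutorChannel;
import org.springframework.integration.config.EnableIntegration;
import org.springframework.integration.config.GlobalChannelInterceptor;
import org.springframework.integration.security.channel.SecurityContextPropagationChannelInterceptor;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.GenericMessage;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
@EnableIntegration
public class PropagationDemo {
    // Constructed for the demo: records the principal name the worker thread observes.
    static final CompletableFuture<String> OBSERVED = new CompletableFuture<>();

    // ExecutorChannel hands the message to another thread; without the interceptor
    // the ThreadLocal-bound SecurityContext would be empty on that thread.
    @Bean
    public ExecutorChannel workChannel() {
        return new ExecutorChannel(Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "worker"); t.setDaemon(true); return t; }));
    }

    // The out-of-the-box interceptor from the answer, applied by channel bean-name pattern.
    @Bean
    @GlobalChannelInterceptor(patterns = "workChannel")
    public ChannelInterceptor securityContextPropagationInterceptor() {
        return new SecurityContextPropagationChannelInterceptor();
    }

    // Runs on the executor thread: the interceptor's beforeHandle() has already restored
    // the sender's SecurityContext here and cleans it up again after handling.
    @ServiceActivator(inputChannel = "workChannel")
    public void handle(String payload) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        OBSERVED.complete(auth == null ? "<no authentication>" : auth.getName());
    }

    public static void main(String[] args) throws Exception {
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(PropagationDemo.class)) {
            // Authenticate on the calling thread only. TestingAuthenticationToken is a Spring Security
            // helper; a real flow obtains its Authentication from an AuthenticationManager.
            SecurityContextHolder.getContext().setAuthentication(
                    new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"));
            ctx.getBean("workChannel", ExecutorChannel.class).send(new GenericMessage<>("job"));
            System.out.println("worker thread saw: " + OBSERVED.get(5, TimeUnit.SECONDS));
        }
    }
}
```

Removing the @GlobalChannelInterceptor bean and running again shows the failure mode the documentation warns about: the worker thread reports no authentication at all.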

Tags: spring-security, spring, spring-integration
Source: https://codeday.me/bug/20191118/2027878.html