Google 如何允许在不传递 HttpServletRequest 请求参数的情况下调用 userService.getCurrentUser()?我希望扩展 UserService,但它不允许我轻松做到这一点。
我创建了自己的身份验证机制,它与 UserService 重叠,以便我可以允许 Google 支持的用户和自动登录的用户。但我有兴趣知道如何在从任何函数调用时发送 getCurrentUser。
这是当前的工作流程
请求保护资源->过滤->在某处设置当前用户,但我不确定在哪里,这样我就可以从应用程序的其余部分调用它而不传递httprequests ..
在我的代码中
GetCurrentUser() 应该返回过滤器中设置的用户。请注意,我不会传递原始的 HttpServletRequest
谢谢。
After few days of research, we can safely save the session info in the ThreadLocal. This is set in the servlet filter. Static ThreadLocal variable in a WebApp - Are there any Security/Performance issues?
Since each servlet is executed in a single thread, we can safely call getCurrentUser from the code which then reads from the threadlocal.
Caveat though. Threads are recycled. So you can get a thread which has threadlocal set for a different user. You have to make sure that it is reset everytime.