Make the code support both modes: access after logging in, and access with a token in the request header.
First, refactor the code.
Changing this to getSession() introduces a problem later: once I authenticate successfully with httpBasic, my user information is stored in the session, so subsequent requests can get access without the Authorization request header.
The effect I want is this: if you have not logged in and you use httpBasic, every request must carry the header. Only after you have logged in can requests omit the header. To achieve this, we need to distinguish which sessions were created through httpBasic.
The session obtained by the getSession call below is one created through httpBasic.
The other is the login method: calling it creates a session inside the login method.
The effect I want is that a session created through httpBasic is destroyed when the method call ends and the response returns.
So the next time the client comes back, the session is gone. It must carry the token for the request to be accepted.
To get this effect, write a try/finally here.
The filter call is placed inside the try, and the finally block invalidates the session.
But there is a problem: written this way, the session created by login would be invalidated too. So a check is needed. A session created through httpBasic gets an extra temp attribute; if that attribute is not null, invalidate the session.
Now we support both access after login and access through httpBasic.
Use UserInfo to receive it.
The method originally written in User needs to move:
cut that code into UserInfo.
This property is also copied over. Note that it is copied, not cut.
SecurityConfig
Previously the value here was hard-coded; now I know that I want to get the user information from the session.
Spring has a static method that lets us get the session.
Cast the result.
From ServletRequestAttributes we can get the current request, and then get the session from the request.
Now the AuditorAware can find out who the real user is and return the user name. When the audit log is finally written, the user name is that of the currently logged-in user.
That completes the refactoring.
Implement logout
Invalidate the session.
Here this is then changed to UserInfo.
Run
With a filter it is not clear which code is invoked when a request comes in and which code is called when the response goes back; this is less intuitive than an interceptor's methods.
An interceptor's preHandle and afterCompletion are more intuitive to read.
Now a request that carries no header and comes from a client that has not logged in returns 401.
Next, send our request header.
With the request header, we get the user information.
With the request header deleted, access is denied again: for httpBasic, the session is cleared every time a response goes back.
Test login
After a successful login, request our method without the header. It is accessible because we are logged in and the server kept the session.
Call the logout method.
After logout, call the getUser method again.
The above achieves the result we wanted: our method supports two authentication methods. Along the way the request passes through flow control, authentication, auditing and authorization,
so all the security mechanisms it should have are in place.
End