java - 如何使用 Java EE 安全性从 HttpSessionListener 访问登录主体？

Question

我有一个带有 @CustomFormAuthenticationMechanismDefinition 的应用程序，我想在登录和注销时记录用户名、 session ID、IP 地址等。应用此注释的 HttpAuthMechanism 将给定 session 与主体相关联，我可以通过 SecurityContext 访问该主体。通过直接注销，我的日志记录没有问题，但我还想在 session 超时时进行日志记录。因此，我创建了一个 HttpSessionListener，并在其 sessionDestroyed() 方法中尝试通过 SecurityContext 访问登录用户，但它返回一个空集，可能是因为 securityContext 已失效已经。

我想到的一个解决方案是将用户主体存储在 session 参数中(这可能发生在 HttpAuthMechanism 实现中)，并从 HttpSessionEvent 从那里访问它> 对象，但这感觉不是最干净的解决方案。我可以使用另一个监听器或其他解决方案吗？

Answer 1

我使用了自定义的 HttpAuthenticationMechanism，如果有人需要它的话，这里就是它(尽管我很高兴收到一些关于它是否有任何安全缺陷或改进的反馈) .

在实现 HttpAuthenticationMechanism 的 @ApplicationScoped 类中:

@Override
public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException {
    if (!httpMessageContext.isProtected()) {
        return httpMessageContext.doNothing();
    }
    HttpSession session = request.getSession(false);

    Credential credential = httpMessageContext.getAuthParameters().getCredential();

    // If we already have a session, we get the user from it, unless it's a new login
    if (session != null && !(credential instanceof UsernamePasswordCredential)) {  
        User user = (User) session.getAttribute("user");
        if (user != null) {
            return httpMessageContext.notifyContainerAboutLogin(user, user.getRoles());
        }
    }

    // If we either don't have a session or it has no user attribute, we redirect/forward to login page
    if (!(credential instanceof UsernamePasswordCredential)) {
        return redirect(request, response, httpMessageContext);
    }

    // Here we have a Credential, so we validate it with the registered IdentityStoreHandler (injected as idStoreHandler)
    CredentialValidationResult validate = idStoreHandler.validate(credential);

    Context context = new Context();
    context.setIp(request.getRemoteAddr());

    if (validate.getStatus() == CredentialValidationResult.Status.VALID) {
        session = request.getSession(true);
        CallerPrincipal callerPrincipal = validate.getCallerPrincipal();
        session.setAttribute("user", callerPrincipal);


        context.setUser(callerPrincipal);
        context.setSessionId(session.getId());

        Logger log = new Logger(logger, "validateRequest", context);

        log.debug("Logged in user: " + callerPrincipal.getName());

        String redirectPage = "whatYouWant.xhtml";

        redirect(request, response, httpMessageContext, redirectPage);

        return httpMessageContext.notifyContainerAboutLogin(validate);
    } else if (validate.getStatus() == CredentialValidationResult.Status.NOT_VALIDATED) {
        return redirect(request, response, httpMessageContext);
    } else {
        // Logging
        return httpMessageContext.responseUnauthorized();
    }
}

在实现的HttpSessionListener中:

 @Override
public void sessionDestroyed(HttpSessionEvent se) {
    User user = (User) se.getSession().getAttribute("user");

    if (user != null) {
        // logging
    }
}