Class SecurityContextHolder
- java.lang.Object
-
- org.springframework.security.core.context.SecurityContextHolder
-
public class SecurityContextHolder extends java.lang.Object
Associates a givenSecurityContext
with the current execution thread.This class provides a series of static methods that delegate to an instance of
SecurityContextHolderStrategy
. The purpose of the class is to provide a convenient way to specify the strategy that should be used for a given JVM. This is a JVM-wide setting, since everything in this class isstatic
to facilitate ease of use in calling code.To specify which strategy should be used, you must provide a mode setting. A mode setting is one of the three valid
MODE_
settings defined asstatic final
fields, or a fully qualified classname to a concrete implementation ofSecurityContextHolderStrategy
that provides a public no-argument constructor.There are two ways to specify the desired strategy mode
String
. The first is to specify it via the system property keyed onSYSTEM_PROPERTY
. The second is to callsetStrategyName(String)
before using the class. If neither approach is used, the class will default to usingMODE_THREADLOCAL
, which is backwards compatible, has fewer JVM incompatibilities and is appropriate on servers (whereasMODE_GLOBAL
is definitely inappropriate for server use).
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
MODE_GLOBAL
static java.lang.String
MODE_INHERITABLETHREADLOCAL
static java.lang.String
MODE_THREADLOCAL
static java.lang.String
SYSTEM_PROPERTY
-
Constructor Summary
Constructors Constructor Description SecurityContextHolder()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description static void
clearContext()
Explicitly clears the context value from the current thread.static SecurityContext
createEmptyContext()
Delegates the creation of a new, empty context to the configured strategy.static SecurityContext
getContext()
Obtain the currentSecurityContext
.static SecurityContextHolderStrategy
getContextHolderStrategy()
Allows retrieval of the context strategy.static java.util.function.Supplier<SecurityContext>
getDeferredContext()
Obtains aSupplier
that returns the current context.static int
getInitializeCount()
Primarily for troubleshooting purposes, this method shows how many times the class has re-initialized itsSecurityContextHolderStrategy
.static void
setContext(SecurityContext context)
Associates a newSecurityContext
with the current thread of execution.static void
setContextHolderStrategy(SecurityContextHolderStrategy strategy)
Use thisSecurityContextHolderStrategy
.static void
setDeferredContext(java.util.function.Supplier<SecurityContext> deferredContext)
Sets aSupplier
that will return the current context.static void
setStrategyName(java.lang.String strategyName)
Changes the preferred strategy.java.lang.String
toString()
-
-
-
Field Detail
-
MODE_THREADLOCAL
public static final java.lang.String MODE_THREADLOCAL
- See Also:
- Constant Field Values
-
MODE_INHERITABLETHREADLOCAL
public static final java.lang.String MODE_INHERITABLETHREADLOCAL
- See Also:
- Constant Field Values
-
MODE_GLOBAL
public static final java.lang.String MODE_GLOBAL
- See Also:
- Constant Field Values
-
SYSTEM_PROPERTY
public static final java.lang.String SYSTEM_PROPERTY
- See Also:
- Constant Field Values
-
-
Method Detail
-
clearContext
public static void clearContext()
Explicitly clears the context value from the current thread.
-
getContext
public static SecurityContext getContext()
Obtain the currentSecurityContext
.- Returns:
- the security context (never
null
)
-
getDeferredContext
public static java.util.function.Supplier<SecurityContext> getDeferredContext()
Obtains aSupplier
that returns the current context.- Returns:
- a
Supplier
that returns the current context (nevernull
- create a default implementation if necessary) - Since:
- 5.8
-
getInitializeCount
public static int getInitializeCount()
Primarily for troubleshooting purposes, this method shows how many times the class has re-initialized itsSecurityContextHolderStrategy
.- Returns:
- the count (should be one unless you've called
setStrategyName(String)
orsetContextHolderStrategy(SecurityContextHolderStrategy)
to switch to an alternate strategy).
-
setContext
public static void setContext(SecurityContext context)
Associates a newSecurityContext
with the current thread of execution.- Parameters:
context
- the newSecurityContext
(may not benull
)
-
setDeferredContext
public static void setDeferredContext(java.util.function.Supplier<SecurityContext> deferredContext)
Sets aSupplier
that will return the current context. Implementations can override the default to avoid invokingSupplier.get()
.- Parameters:
deferredContext
- aSupplier
that returns theSecurityContext
- Since:
- 5.8
-
setStrategyName
public static void setStrategyName(java.lang.String strategyName)
Changes the preferred strategy. Do NOT call this method more than once for a given JVM, as it will re-initialize the strategy and adversely affect any existing threads using the old strategy.- Parameters:
strategyName
- the fully qualified class name of the strategy that should be used.
-
setContextHolderStrategy
public static void setContextHolderStrategy(SecurityContextHolderStrategy strategy)
Use thisSecurityContextHolderStrategy
. Call eithersetStrategyName(String)
or this method, but not both. This method is not thread safe. Changing the strategy while requests are in-flight may cause race conditions.SecurityContextHolder
maintains a static reference to the providedSecurityContextHolderStrategy
. This means that the strategy and its members will not be garbage collected until you remove your strategy. To ensure garbage collection, remember the original strategy like so:SecurityContextHolderStrategy original = SecurityContextHolder.getContextHolderStrategy(); SecurityContextHolder.setContextHolderStrategy(myStrategy);
And then when you are ready formyStrategy
to be garbage collected you can do:SecurityContextHolder.setContextHolderStrategy(original);
- Parameters:
strategy
- theSecurityContextHolderStrategy
to use- Since:
- 5.6
-
getContextHolderStrategy
public static SecurityContextHolderStrategy getContextHolderStrategy()
Allows retrieval of the context strategy. See SEC-1188.- Returns:
- the configured strategy for storing the security context.
-
createEmptyContext
public static SecurityContext createEmptyContext()
Delegates the creation of a new, empty context to the configured strategy.
-
toString
public java.lang.String toString()
- Overrides:
toString
in classjava.lang.Object
-
-