java.security.Principal - creation in HttpServletRequest and Spring Security

问题

1. I am unable to find how the java.security.Principal in HttpServletRequest is created - who is responsible? How it is done? Is it necessarily kept in Session?

2. How it is connected to Spring Security?

3. Are there any alternatives to Spring Security which uses Principal for User authorization/authentication?

4. How would one implement own user authorization/authentication so that Principal would contain the current user?

回答1:

1. typically, Principal object putting in the session after successful login.See documentation.
2. Springs Authentication interface extends Principal interface
3. Alternatively you can use Apache Shiro
4. Implement own UserDetailsService which wil return your User object(it must implement UserDetails interface) See docs.

回答2:

The Principal will be set by Spring Security based upon your Spring Security configuration.

To implement this, please see http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html

来源：https://stackoverflow.com/questions/9824942/java-security-principal-creation-in-httpservletrequest-and-spring-security