Spring Security clears the SecurityContextHolder in the securityContextPersistenceFilter filter:
finally {
    // First get the SecurityContext instance from the SecurityContextHolder
    SecurityContext contextAfterChainExecution = SecurityContextHolder.getContext();
    // Crucial removal of SecurityContextHolder contents - do this before anything else.
    // Then clear the SecurityContext instance out of the SecurityContextHolder
    SecurityContextHolder.clearContext();
    // Persist the SecurityContext instance to the session
    repo.saveContext(contextAfterChainExecution, holder.getRequest(), holder.getResponse());
    request.removeAttribute(FILTER_APPLIED);
    if (debug) {
        logger.debug("SecurityContextHolder now cleared, as request processing completed");
    }
}
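But when the sec:authorize tag performs its authorization check, it still uses Authentication auth = SecurityContextHolder.getContext().getAuthentication(); so the value obtained is null and the tag cannot be used. How can this problem be solved? It is unreasonable for the framework to do this.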
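
The finally block quoted above, modelled as an added example that is not part of the original post and is not Spring Security's code: it runs three requests on one pooled worker thread, with and without the clear step, to show what the thread-local holder contains in each case. The names ContextClearDemo, HOLDER, SESSIONS, handle and run are hypothetical stand-ins, and a plain string stands in for the Authentication.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Simplified model of the filter's lifecycle; assumed names, not framework classes.
public class ContextClearDemo {
    // Stand-in for SecurityContextHolder: one value per worker thread.
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();
    // Stand-in for the session-backed repository (session id -> user name).
    static final Map<String, String> SESSIONS = new HashMap<>();

    // One request: restore from the session, run the chain, then read, clear and save.
    static String handle(String sessionId, String loginAs, boolean clearInFinally) {
        String restored = SESSIONS.get(sessionId);
        if (restored != null) HOLDER.set(restored);        // context loaded from the session
        try {
            if (loginAs != null) HOLDER.set(loginAs);      // authentication inside the chain
            return String.valueOf(HOLDER.get());           // what code inside the chain sees
        } finally {
            String after = HOLDER.get();                   // read first, as in the quoted code
            if (clearInFinally) HOLDER.remove();           // the clearContext() step
            if (after != null) SESSIONS.put(sessionId, after); // the saveContext(...) step
        }
    }

    // Runs one request on the shared worker thread and returns what the handler saw.
    static String run(ExecutorService worker, String sid, String login, boolean clear)
            throws Exception {
        Callable<String> task = () -> handle(sid, login, clear);
        return worker.submit(task).get();
    }

    public static void main(String[] args) throws Exception {
        for (boolean clear : new boolean[] {false, true}) {
            SESSIONS.clear();
            ExecutorService worker = Executors.newSingleThreadExecutor(); // one pooled thread
            System.out.println("clearInFinally=" + clear);
            System.out.println("  session A logs in as alice: " + run(worker, "A", "alice", clear));
            System.out.println("  session B, never logged in: " + run(worker, "B", null, clear));
            System.out.println("  session A, next request:    " + run(worker, "A", null, clear));
            worker.shutdown();
        }
    }
}
```

In this model, code that runs between the restore and the finally block sees the user on every request of that session; with the clear step disabled, the request for session B inherits the value left on the reused thread by session A.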