开发者

Good way to make Authentication and Authorization information available between application layers

开发者 https://www.devze.com 2022-12-31 00:45 出处:网络
I have a web application running on Google App Engine (GAE) for JAVA.I\'m authenticating the client at the Servlet layer but would like to make the client information available to my business and data

I have a web application running on Google App Engine (GAE) for JAVA. I'm authenticating the client at the Servlet layer but would like to make the client information available to my business and data layers without having to pass the client object through the arguments of every single function.

I'm considering setting up a "session" type object using ThreadLocal. That way any function can just say something like:

CurrentUser.getRoles();

Is this a good way to do this or is there 开发者_如何学编程something else that is a more accepted solution?

Thanks!


This will probably work and will be utterly convenient, but usually I try to avoid ThreadLocals for similar use cases as much as I can. Reasons:

  • You code just suddenly starts to depend on the fact that underlying container uses different threads for different users. If the container will start using NIO, different type of threads (e.g. green threads which would not be mapped into java.lang.Thread on some exotic JVM), etc. you will be out of luck.

  • ThreadLocals tend to be forgotten to be cleaned up after using them. So if your server will spike in usage and one of the users will put lots of stuff into 'cache', you might run out of RAM.

  • As a consequence of not cleaning up after a request, ThreadLocal can expose security vulnerability assuming the other user would jump unto the same thread.

  • Finally, I believe ThreadLocals were designed for environments where you have an absolute control over threads in your context, and this use case is just so far beyond.

Unfortunately I don't know much about GAE to suggest a viable alternative, sorry about that!


ThreadLocals are a completely accepted way to store such information. Besides us I also know from Alfresco that they do it.


If using Spring and Spring Security works for you then you can use the code I've built as part of jappstart for your authentication/authorization. This information is then available via Spring Security.

0

精彩评论

暂无评论...
验证码 换一张
取 消