diff --git a/core/src/main/java/org/springframework/security/context/rmi/ContextPropagatingRemoteInvocation.java b/core/src/main/java/org/springframework/security/context/rmi/ContextPropagatingRemoteInvocation.java
index a622362c6c..3fcaa6d342 100644
--- a/core/src/main/java/org/springframework/security/context/rmi/ContextPropagatingRemoteInvocation.java
+++ b/core/src/main/java/org/springframework/security/context/rmi/ContextPropagatingRemoteInvocation.java
@@ -30,14 +30,14 @@ import java.lang.reflect.InvocationTargetException;
 /**
 * The actual RemoteInvocation that is passed from the client to the server, which contains the
- * contents of {@link SecurityContextHolder}, being a {@link SecurityContext} object.

When constructed on the
- * client via {@link org.springframework.security.context.rmi.ContextPropagatingRemoteInvocationFactory}, the contents of the
+ * contents of {@link SecurityContextHolder}, being a {@link SecurityContext} object.
+ *

+ * When constructed on the client via {@link ContextPropagatingRemoteInvocationFactory}, the contents of the
 * SecurityContext are stored inside the object. The object is then passed to the server that is
 * processing the remote invocation. Upon the server invoking the remote invocation, it will retrieve the passed
- * contents of the SecurityContextHolder and set them to the server-side
- * SecurityContextHolder whilst the target object is invoked. When the target invocation has been
- * completed, the server-side SecurityContextHolder will be reset to a new instance of
- * SecurityContextImpl.

+ * contents of the SecurityContextHolder and set them on the server-side
+ * SecurityContextHolder while the target object is invoked. When the target invocation has been
+ * completed, the security context will be cleared using a call to {@link SecurityContextHolder#clearContext()}.
 *
 * @author James Monaghan
 * @author Ben Alex
@@ -54,7 +54,7 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
 //~ Constructors ===================================================================================================
-/**
+ /**
 * Constructs the object, storing the value of the client-side
 * SecurityContextHolder inside the object.
 *
@@ -72,11 +72,12 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
 //~ Methods ========================================================================================================
 /**
- * Invoked on the server-side as described in the class JavaDocs.

Invocations will always have their
- * {@link org.springframework.security.Authentication#setAuthenticated(boolean)} set to false, which is
- * guaranteed to always be accepted by Authentication implementations. This ensures that even
- * remotely authenticated Authentications will be untrusted by the server-side, which is an
- * appropriate security measure.

+ * Invoked on the server-side as described in the class JavaDocs.
+ *

+ * Invocations will always have their {@link org.springframework.security.Authentication#setAuthenticated(boolean)}
+ * set to false, which is guaranteed to always be accepted by Authentication
+ * implementations. This ensures that even remotely authenticated Authentications will be untrusted by
+ * the server-side, which is an appropriate security measure.
 *
 * @param targetObject the target object to apply the invocation to
 *
@@ -87,7 +88,7 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
 * @throws InvocationTargetException if the method invocation resulted in an exception
 */
 public Object invoke(Object targetObject)
- throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
+ throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
 SecurityContextHolder.setContext(securityContext);
 if ((SecurityContextHolder.getContext() != null)
@@ -105,7 +106,7 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
 SecurityContextHolder.clearContext();
 if (logger.isDebugEnabled()) {
- logger.debug("Set SecurityContext to new instance of SecurityContextImpl");
+ logger.debug("Cleared SecurityContextHolder.");
 }
 }
 }
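Review bot: The invoke() Javadoc in the `@@ -72,11 +72,12 @@` hunk documents only the `setAuthenticated(false)` reset and says nothing about the rest of the propagated context. The class Javadoc states that the SecurityContext is built on the client and passed to the server, so the principal, credentials and authorities it carries are caller-supplied input. Clearing the authenticated flag leaves the token untrusted only if something on the server re-authenticates it before an authorization decision is made, and that step is not visible in this diff. I would add a sentence such as `* The propagated context is supplied by the client; the server must re-authenticate it before relying on its principal or authorities.` The Javadoc block and the body of invoke() continue outside the hunk.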
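Review bot: In the last hunk (`@@ -105,7 +106,7 @@`) the `SecurityContextHolder.clearContext()` call carries no comment on why the context is cleared, and the block that encloses it opens outside the hunk, so it cannot be confirmed from here that the call also runs when the target method throws. The class Javadoc now promises that the context is cleared once the invocation completes, which only holds on the exception path if this sits in a `finally`. If it does, a comment such as `// Always clear, including on failure, so this thread does not carry the caller's context into a later invocation` would record the intent; if it does not, the call should be moved into one. The thread-reuse concern is inferred, since the server's threading model is not shown.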