Servlet 3 Async Support with Spring MVC and Spring Security – 使用Spring MVC和Spring Security的Servlet 3异步支持

最后修改: 2017年 1月 2日


1. Introduction


In this quick tutorial, we’re going to focus on the Servlet 3 support for async requests, and how Spring MVC and Spring Security handle these.

在这个快速教程中,我们将重点介绍Servlet 3对异步请求的支持,以及Spring MVC和Spring Security如何处理这些请求

The most basic motivation for asynchronicity in web applications is to handle long running requests. In most use cases, we’ll need to make sure the Spring Security principal is propagated to these threads.

网络应用中异步性的最基本动机是处理长期运行的请求。在大多数用例中,我们需要确保Spring Security本金被传播给这些线程。

And, of course, Spring Security integrates with @Async outside the scope of MVC and processing HTTP requests as well.

当然,Spring Security 在MVC的范围之外与@Async集成,也可以处理HTTP请求。

2. Maven Dependencies


In order to use the async integration in Spring MVC, we need to include the following dependencies into our pom.xml:

为了在Spring MVC中使用异步集成,我们需要在pom.xml中包含以下依赖项。


The latest version of Spring Security dependencies can be found here.

最新版本的 Spring Security 依赖项可以在这里找到。

3. Spring MVC and @Async

3.Spring MVC和@Async

According to the official docs, Spring Security integrates with WebAsyncManager.

根据官方的文档,Spring Security与WebAsyncManager进行了整合。

The first step is to ensure our springSecurityFilterChain is set up for processing asynchronous requests. We can do it either in Java config, by adding following line to our Servlet config class:



or in XML config:



We also need to enable the async-supported parameter in our servlet configuration:



Now we are ready to send asynchronous requests with SecurityContext propagated with them.


Internal mechanisms within Spring Security will ensure that our SecurityContext is no longer cleared out when a response is committed in another Thread resulting in a user logout.

Spring Security的内部机制将确保在另一个Thread中提交响应导致用户注销时,我们的SecurityContext不再被清空。

4. Use Cases


Let’s see this in action with a simple example:


public Callable<Boolean> checkIfPrincipalPropagated() {
    Object before 
      = SecurityContextHolder.getContext().getAuthentication().getPrincipal();"Before new thread: " + before);

    return new Callable<Boolean>() {
        public Boolean call() throws Exception {
            Object after 
              = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
  "New thread: " + after);
            return before == after;

We want to check if the Spring SecurityContext is propagated to the new thread.


The method presented above will automatically have its Callable executed with the SecurityContext included, as seen in logs:


web - 2017-01-02 10:42:19,011 [http-nio-8081-exec-3] INFO
  o.baeldung.web.service.AsyncService - Before new thread:
  Username: temporary; Password: [PROTECTED]; Enabled: true;
  AccountNonExpired: true; credentialsNonExpired: true;
  AccountNonLocked: true; Granted Authorities: ROLE_ADMIN

web - 2017-01-02 10:42:19,020 [MvcAsync1] INFO
  o.baeldung.web.service.AsyncService - New thread:
  Username: temporary; Password: [PROTECTED]; Enabled: true;
  AccountNonExpired: true; credentialsNonExpired: true;
  AccountNonLocked: true; Granted Authorities: ROLE_ADMIN

Without setting up the SecurityContext to be propagated, the second request will end up with null value.


There are also other important use cases to use asynchronous requests with propagated SecurityContext:


  • we want to make multiple external requests which can run in parallel and which may take significant time to execute
  • we have some significant processing to do locally and our external request can execute in parallel to that
  • other represent fire-and-forget scenarios, like for example sending an email

Do note that, if our multiple method calls were previously chained together in a synchronous fashion, converting these to an asynchronous approach may require synchronizing results.


5. Conclusion


In this short tutorial, we illustrated the Spring support for processing asynchronous requests in an authenticated context.


From a programming model perspective, the new capabilities appear deceptively simple. But there are certainly some aspects that do require a more in-depth understanding.


This example is also available as a Maven project over on Github.