如何在Spring Security中从默认过滤器堆栈中删除一个过滤器? [英] How to delete one filter from default filter stack in Spring Security?

问题描述

我必须从Spring Security堆栈中排除一个默认过滤器.因此，所有过滤器都应照常工作.看来我找到了方法，请创建自定义FilterChainProxy:

I have to exclude one default filter from Spring Security stack. So all filters should work as usual. It seems like I find the way to do so, make custom FilterChainProxy:

public class CustomFilterChainProxy extends FilterChainProxy {

Logger LOGGER = Logger.getLogger(CustomFilterChainProxy.class);

public CustomFilterChainProxy() {
    super();
    LOGGER.debug("Run custom filter proxy");
    LOGGER.debug("String filters: " + this.toString());
}

public CustomFilterChainProxy(SecurityFilterChain chain) {
    super(chain);
    LOGGER.debug("Run custom filter proxy with chains");
}
}

如您所见，它具有获取过滤器列表的构造函数，因此我将能够根据需要从链中删除一个过滤器，其余所有过滤器将照常工作.但是我无法在安全配置中为此类构造函数制作bean.如果我使用

As you see it have constructor which get list of filters, so I will be able to delete one filter from chain as I need and all the rest will work as usual. But I can`t make bean in security config for such constructor. If I use

<bean id="filterChainProxy" class="com.pkg.CustomFilterChainProxy">

它，当然是使用默认构造函数构建对象.好的，我尝试用一​​些过滤器列表制作bean:

it, of course build object with default constructor. Ok, I try to make bean with list of some filters:

<bean id="filterChainProxy" class="ru.olekstra.backoffice.util.CustomFilterChainProxy">
<constructor-arg>
    <list>
        <sec:filter-chain pattern="/**" 
        filters="BasicUserApprovalFilter" />
    </list>
</constructor-arg>
</bean>

但这不会编译，因为BasicUserApprovalFilter是未知的bean.那么，如何从默认过滤器堆栈中排除一个过滤器呢?如果我使用自定义过滤器链代理的方法是一个好的决定，那么如何使用默认过滤器链创建bean?

But this wont compile, cause BasicUserApprovalFilter is unknown bean. So how could I exclude one filter from default filter stack? If my way with custom filter chain proxy is good decision, so how create bean with default filter chain?

推荐答案

如果您提供有关要删除的过滤器及其原因的更多详细信息，则可能会有所帮助.

It would probably help if you gave some more details on what the filter is you want to remove and why.

如果愿意，可以在创建过滤器链后使用BeanPostProcessor对其进行修改.在默认的名称空间配置中，可以给<http>元素创建的过滤器链命名:

If you wish, you can use a BeanPostProcessor to modify the filter chain after it has been created. In a default namespace configuration, you can give the filter chain created by the <http> element a name:

<http name="myFilterChain">
   ...

这将使用该名称注册类型为SecurityFilterChain的bean. FilterChainProxy是从这些列表创建的.

This registers a bean of type SecurityFilterChain with this name. The FilterChainProxy is created from a list of these.

后处理器看起来像:

public class SecurityFilterChainPostProcessor implements BeanPostProcessor {

    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {

        if (beanName.equals("myFilterChain")) {
            DefaultSecurityFilterChain fc = (DefaultSecurityFilterChain)bean;
            List<Filter> filters = fc.getFilters();

            // Modify the filter list as you choose here.                
            List<Filter> newFilters = ...

            return new DefaultSecurityFilterChain(fc.getRequestMatcher(), newFilters);
        }

        return bean;
    }

    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
        return bean;
    }
}

然后只需在您的应用程序上下文中注册此bean的实例，其余的将由Spring完成.这样，您可以避免将所有Spring Security基础结构过滤器定义为单独的bean.

Then just register an instance of this bean in your application context and Spring will do the rest. That way you can avoid having to define all the Spring Security infrastructure filters as separate beans.

这里是 查看全文