将@Component添加到自定义Spring Security过滤器意味着什么 [英] What is implication of adding @Component to custom Spring Security filter

查看:279
本文介绍了将@Component添加到自定义Spring Security过滤器意味着什么的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个自定义的Spring Security过滤器,扩展了GenericFilterBean.

要执行自动依赖关系和创建Bean,我添加了@Component批注.

在安全性"配置中,我还注册了过滤器,如:

@Autowired
private RestAuthenticationFilter restAuthenticationFilter;

protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .addFilterBefore(restAuthenticationFilter, LogoutFilter.class)

一切正常,除了我的过滤器被调用了两次... 看来Spring也会自动将过滤器添加到标准过滤器中.

这里最好的方法是什么?

更新

@Dave这是什么意思?似乎可行.

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application extends WebMvcConfigurerAdapter {

    @Autowired
    private RestAuthenticationFilter restAuthenticationFilter;

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Bean
    public ApplicationSecurity applicationSecurity() {
        return new ApplicationSecurity();
    }

    @Bean
    public FilterRegistrationBean filterRegistrationBean() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        filterRegistrationBean.setEnabled(false);
        filterRegistrationBean.setFilter(restAuthenticationFilter);
        return filterRegistrationBean;
    }

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

        @Autowired
        private RestAuthenticationFilter restAuthenticationFilter;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .addFilterBefore(restAuthenticationFilter, LogoutFilter.class)
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .csrf()
                    .disable()
                .exceptionHandling()
                    .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                    .and()
                .requestCache()
                    .requestCache(new NullRequestCache())
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            // @formatter:on
        }
    }
}

解决方案

您需要使用FilterRegistrationBean API明确注册过滤器并将其标记为"enabled = false".然后,Spring Security将在其链中使用它,但是Boot不会尝试也对其进行注册.

I have a custom Spring Security filter extending GenericFilterBean.

To do automatic dependency and bean creation I added a @Component annotation.

In my Security config I also register the filter like:

@Autowired
private RestAuthenticationFilter restAuthenticationFilter;

protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .addFilterBefore(restAuthenticationFilter, LogoutFilter.class)

Everything works well except that my filter is called twice... It seems Spring adds filters also automatically to standard filters.

What should be the best approach here?

UPDATE

@Dave is this what you mean? It seems to work.

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application extends WebMvcConfigurerAdapter {

    @Autowired
    private RestAuthenticationFilter restAuthenticationFilter;

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Bean
    public ApplicationSecurity applicationSecurity() {
        return new ApplicationSecurity();
    }

    @Bean
    public FilterRegistrationBean filterRegistrationBean() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        filterRegistrationBean.setEnabled(false);
        filterRegistrationBean.setFilter(restAuthenticationFilter);
        return filterRegistrationBean;
    }

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

        @Autowired
        private RestAuthenticationFilter restAuthenticationFilter;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .addFilterBefore(restAuthenticationFilter, LogoutFilter.class)
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .csrf()
                    .disable()
                .exceptionHandling()
                    .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                    .and()
                .requestCache()
                    .requestCache(new NullRequestCache())
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            // @formatter:on
        }
    }
}

解决方案

You need to explicitly register the filter and mark it as "enabled=false" using the FilterRegistrationBean API. Then Spring Security will use it in its chain, but Boot will not try and register it as well.

这篇关于将@Component添加到自定义Spring Security过滤器意味着什么的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆