在 Servlet 3+ 环境中添加要在 spring-security 过滤器之后调用的自定义过滤器 [英] Adding a custom filter to be invoked after spring-security filter in a Servlet 3+ environment

问题描述

我使用的是 Spring-Security 3.2.4 和 Spring Boot 1.1.0(以及相关的依赖版本 4.X).我正在编写一个将在嵌入式 tomcat 中运行的 Web 应用程序.

I'm using Spring-Security 3.2.4 and Spring Boot 1.1.0 (and it's related dependencies versions 4.X). I'm writing a web application that will be run in an embedded tomcat.

我正在尝试添加两个额外的过滤器(与 Spring 安全性无关)，其中一个将在 Spring-Security-FilterChainProxy 之前调用，另一个将在 Spring-Security-FilterChainProxy 之后调用.

I'm trying to add two additional filters(not related to Spring security) that one of them will be invoked before the Spring-Security-FilterChainProxy and the other one will be invoked after the Spring-Security-FilterChainProxy.

我的 Spring-Security 配置文件:

My Spring-Security configuration files:

@Configuration
@EnableWebMvcSecurity
public class SecurityCtxConfig extends WebSecurityConfigurerAdapter {

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
    .inMemoryAuthentication()
        .withUser("user").password("pass").roles("USER");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf()
            .disable()
            .authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .usernameParameter("user").passwordParameter("password");
}
}

还有主类(Application.class):

And the Main class (Application.class):

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application {

    @Bean
RequestFilter beforeSpringSecurityFilter(){
    return new RequestFilter();
}

@Bean
RequestFilter afterSpringSecurityFilter(){
    return new RequestFilter();
}

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

和过滤器实现:

public class RequestFilter extends OncePerRequestFilter {

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
        filterChain.doFilter(request, response);
}

}

在考虑 FilterChainProxy(即由 WebSecurityConfigurerAdapter 创建的)时，有没有办法控制调用顺序?准确地说，所需的顺序是:

Is there a way to controll the invocation order when taking in account the FilterChainProxy (that is beeing created by the WebSecurityConfigurerAdapter ? To be percise, the required order is:

1. 请求过滤器-1
2. Spring-Security FilterChain
3. request-filter-2

谢谢

推荐答案

Spring Security 使用的 FilterChainProxy 不是 Ordered(如果是，您可以订购所有过滤器).但是您应该能够在 FilterRegistrationBean 中注册它，is Ordered 并以相同的方式注册其他过滤器.对于安全过滤器，您可以按名称将其注入到注册 bean 中.您可以通过调用 @Bean 方法注入的其他方法.

The FilterChainProxy use by Spring Security is not Ordered (if it was you could order all your filters). But you should be able to register it in a FilterRegistrationBean which is Ordered and register your other filters the same way. In the case of the security filter you can inject it by name into the registration bean. The others you can probably inject by calling a @Bean method.

这篇关于在 Servlet 3+ 环境中添加要在 spring-security 过滤器之后调用的自定义过滤器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！