在 Spring Boot MVC 中添加 ShallowEtagHeaderFilter [英] Add ShallowEtagHeaderFilter in Spring Boot MVC
问题描述
我正在尝试调整我的应用程序配置以设置 ETag 支持.
我刚刚检查了这个所以问题,让我说我的代码与它的不同之处:
- 我不使用任何 xml 配置文件.
- 我正在为系统的每个方面使用不同的配置类.我的
WebConfig
看起来像这样:
<前><代码>@配置@EnableAutoConfiguration@ComponentScan(basePackages = { "xxx", "yyy" })公共类 WebConfig 扩展了 WebMvcConfigurerAdapter {@豆角,扁豆公共过滤器shallowETagHeaderFilter() {返回新的 ShallowEtagHeaderFilter();}...}
- 我的 SecurityConfig 如下所示:
<前><代码>@配置@启用网络安全公共类 SecurityConfig 扩展了 WebSecurityConfigurerAdapter {...@覆盖protected void configure(final HttpSecurity http) 抛出异常 {http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint()).and().authorizeRequests().antMatchers(HttpMethod.GET, "/**").authenticated().antMatchers(HttpMethod.POST, "/**").authenticated().antMatchers(HttpMethod.HEAD, "/**").authenticated().and().csrf().disable().addFilterBefore(authenticationTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class);}}
- 我还有一个初始化器类,它是空的:
<前><代码>@订单(值=1)公共类 SecurityWebAppInitializer 扩展 AbstractSecurityWebApplicationInitializer {}
我没有看到任何地方将 ShallowEtagHeaderFilter
添加到默认链或任何东西中,我该如何在此设置中使用它?
好的,
根据这个帖子:
<块引用>[...] 为了帮助缓解这种情况,Spring Security 添加了缓存控制支持,它将在您的响应中插入以下标头.
缓存控制:无缓存、无存储、max-age=0、必须重新验证
编译指示:无缓存
过期时间:0
所以,发生的事情是添加了 ETag 支持,但 Spring Security 在响应中使其无效.看来如果要同时使用 Spring Security 和 ETag 支持,则需要声明以下代码行(用箭头突出显示):
@Configuration@启用网络安全公共类 SecurityConfig 扩展了 WebSecurityConfigurerAdapter {...@覆盖protected void configure(final HttpSecurity http) 抛出异常 {http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint()).and().authorizeRequests().antMatchers(HttpMethod.GET, "/**").authenticated().antMatchers(HttpMethod.POST, "/**").authenticated().antMatchers(HttpMethod.HEAD, "/**").authenticated().and().csrf().disable().addFilterBefore(authenticationTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class);===>http.headers().cacheControl().disable();}}
I'm trying to adjust my application configuration in order to setup ETag support.
I have just checked this SO question, so let me say where my code is different from it:
- I don't use any xml configuration file whatsoever.
- I'm using different configuration classes for each aspect of the system. My
WebConfig
looks like this:
@Configuration
@EnableAutoConfiguration
@ComponentScan(basePackages = { "xxx", "yyy" })
public class WebConfig extends WebMvcConfigurerAdapter {
@Bean
public Filter shallowETagHeaderFilter() {
return new ShallowEtagHeaderFilter();
}
...
}
- And my SecurityConfig looks like this:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint())
.and().authorizeRequests()
.antMatchers(HttpMethod.GET, "/**").authenticated()
.antMatchers(HttpMethod.POST, "/**").authenticated()
.antMatchers(HttpMethod.HEAD, "/**").authenticated()
.and().csrf().disable()
.addFilterBefore(authenticationTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
- I also have an initializer class, which is empty:
@Order(value=1)
public class SecurityWebAppInitializer extends AbstractSecurityWebApplicationInitializer {
}
I don't see anywhere the ShallowEtagHeaderFilter
been added to the default chain or anything, how can I use it in this setup?
Alright,
According to this post:
[...] To help mitigate this Spring Security has added cache control support which will insert the following headers into you response.
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
So, what happened is that ETag support was added, but Spring Security invalidated it in the response. It seems that if you want to use both Spring Security and ETag support, you need to declare the following code line (highlighted by the arrow):
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint())
.and().authorizeRequests()
.antMatchers(HttpMethod.GET, "/**").authenticated()
.antMatchers(HttpMethod.POST, "/**").authenticated()
.antMatchers(HttpMethod.HEAD, "/**").authenticated()
.and().csrf().disable()
.addFilterBefore(authenticationTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
===> http.headers().cacheControl().disable();
}
}
这篇关于在 Spring Boot MVC 中添加 ShallowEtagHeaderFilter的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!