使用Java配置在多个HttpSecurity对象中自定义身份验证过滤器
我想使用SpringBoot和SpringJavaConfig使用两种不同的http web配置和自定义身份验证过滤器。 我遵循了可以在此处找到的示例应用程序:。 我的理解是,对于每种web配置,这都会在一个单独的spring过滤器链中结束。尽管web配置url模式与请求不匹配,但这两个过滤器都会被调用。 例如,请求将调用这两个过滤器,而不仅仅是CustomApiAuthenticationFilter。当然,可以在doFilterInternal中检查请求url,如果不匹配则忽略请求,但我认为这应该通过尊重相应web配置的url模式自动完成。 此外,我的RestController没有被调用,邮递员只收到状态代码200OK,没有响应主体 两个问题: 1.这种行为是出于设计还是配置错误? 2.为什么我的RestController没有被调用使用Java配置在多个HttpSecurity对象中自定义身份验证过滤器,java,spring,spring-mvc,spring-security,Java,Spring,Spring Mvc,Spring Security,我想使用SpringBoot和SpringJavaConfig使用两种不同的http web配置和自定义身份验证过滤器。 我遵循了可以在此处找到的示例应用程序:。 我的理解是,对于每种web配置,这都会在一个单独的spring过滤器链中结束。尽管web配置url模式与请求不匹配,但这两个过滤器都会被调用。 例如,请求将调用这两个过滤器,而不仅仅是CustomApiAuthenticationFilter。当然,可以在doFilterInternal中检查请求url,如果不匹配则忽略请求,但我认为
@EnableWebSecurity
public class SecurityConfiguration {
@Configuration
@Order(1)
public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Bean
public GenericFilterBean apiAuthenticationFilter() {
return new CustomApiAuthenticationFilter();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**").addFilterAfter(apiAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().antMatchers("/api/**").authenticated();
}
}
@Configuration
@Order(2)
public static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
public GenericFilterBean webAuthenticationFilter() {
return new CustomWebAuthenticationFilter();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/").addFilterAfter(webAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.authorizeRequests().antMatchers("/").authenticated();
}
}
}
public class CustomApiAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("API")));
SecurityContextHolder.getContext().setAuthentication(auth);
}
}
public class CustomWebAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("USER")));
SecurityContextHolder.getContext().setAuthentication(auth);
}
}
@RestController
public class ApiController {
@RequestMapping(value = "/api/v1/dosomething", method = RequestMethod.GET)
public String getSomething() {
return "something";
}
}
感谢迪纳姆先生给了我正确的答案。下面的方法现在可以按预期工作,但我仍然不确定这是否是一种合法的方法
@EnableWebSecurity
public class SecurityConfiguration {
@Configuration
@Order(1)
public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**")
.addFilterAfter(new CustomApiAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().anyRequest().hasRole("API");
}
}
@Configuration
@Order(2)
public static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/")
.addFilterAfter(new CustomWebAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.authorizeRequests().anyRequest().hasRole("USER");
}
}
}
public class CustomApiAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("ROLE_API")));
SecurityContextHolder.getContext().setAuthentication(auth);
filterChain.doFilter(request, response);
}
}
public class CustomWebAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("ROLE_USER")));
SecurityContextHolder.getContext().setAuthentication(auth);
filterChain.doFilter(request, response);
}
}
除了我前面的答案之外,还可以通过手动创建相应的spring
FilterRegistrationBean
并禁用自动过滤器注册来保留@Bean
注释。这也将保留过滤器中的自动布线
public class SecurityConfiguration {
@Configuration
@Order(1)
public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Bean
public FilterRegistrationBean customApiAuthenticationFilterRegistration() {
FilterRegistrationBean registration = new FilterRegistrationBean(customApiAuthenticationFilter());
registration.setEnabled(false);
return registration;
}
@Bean
public GenericFilterBean customApiAuthenticationFilter() {
return new CustomApiAuthenticationFilter();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**").addFilterAfter(customApiAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.authorizeRequests().anyRequest().hasRole("API").and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
@Configuration
@Order(2)
public static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
public FilterRegistrationBean customWebAuthenticationFilterRegistration() {
FilterRegistrationBean registration = new FilterRegistrationBean(customWebAuthenticationFilter());
registration.setEnabled(false);
return registration;
}
@Bean
public GenericFilterBean customWebAuthenticationFilter() {
return new CustomWebAuthenticationFilter();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/").addFilterAfter(customWebAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.authorizeRequests().antMatchers("/").hasRole("USER");
}
}
}
您的过滤器是一个bean。Spring Boot检测到这些,并将它们添加到常规过滤器链,而不仅仅是Spring Security过滤器链。因此,它们甚至可能会被调用两次而不是一次。当您扩展
OncePerRequestFilter
时,它们只会被调用一次,但问题是该过滤器被检测为普通的javax.servlet.filter
,因此也被添加为常规过滤器。因此,executionOK在删除@Bean
注释后,只调用正确的过滤器。但是我仍然有一个问题,我的RestController
没有被调用。有什么想法吗?在doFilterInternal
中,我可以通过request.getRequestDispatcher(request.getRequestURI()).forward(请求,响应)手动转发请求代码>在成功的身份验证之后,但是这种方法在我看来是错误的,对吗?实际上是你的doFilterInternal
方法破坏了东西。它在您的过滤器处停止处理。在您的方法中,您必须调用过滤器链以继续处理,否则请求将立即停止。