如何使用自定義過濾器映射將自定義過濾器添加到彈簧安全過濾器鏈中？

Question

我想檢查驗證碼，如果用戶想登錄，如果驗證碼是正確的，請致電filterChain.doFilter()恢復驗證，如果驗證碼不正確，請將用戶重新輸入用戶名，密碼和驗證碼。 所以，我想把我的CaptchaFilter與/登錄filterMapping在春季安全裝配鏈的第一個。

的login.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 
<%@ page contentType="text/html; charset=UTF-8" language="java" pageEncoding="UTF-8" session="true" %> 
<html> 
<head> 
    <title>Login Page</title> 
</head> 
<body onload='document.loginForm.username.focus();'> 
<div id="login-box"> 

    <form name='loginForm' action="<c:url value='/login' />" method='POST'> 
     <table> 
      <tr> 
       <td>User:</td> 
       <td><input type='text' name='username'></td> 
      </tr> 
      <tr> 
       <td>Password:</td> 
       <td><input type='password' name='password'/> 
       </td> 
      </tr> 
      <tr> 
       <td colspan="2"> 
        <img id="imgCaptcha" src="<c:url value = '/j-captcha.jpg' />" onclick='this.src="<c:url value='/j-captcha.jpg'/>";' style="cursor: pointer"/> 
       </td> 
      </tr> 
      <tr> 
       <td colspan="2"> 
        <input name="jcaptcha" type="text" placeholder="captcha"/> 
       </td> 
      <tr> 
       <td colspan='2'><input name="submit" type="submit" value="submit"/></td> 
      </tr> 
     </table> 
    </form> 
</div> 
</body> 
</html> 

CaptchaFilter

public class CaptchaFilter implements Filter { 

    @Override 
    public void init(FilterConfig filterConfig) throws ServletException { 

    } 

    @Override 
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 
     HttpServletRequest request = (HttpServletRequest) servletRequest; 
     HttpServletResponse response = (HttpServletResponse) servletResponse; 

     if (request.getParameter("jcaptcha") != null) { 
      checkCaptcha(request, response, filterChain); 
     } else { 
      filterChain.doFilter(request, response); 
     } 
    } 

    private void checkCaptcha(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { 
     try { 
      String userCaptchaResponse = request.getParameter("jcaptcha"); 
      boolean isResponseCorrect = CaptchaService.getInstance().validateResponseForID(request.getRequestedSessionId(), userCaptchaResponse); 
      if (isResponseCorrect) { 
       filterChain.doFilter(request, response); 
      } else { 
       String url = request.getHeader("referer").replaceAll("[&?]error.*?(?=&|\\?|$)", ""); 
       url += "?error=" + SecurityUtility.CAPTCHA_IS_WRONG; 

       redirect(request, response, url); 
      } 
     } catch (Exception e) { 
      e.printStackTrace(); 
      filterChain.doFilter(request, response); 
     } 
    } 

    private void redirect(HttpServletRequest request, HttpServletResponse response, String url) { 
     try { 
      response.sendRedirect(request.getContextPath() + url); 
     } catch (Exception ex) { 
      ex.printStackTrace(); 
     } 
    } 

    @Override 
    public void destroy() { 

    } 
} 

SpringSecurityConfig：

@Configuration 
@EnableWebSecurity 
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { 
    @Autowired 
    @Qualifier("userDetailsService") 
    UserDetailsService userDetailsService; 

    @Autowired 
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { 
     auth.userDetailsService(userDetailsService); 
    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 

     http.authorizeRequests().antMatchers("/admin/**") 
       .access("hasRole('ROLE_USER')").and().formLogin() 
       .loginPage("/login").failureUrl("/login?error") 
       .usernameParameter("username") 
       .passwordParameter("password") 
       .and().logout().logoutSuccessUrl("/login?logout") 
       .and().exceptionHandling().accessDeniedPage("/403"); 
    } 
} 

SpringWebConfig

@EnableWebMvc 
@Configuration 
@ComponentScan({"com.rgh.*"}) 
@EnableTransactionManagement 
@Import({SpringSecurityConfig.class}) 
public class SpringWebConfig { 
    @Bean 
    public SessionFactory sessionFactory() { 
     LocalSessionFactoryBuilder builder = new LocalSessionFactoryBuilder(dataSource()); 
     builder.scanPackages("com.rgh.*.model").addProperties(getHibernateProperties()); 
     return builder.buildSessionFactory(); 
    } 

    private Properties getHibernateProperties() { 
     // set and return properties 
    } 

    @Bean(name = "dataSource") 
    public BasicDataSource dataSource() { 
     // set and return datasource 
    } 

    @Bean 
    public HibernateTransactionManager txManager() { 
     return new HibernateTransactionManager(sessionFactory()); 
    } 
} 

SpringWebInitializer

public class SpringWebInitializer extends AbstractAnnotationConfigDispatcherServletInitializer { 
    @Override 
    protected Class<?>[] getRootConfigClasses() { 
     return new Class[]{SpringWebConfig.class}; 
    } 

    @Override 
    protected String[] getServletMappings() { 
     return new String[]{"/", "/rest/*"}; 
    } 
} 

SpringSecurityInitializer

public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer { 

} 

我是新來的彈簧4和的Spring Java配置。

Answer 1

您可以添加您的過濾器是這樣的：

public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 
@Override 
protected void configure(HttpSecurity http) throws Exception { 
... 
http.addFilterAfter(yourFilter, CsrfFilter.class); 
... 
} 

還有其他方法addFilterBefore（..）和addFilter（..）添加過濾器。 addFilterBefore和addFilterAfter期望作爲第二個參數的過濾器類是SecurityFilterChain的一部分，並且它們將相對於它添加。 addFilter需要一些我從未嘗試過的comperator。

要查找實際在SecurityFilterChain中的過濾器類，請在控制器方法中設置斷點並在堆棧中搜索SecurityFilterChain（或DefaultSecurityFilterChain）。在那裏你可以看到哪些過濾器類被配置，例如在DefaultSecurityFilterChain.fiters中 查找第一個過濾器類，而不是使用addFilterBefore添加您的驗證碼過濾器。