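Spring Boot Security - two different filters
I want to configure Spring Security with two different filters. What I want is for some URLs to be handled by one filter and some URLs to be handled by the other filter. This is the setup I came up with: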
    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
    public class SecurityConfigurationContext {

        @Order(1)
        @Configuration
        public static class ConfigurerAdapter1 extends WebSecurityConfigurerAdapter {
            ...
            @Override
            protected void configure(final HttpSecurity http) throws Exception {
                // Handlers and entry points
                http.exceptionHandling()
                    .authenticationEntryPoint(MyCustomAuthenticationEntryPoint);
                http.authorizeRequests()
                    .antMatchers(HttpMethod.GET, "/filter1-urls/*").hasRole("USER");
                http.addFilterBefore(myCustomFilter1, ChannelProcessingFilter.class);
                http.csrf().disable();
                http.httpBasic()
                    .and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            }

            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                auth.userDetailsService(myCustomAuthenticationService)
                    .passwordEncoder(new BCryptPasswordEncoder());
            }
        }

        @Order(2)
        @Configuration
        public static class ConfigurerAdapter2 extends WebSecurityConfigurerAdapter {
            ...
            @Override
            protected void configure(final HttpSecurity http) throws Exception {
                // Handlers and entry points
                http.exceptionHandling()
                    .authenticationEntryPoint(MyCustomAuthenticationEntryPoint);
                http.authorizeRequests()
                    .antMatchers(HttpMethod.GET, "/filter2-urls/*").hasRole("SUPER_USER");
                http.addFilterBefore(myCustomFilter2, ChannelProcessingFilter.class);
                http.csrf().disable();
                http.httpBasic()
                    .and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            }

            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                auth.userDetailsService(myCustomAuthenticationService)
                    .passwordEncoder(new BCryptPasswordEncoder());
            }
        }
    }
And the filters look like this:
Filter 1:
    @Component
    @Order(1)
    public final class MyCustomFilter1 implements Filter {

        public MyCustomFilter1() {
            super();
        }

        @Override
        public final void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) throws IOException, ServletException {
            // logic for processing filter1-urls
        }
    }
Filter 2:
    @Component
    @Order(2)
    public final class MyCustomFilter2 implements Filter {

        public MyCustomFilter2() {
            super();
        }

        @Override
        public final void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) throws IOException, ServletException {
            // logic for processing filter2-urls
        }
    }
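The problem is that both of these filters are invoked in the chain for every request. Any request I make first passes through one filter and then through the other, instead of passing through only one filter.
How can I solve this?
Thanks in advance.
Get request URL
Hmmmm, thanks. I'll give it a try and let you know if I manage. – Lazaruss
OK. This solution works for me. Thanks again. :) – Lazaruss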
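Why both filters run on every request, and one way to scope them, as an added example that is not part of the original thread: a `Filter` declared as a `@Component` is registered by Spring Boot for all requests, and a `WebSecurityConfigurerAdapter` without `http.antMatcher(...)` applies to every URL. It assumes `@Component` is removed from both filter classes and that the authentication setup (entry point, user details service) stays as in the question; `ScopedSecurityConfig`, `scope`, `Filter1Chain` and `Filter2Chain` are hypothetical names.

```java
import javax.servlet.Filter;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;

// Added example (hypothetical class names); MyCustomFilter1/2 are the question's
// filters, assumed to be in this package with their @Component annotation removed.
@Configuration
@EnableWebSecurity
public class ScopedSecurityConfig {

    // Shared setup: one security filter chain bound to a single URL prefix.
    private static void scope(HttpSecurity http, String prefix, Filter filter, String role)
            throws Exception {
        http.antMatcher(prefix + "/**")            // chain is selected only for this prefix
            .addFilterBefore(filter, ChannelProcessingFilter.class)
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, prefix + "/*").hasRole(role)
                .anyRequest().denyAll()            // added choice: deny anything else under the prefix
            .and().httpBasic()
            .and().csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Order(1)
    @Configuration
    public static class Filter1Chain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Plain instance, not a bean, so Boot does not also map it to every request.
            scope(http, "/filter1-urls", new MyCustomFilter1(), "USER");
        }
    }

    @Order(2)
    @Configuration
    public static class Filter2Chain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            scope(http, "/filter2-urls", new MyCustomFilter2(), "SUPER_USER");
        }
    }
}
```

Requests outside both prefixes match neither chain here and pass through Spring Security without any checks, so a lower-priority catch-all adapter is needed if other URLs must be protected.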