Spring Security（八）：过滤器

最新推荐文章于 2024-04-17 11:41:45 发布

@shair911

最新推荐文章于 2024-04-17 11:41:45 发布

阅读量204

点赞数

分类专栏：技术

本文链接：https://blog.csdn.net/Shair911/article/details/104219315

版权

技术专栏收录该内容

14 篇文章 1 订阅

订阅专栏

Spring Security 过滤器

Spring Security 内置过滤器
- ChannelProcessingFilter
- ConcurrentSessionFilter
- WebAsyncManagerIntegrationFilter
- SecurityContextPersistenceFilter
- HeaderWriterFilter
- CorsFilter
- CsrfFilter
- LogoutFilter
- OAuth2AuthorizationRequestRedirectFilter
- Saml2WebSsoAuthenticationRequestFilter
- X509AuthenticationFilter
- AbstractPreAuthenticatedProcessingFilter
- CasAuthenticationFilter
- OAuth2LoginAuthenticationFilter
- Saml2WebSsoAuthenticationFilter
- UsernamePasswordAuthenticationFilter
- ConcurrentSessionFilter
- OpenIDAuthenticationFilter
- DefaultLoginPageGeneratingFilter
- DefaultLogoutPageGeneratingFilter
- DigestAuthenticationFilter
- BasicAuthenticationFilter
- RequestCacheAwareFilter
- SecurityContextHolderAwareRequestFilter
- JaasApiIntegrationFilter
- RememberMeAuthenticationFilter
- AnonymousAuthenticationFilter
- SessionManagementFilter
- ExceptionTranslationFilter
- FilterSecurityInterceptor
- SwitchUserFilter

常用内置过滤器讲解

LogoutFilter
- LogoutFilter 处理注销的过滤器，可以通过 HttpSecurity.logout() 来定制注销逻辑
UsernamePasswordAuthenticationFilter
- 处理用户以及密码认证的核心过滤器。认证请求提交的username和 password，被封装成token进行一系列的认证
RememberMeAuthenticationFilter
- 处理 记住我 功能的过滤器，RememberMeAuthenticationFilter 通过 HttpSecurity.rememberMe() 及相关方法引入其配置对象 RememberMeConfigurer 来进行配置
AnonymousAuthenticationFilter
- 匿名认证过滤器
  - 对于 Spring Security 来说，所有对资源的访问都是有 Authentication 的。对于无需登录（UsernamePasswordAuthenticationFilter ）直接可以访问的资源，会授予其匿名用户身份
  - AnonymousAuthenticationFilter 通过 HttpSecurity.anonymous() 及相关方法引入其配置对象 AnonymousConfigurer 来进行配置
SessionManagementFilter
- Session 管理器过滤器，内部维护了一个 SessionAuthenticationStrategy 用于管理 Session
- SessionManagementFilter 通过 HttpSecurity#sessionManagement() 及相关方法引入其配置对象 SessionManagementConfigurer 来进行配置

过滤器案例

定义过滤器

public class CaptchaAuthenticationFilter implements Filter {
    
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if ("/doLogin".equals(req.getRequestURI()) && "POST".equals(req.getMethod().toUpperCase())) {
            String captcha = req.getParameter("captcha");
            if (captcha == null || captcha.trim().length() < 1) {
                ForwardAuthenticationFailureHandler failureHandler = new ForwardAuthenticationFailureHandler("/loginFail");
                failureHandler.onAuthenticationFailure(req, resp, new BadCaptchaAuthenticationException("验证码不能为空"));
                return;
            }
            String code = req.getSession().getAttribute("captcha").toString();
            if (captcha.equals(code)) {
                chain.doFilter(request, response);
            } else {
                ForwardAuthenticationFailureHandler failureHandler = new ForwardAuthenticationFailureHandler("/loginFail");
                failureHandler.onAuthenticationFailure(req, resp, new BadCaptchaAuthenticationException("验证码错误"));
            }
        } else {
            chain.doFilter(request, response);
        }
    }
    @Override
    public void destroy() {

    }
}

配置过滤器

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
    	//配置自定义认证和授权处理类
    	http.addFilterBefore(new CaptchaAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}