tomcat & spring-ecurity异常处理流程

最新推荐文章于 2023-09-22 00:03:37 发布
最新推荐文章于 2023-09-22 00:03:37 发布
阅读量633 收藏 2
点赞数
分类专栏: # spring-security # tomcat
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/it_freshman/article/details/93166664
版权

tomcat正常请求过程

首先回顾下一个http请求在tomcat中的处理过程:

流程图
在这里插入图片描述

框架准备

为了分析异常处理的过程, 这里自定义一个filter,并主动抛出异常;
自定义Filter

public class HttpMethodAllowedFilter extends OncePerRequestFilter {
	@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
		if(1 < 2) {
			throw new ServiceException("抛出异常");
		}
		filterChain.doFilter(request, response);
	}
}

配置Filter

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
	//略....
	httpSecurity.addFilterBefore(new HttpMethodAllowedFilter(), ChannelProcessingFilter.class);
}

tomcat异常处理

异常处理流程图
首先将异常处理的流程画出来,然后逐步分析代码的执行过程。
**tomcat请求过程**
接下来分析下错误流程处理代码:

StandardEngineValve

//org.apache.catalina.core.StandardEngineValve
public final void invoke(Request request, Response response)
    throws IOException, ServletException {
    Host host = request.getHost();

    //check host,略......

    // ErrorReportValve -> StandardHostValve
    host.getPipeline().getFirst().invoke(request, response);

}

StandardHostValve
异常主要是在StandardHostValve中处理的:

//org.apache.catalina.core.StandardHostValve
 public final void invoke(Request request, Response response)
    throws IOException, ServletException {
	
	//使用此Context来处理请求
    Context context = request.getContext();
    
    
    // NonLoginAuthenticator -> StandardContextValve
    context.getPipeline().getFirst().invoke(request, response);
       
    //获取request中ERROR_EXCEPTION属性,来判断是否在请求过程中存在异常.
    Throwable t = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);

    //略....

    //异常处理。
    throwable(request, response, t);
}

 protected void throwable(Request request, Response response,
                             Throwable throwable) {
    Context context = request.getContext();
    if (context == null) {
        return;
    }

    Throwable realError = throwable;

    //针对ServletException,ClientAbortException 的特殊处理....(略)
  
  	//寻找errorPage
    ErrorPage errorPage = findErrorPage(context, throwable);
    if (errorPage != null) {
        //如果配置了errorPage,则做相应的处理(略...)
    } else {
        // 未找到请求处理期间抛出的异常对应的error-page
        // 查看是否存在500错误页面,如果存在指定为响应返回;
        response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        response.setError();

        status(request, response);
    }
}

private void status(Request request, Response response) {
    int statusCode = response.getStatus();

    Context context = request.getContext();
    if (!response.isError()) {
        return;
    }

    //寻找有没有配置errorPage
    ErrorPage errorPage = context.findErrorPage(statusCode);

    //如果没有,则设置默认的page: "/error"
    if (errorPage == null) {
        // errorPage = "/error"
        errorPage = context.findErrorPage(0);
    }

    if (errorPage != null && response.isErrorReportRequired()) {
        response.setAppCommitted(false);
        request.setAttribute(RequestDispatcher.ERROR_STATUS_CODE,
                          Integer.valueOf(statusCode));

        String message = response.getMessage();
        if (message == null) {
            message = "";
        }
        request.setAttribute(RequestDispatcher.ERROR_MESSAGE, message);
        request.setAttribute(Globals.DISPATCHER_REQUEST_PATH_ATTR,
                errorPage.getLocation());
        //设置dispatchType=="ERROR",匹配filter时只匹配“ERROR”类型的Filter
        request.setAttribute(Globals.DISPATCHER_TYPE_ATTR,
                DispatcherType.ERROR);

        if (custom(request, response, errorPage)) {
            response.setErrorReported();
           response.finishResponse();
        }
    }
}

private boolean custom(Request request, Response response,
                             ErrorPage errorPage) {
    ServletContext servletContext =
        request.getContext().getServletContext();
    RequestDispatcher rd =
        servletContext.getRequestDispatcher(errorPage.getLocation());

    if (response.isCommitted()) {
        rd.include(request.getRequest(), response.getResponse());
    } else {
        response.resetBuffer(true);
        response.setContentLength(-1);

        //org.apache.catalina.core.ApplicationDispatcher,执行跳转命令
        //执行跳转“/error”的请求;
        rd.forward(request.getRequest(), response.getResponse());

        response.setSuspended(false);
    }
    return true;
}

ApplicationDispatcher
到出现异常时,会调用ApplicationDispatcher.forward(“error”),方法执行调用过程为:forward -> doForward -> processRequest ->invoke

  private void invoke(ServletRequest request, ServletResponse response,
            State state) throws IOException, ServletException {

    	//略....

        // 获取filterChian,当出现错误时即forword("/error")时,
        // 获取的filter的dispatchType为“ERROR”
        ApplicationFilterChain filterChain =
                ApplicationFilterFactory.createFilterChain(request, wrapper, servlet);
        try {
           filterChain.doFilter(request, response);
        } //catch 其他异常(略.....)
         catch (RuntimeException e) {
            runtimeException = e;
        }

        // 抛出捕获的异常;  与后续的StandardWrapperValve(吃掉异常)不同
        if (ioException != null)
            throw ioException;
        if (servletException != null)
            throw servletException;
        if (runtimeException != null)
            throw runtimeException;
    }

当抛出异常forward("/error")ApplicationFilterChain内容如下:
在这里插入图片描述

StandardContextValve

public final void invoke(Request request, Response response)
    throws IOException, ServletException {

    // 禁止任何请求直接访问: WEB-INF or META-INF 下的资源;
    MessageBytes requestPathMB = request.getRequestPathMB();
    if ((requestPathMB.startsWithIgnoreCase("/META-INF/", 0))
            || (requestPathMB.equalsIgnoreCase("/META-INF"))
            || (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
            || (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
        return;
    }

    // Select the  to be used for this Request
    Wrapper wrapper = request.getWrapper();
    if (wrapper == null || wrapper.isUnavailable()) {
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
        return;
    }

  	//略.....
    wrapper.getPipeline().getFirst().invoke(request, response);
}

StandardWrapperValve

//org.apache.catalina.core.StandardWrapperValve
public final void invoke(Request request, Response response)
throws IOException, ServletException {

	//1.创建filterChain
	ApplicationFilterChain filterChain =
                ApplicationFilterFactory.createFilterChain(request, wrapper, servlet);


    //2. filterChain类型为: ApplicationFilterChain
    try{
   	 	filterChain.doFilter(request.getRequest(), response.getResponse());
                            (request.getRequest(), response.getResponse());
      // catch{} catch各种异常(略...)
      } catch (Throwable e) {
        ExceptionUtils.handleThrowable(e);
        //log异常(略....)
        
        throwable = e;
         // 注意!!! 这里不再向上抛出异常,
         // 而是将异常信息,写到request的attribute中;
        exception(request, response, e);
    }

    //释放filterchain
    if (filterChain != null) {
        filterChain.release();
    }

    //释放servlet
  	if (servlet != null) {
        wrapper.deallocate(servlet);
    }
}

ApplicationFilterFactory & ApplicationFilterChain

//org.apache.catalina.core.ApplicationFilterFactory
//1.
	public static ApplicationFilterChain createFilterChain(ServletRequest request,
        Wrapper wrapper, Servlet servlet) {


	ApplicationFilterChain filterChain =  new ApplicationFilterChain();
	//设置servlet
	filterChain.setServlet(servlet);
    filterChain.setServletSupportsAsync(wrapper.isAsyncSupported());

    // Acquire the filter mappings for this Context
    StandardContext context = (StandardContext) wrapper.getParent();
    FilterMap filterMaps[] = context.findFilterMaps();

    //1.1  for-each filterMaps,匹配req.getRequestPath()的 filter
    for (int i = 0; i < filterMaps.length; i++) {
         if (!matchDispatcher(filterMaps[i] ,dispatcher)) {
             continue;
         }
         if (!matchFiltersURL(filterMaps[i], requestPath))
             continue;
         ApplicationFilterConfig filterConfig = (ApplicationFilterConfig)
             context.findFilterConfig(filterMaps[i].getFilterName());
         if (filterConfig == null) {
             // FIXME - log configuration problem
             continue;
         }
         filterChain.addFilter(filterConfig);
     }
    //1.2  for-each filterMaps,匹配 servletName
    for (int i = 0; i < filterMaps.length; i++) {
        if (!matchDispatcher(filterMaps[i] ,dispatcher)) {
             continue;
         }
         if (!matchFiltersServlet(filterMaps[i], servletName))
             continue;
         ApplicationFilterConfig filterConfig = (ApplicationFilterConfig)
             context.findFilterConfig(filterMaps[i].getFilterName());
         if (filterConfig == null) {
             // FIXME - log configuration problem
             continue;
         }
         filterChain.addFilter(filterConfig);
     }

}

//org.apache.catalina.core.ApplicationFilterChain
//2.
public final class ApplicationFilterChain implements FilterChain {

	private ApplicationFilterConfig[] filters = new ApplicationFilterConfig[0];

	//filterChain正在执行的filter的位置
	private int pos = 0;

	//filterchain中filter的个数
	private int n = 0;


    private Servlet servlet = null;


	public void doFilter(ServletRequest request, ServletResponse response)
	    throws IOException, ServletException {
	 	internalDoFilter(request,response);
	}

	private void internalDoFilter(ServletRequest request,
	                                  ServletResponse response)
	        throws IOException, ServletException {

        // 如果hasNext,则执行if{},调用filter.doFilter
        // 执行到 n-1 ,当pos = n时,return; 继续往下执行
        if (pos < n) {
            ApplicationFilterConfig filterConfig = filters[pos++];
             try {
                Filter filter = filterConfig.getFilter();

                filter.doFilter(request, response, this);
            } catch (IOException | ServletException | RuntimeException e) {
                throw e;
            } catch (Throwable e) {
                e = ExceptionUtils.unwrapInvocationTargetException(e);
                ExceptionUtils.handleThrowable(e);
                throw new ServletException(sm.getString("filterChain.filter"), e);
            }
            return;
        }

        // 当filterChain中 filter全部执行完毕后,执行servlet.service();
        servlet.service(request, response);
    }
}

此时正常请求时ApplicationFilterChain内容如下:
在这里插入图片描述

为什么处理异常时前后创建的ApplicationFilterChain,内容不一致
DispatcherType
每一个request都有DispatcherType类型,它是枚举类型

public enum DispatcherType {
    FORWARD,
    INCLUDE,
    REQUEST,
    ASYNC,
    ERROR
}

而每个Filter也有与之对应的类型:

    public class FilterMap extends XmlEncodingBase implements Serializable 
	    public static final int ERROR = 1;
	    public static final int FORWARD = 2;
	    public static final int INCLUDE = 4;
	    public static final int REQUEST = 8;
	    public static final int ASYNC = 16;
	}

在对servlet请求匹配关联Filter时,不仅需要匹配:URL,servletName更需要匹配DispatcherType.

FilterChainProxy

接上文中的FilterChainProxy的组成如下图:
在这里插入图片描述,我们都知道,SpringSecurity的异常都是交由ExceptionTranslationFilter来处理的:
ExceptionTranslationFilter

public class ExceptionTranslationFilter extends GenericFilterBean {
	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;

		try {
			//nextFilter为 FilterSecurityInterceptor
			//FilterSecurityInterceptor来判断是否通过认证和是否拥有权限;
			//若未通过则抛出对应的AuthenticationException(401),AccessDeniedException(403)
			chain.doFilter(request, response);
		}catch (IOException ex) {
			throw ex;
		}
		catch (Exception ex) {
			Throwable[] causeChain = throwableAnalyzer.determineCauseChain(ex);
			RuntimeException ase = (AuthenticationException) throwableAnalyzer
					.getFirstThrowableOfType(AuthenticationException.class, causeChain);

			//略 if()else{}判断....
			handleSpringSecurityException(request, response, chain, ase);
		}
	}


	private void handleSpringSecurityException(HttpServletRequest request,
			HttpServletResponse response, FilterChain chain, RuntimeException exception)
			throws IOException, ServletException {
		if (exception instanceof AuthenticationException) {
			//调用authenticationEntryPoint.commence(request, response, reason);
			sendStartAuthentication(request, response, chain,
					(AuthenticationException) exception);
		}
		else if (exception instanceof AccessDeniedException) {
			Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
			if (authenticationTrustResolver.isAnonymous(authentication) || authenticationTrustResolver.isRememberMe(authentication)) {
				//调用authenticationEntryPoint.commence(request, response, reason);
				sendStartAuthentication(
						request,
						response,
						chain,
						new InsufficientAuthenticationException(
							messages.getMessage(
								"ExceptionTranslationFilter.insufficientAuthentication",
								"Full authentication is required to access this resource")));
			}
			else {
				//调用accessDeniedHandler.handle()
				accessDeniedHandler.handle(request, response,
						(AccessDeniedException) exception);
			}
		}
	}

}
伊布拉西莫
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
Tomcat异常处理
snail_gesture的博客
07-31 2054
初次接触tomcat各种问题层出不穷,就我最近遇到的问题做一个总结。 PS:我安装的JDK是1.8.0_51 tomcat版本:apache-tomcat-7.0.63 免安装版本 1.闪退问题 在cmd命令中在tomcat的bin目录下输入startup.bat D:\tomcat\apache-tomcat-7.0.63\bin>startup.bat Using CATALINA_
tomcat异常解决
02-11
The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Java\jdk1.6.0_04\jre\bin;C:\Program Files\Tomcat 6.0\bin
Tomcat定义异常处理页面
我的世界我的梦
02-07 2010
    index.jsp               cn.hxex.message.exception.MessageDAOException        /error/daoerror.jsp  遇到MessageDAOException时会自动跳转到daoerror.jsp处理页面
tomcat 异常信息处理
weixin_33787529的博客
03-01 169
1.A child container failed during startjava.lang.ClassNotFoundException: org.slf4j.Loggerproject ---> propertiesDeployment Assembly设置【web部署部件】:...
Tomcat异常讲解
上善若泪
03-12 1291
文章目录1 Tomcat异常1.1 起步内存溢出问题Exception in thread http-bio-80801.1.1异常现象1.1.2解决方案1.2 At least one JAR was scanned for TLDs yet contained no TLDs解决办法1.3 tomcat HTTP Status 4051.4 java.lang.IllegalStateException;Cannot forward after response has been committe1
Packt.Hands-On.Spring.Security.5.for.Reactive.Applications
09-27
ecurity is one of the most vital concerns for any organization. The complexity of an application is compounded when you need to integrate security with existing code, new technology, and other ...
海康威视WEB3.0多版本开发控件.zip
07-05
海康威视WEB3.0,包含官方控件:CH_32位、CH_64位、CN_64位、火狐浏览器:4.00/45.0/50.0.1、IE浏览器:IE7-32位/64位。具体操作:https://blog.csdn.net/concealed0/article/details/88637413#comments
sqlserver2014更新补丁
03-17
解决控制台输出Security Warning: The negotiated TLS 1.0 is an insecure protocol and is suported for backward compatibility only. The reconmmmended protocol version is TLS 1.2 and later.
ESB Professional Computation Suite for VCL v6.2.0
08-10
By default with ESBPCS 6 and later, the setup.exe chooses c:\ESBPCS6 as the install directory to try and get around the 搒ecurity improvements?of Vista and above, where the UAC prevents things editing...
Tamcat两种异常处理方式
qq_41923771的博客
08-03 619
常见的Web服务器一般有;      WebLogic:  WebSphere  Tomcat   IIS   TomcatTomcat是一个实现了JAVA EE标准的最小的WEB服务器,是Apache 软件基金会的Jakarta 项目中的一个核心项目,由Apache、Sun 和其他一些公司及个人共同开发而成。因为Tomcat 技术先进、性能稳定,而且开源免费,因而深受Java 爱好者的喜爱并...
Tomcat常见报错以及手动实现Tomcat
最新发布
weixin_54107527的博客
09-22 3222
Tomcat:轻量级的 javaWeb 容器(服务器),也是当前应用最广的 JavaWeb 服务器
spring security oauth:自定义异常处理(授权服务)
szw-yunie的博客
02-25 3092
最近使用了 spring security oauth 来搭建认证服务,计划使用 oauth 的密码模式、以前端页面为客户端。 前后端交互要求统一相应结构,spring security oauth 默认的错误响应不满足要求。 本文对spring security oauth 授权服务对自定义异常处理、自定义异常响应问题提出解决办法。
xstream security framework of xstream not initialized xstream is probably vulnerable 问题解决办法
zgz15515397650的博客
03-01 8892
xstream security framework of xstream not initialized xstream is probably vulnerable 最近在使用 XStream 1.4.10 版本的时候遇到了一个安全问题:“xstream security framework of xstream not initialized xstream is probably vuln...
xStream:Security framework of XStream not initialized, XStream is probably vulnerable
霓虹深处
08-31 8451
今天在做微信公众号开发的时候,在解析xml的时候有一个红色的警告;大致的意思是说,XStream 的安全框架没被初始化,xstream 容易受攻击,这是一段红色的提示,实际使用过程中也没有大的问题。但是作为开发者来说,一个红色的提示太耀眼了,可能还是强迫症在作怪,所以我一直想把这个红色的提示给去掉。 xStream:Security framework of XStream not initi...
SpringFilter过滤器配置全局异常处理
Mr_FenKuan的博客
12-14 2731
SpringFilter过滤器配置全局异常处理 Filter中出现的异常spring的全局异常处理器是无法捕获的,所以filter拦截器中出现的异常会直接的抛向浏览器,在浏览器中显示500错误。 而我当前的项目中,是在Filter中判断用户是否有携带Token访问,如果没有,则抛出异常,让其做登录操作。而且异常信息要处理成json格式返回给前端。这就很尴尬了。 好了废话说多了,上解决方案: 结局方案: Filter拦截器中直接抛出异常信息 @Component public class Ad
TomcatApplicationFilterChain
Details Inside Spring
01-11 8304
概述 Tomcat的类ApplicationFilterChain是一个Java Servlet API规范javax.servlet.FilterChain的实现,用于管理某个请求request的一组过滤器Filter的执行。当针对一个request所定义的一组过滤器Filter执行完后,下一个doFilter()调用就会执行目标Servlet的方法service()。 需要注意的是,这里针
一文搞定 Spring Security 异常处理机制!
m0_71777195的博客
07-08 2699
今天来和小伙伴们聊一聊 Spring Security 中的异常处理机制。在 Spring Security 的过滤器链中,ExceptionTranslationFilter 过滤器专门用来处理异常,在 ExceptionTranslationFilter 中,我们可以看到,异常被分为了两大类:认证异常和授权异常,两种异常分别由不同的回调函数来处理,今天就来和大家分享一下这里的条条框框。Spring Security 中的异常可以分为两大类,一种是认证异常,一种是授权异常。认证异常就是 Authentic
Spring Boot : 全局异常捕捉(三)
shangmingtao的博客
06-28 3802
在写 Spring Boot : 自动JSON转换和热部署(二) 时本来想把全局异常捕捉加上的,但是不知道为什么测试一直没成功.今天又看了下全局异常捕捉@ControllerAdvice 和 @ExceptionHandler 两个标签. 参考 : Spring3.2新注解@ControllerAdvice , 在spring扫描bean的时候一定要把全局异常捕捉类扫描进来,否则是不成功的.下面是反
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值