- 定义自己的过滤器
- 指定位置,通过
HttpSecurity
的方法指定
定义过滤器
package com.qiudaozhang.springsecurity.filter;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class RequestHeadCheckFilter implements Filter {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
var httpRequest = (HttpServletRequest) servletRequest;
var httpResponse = (HttpServletResponse) servletResponse;
String requestId = httpRequest.getHeader("Request-id");
if(requestId == null || requestId.isBlank()) {
httpResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
return;
}
filterChain.doFilter(servletRequest,servletResponse);
}
}
package com.qiudaozhang.springsecurity.filter;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class RequestParamCheckFilter implements Filter {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
var httpRequest = (HttpServletRequest) servletRequest;
var httpResponse = (HttpServletResponse) servletResponse;
String timestamp = httpRequest.getParameter("timestamp");
if(timestamp == null || timestamp.isBlank()) {
httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
filterChain.doFilter(servletRequest,servletResponse);
}
}
指定位置
HttpSecurity
中有两个方法,指定过滤器的位置,一个指定在谁前面,一个指定在谁后面。
public HttpSecurity addFilterAfter(Filter filter, Class<? extends Filter> afterFilter) {
this.comparator.registerAfter(filter.getClass(), afterFilter);
return this.addFilter(filter);
}
public HttpSecurity addFilterBefore(Filter filter, Class<? extends Filter> beforeFilter) {
this.comparator.registerBefore(filter.getClass(), beforeFilter);
return this.addFilter(filter);
}
package com.qiudaozhang.springsecurity.config;
import com.qiudaozhang.springsecurity.filter.RequestHeadCheckFilter;
import com.qiudaozhang.springsecurity.filter.RequestParamCheckFilter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(
new RequestHeadCheckFilter(),
BasicAuthenticationFilter.class
)
.addFilterAfter(new RequestParamCheckFilter(),BasicAuthenticationFilter.class)
.authorizeRequests()
.anyRequest()
.permitAll();
}
}
测试
准备一个端点测试
package com.qiudaozhang.springsecurity.controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HelloController {
@GetMapping("hello")
public String hello () {
return "hello";
}
}
当前没有传递timestamp参数,所以参照约定,过滤器直接给出403.
当前头部信息和参数信息都提供了,检测通过。
实际应用场景
- 检测相关的头部,参数等等信息
- 日志过滤器,将所有请求的相关数据记录下来
- 特殊的权限校验等等。