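After browsing around some more, I found the following answer; I hope it is useful to someone.
TL;DR: Just using http.addFilter(new MyPreAuthFilter) is correct, because the proper order is established automatically for subclasses of AbstractPreAuthenticatedProcessingFilter.
So, here is the full explanation: looking at HttpSecurity's addFilter(), we see that it does the following: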
public HttpSecurity addFilter(Filter filter) {
    Class<? extends Filter> filterClass = filter.getClass();
    if (!comparitor.isRegistered(filterClass)) {
        throw new IllegalArgumentException(...); // Complain about missing order
    }
    this.filters.add(filter);
    return this;
}
First, note the following two facts:
public HttpSecurity addFilterAfter(Filter filter,
        Class<? extends Filter> afterFilter) {
    comparitor.registerAfter(filter.getClass(), afterFilter);
    return addFilter(filter);
}
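Now, remember that http.addFilter(new MyPreAuthFilter()) (where class MyPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {…}) works without throwing an exception. This means that AbstractPreAuthenticatedProcessingFilter (or one of its superclasses) must already be registered in the comparator. And, indeed, looking at the constructor of FilterComparator, we see that the following order is established: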
...
final int STEP = 100;
...
int order = 100;
put(ChannelProcessingFilter.class, order);
order += STEP;
put(ConcurrentSessionFilter.class, order);
order += STEP;
... // more filters
put(X509AuthenticationFilter.class, order);
order += STEP;
put(AbstractPreAuthenticatedProcessingFilter.class, order);
order += STEP;
...
put(UsernamePasswordAuthenticationFilter.class, order);
order += STEP;
...
put(ExceptionTranslationFilter.class, order);
order += STEP;
put(FilterSecurityInterceptor.class, order);
...
Therefore, using HttpSecurity::addFilter for subclasses of AbstractPreAuthenticatedProcessingFilter is the right answer.
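
The lookup this answer relies on, as an added example that is not part of the original post and is not Spring Security's own code: a plain-Java model in which the order registry is searched by walking up the class hierarchy, so a subclass inherits its parent's slot while a filter with no registered ancestor is rejected. The nested classes are stand-ins named after the real filters, the order values are constructed, and FilterOrderModel, UnrelatedFilter and getOrder are hypothetical names; the superclass walk is an assumption about how the comparator resolves subclasses.

```java
import java.util.*;

public class FilterOrderModel {
    // Stand-ins for the classes named in the answer (not the real Spring types).
    static class Filter {}
    static class X509AuthenticationFilter extends Filter {}
    static abstract class AbstractPreAuthenticatedProcessingFilter extends Filter {}
    static class UsernamePasswordAuthenticationFilter extends Filter {}
    static class MyPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {}
    static class UnrelatedFilter extends Filter {} // hypothetical: no registered ancestor

    static final int STEP = 100;
    static final Map<Class<?>, Integer> ORDER = new HashMap<>();
    static {
        int order = 100; // constructed values; only the relative order matters
        for (Class<?> c : Arrays.asList(X509AuthenticationFilter.class,
                AbstractPreAuthenticatedProcessingFilter.class,
                UsernamePasswordAuthenticationFilter.class)) {
            ORDER.put(c, order);
            order += STEP;
        }
    }

    // Walk up the hierarchy until a registered class is found; null if none is.
    static Integer getOrder(Class<?> clazz) {
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            Integer o = ORDER.get(c);
            if (o != null) return o;
        }
        return null;
    }

    static final List<Filter> filters = new ArrayList<>();

    static void addFilter(Filter f) {
        if (getOrder(f.getClass()) == null) // same guard as addFilter() in the answer
            throw new IllegalArgumentException(
                "no registered order for " + f.getClass().getSimpleName());
        filters.add(f);
    }

    public static void main(String[] args) {
        addFilter(new UsernamePasswordAuthenticationFilter());
        addFilter(new MyPreAuthFilter()); // accepted through its superclass's slot
        filters.sort(Comparator.comparingInt((Filter f) -> getOrder(f.getClass())));
        for (Filter f : filters) System.out.println(f.getClass().getSimpleName());
        try { addFilter(new UnrelatedFilter()); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In this model the pre-authentication subclass sorts ahead of the username/password filter even though it was added second, which is the ordering property that matters when an externally asserted identity must be evaluated before form login.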