Spring Security Filter Chain 和定义 FilterRegistrationBean

huangapple go评论71阅读模式
英文:

Spring Security Filter Chain and defining FilterRegistartionBean

问题

I am playing around with spring boot + spring security and filter chain configuration and have noticed something for which I don't find much relevant information in the spring docs.

我正在尝试使用Spring Boot + Spring Security和过滤器链配置,并注意到了一些问题,这些问题在Spring文档中没有找到相关信息。

I have a security filter chain config, where I have added a couple of custom filters (using http.addFilterBefore(...))

我有一个安全过滤器链配置,在其中我添加了一些自定义过滤器(使用 http.addFilterBefore(...) )。

I have also created a Filter configuration such that it defines several FilterRegistrationBean<> methods.

我还创建了一个过滤器配置,其中定义了多个 FilterRegistrationBean<> 方法。

When booting the application, the logger prints the SecurityFilterChain, which contains the custom filters defined in the security filter chain config, however, I want to know where the rest of the filter beans exist in the servlet filter chain.

在启动应用程序时,日志记录器会打印SecurityFilterChain,其中包含在安全过滤器链配置中定义的自定义过滤器,但我想知道其余的过滤器bean在Servlet过滤器链中的位置。

I inspected the filter chain architecture when using spring security and know that the DelegatingFilterProxy contains the FilterChainProxy which in turn contains all security filters, as defined by each SecurityFilterChain configuration.

我在使用Spring Security时检查了过滤器链架构,知道DelegatingFilterProxy 包含 FilterChainProxy,而 FilterChainProxy 包含每个 SecurityFilterChain 配置中定义的所有安全过滤器。

Where do the FilterRegistrationBean<> filter beans get in the servlet filter chain? I like the flexibility they provide, but don't know how they are placed in order to properly order my filter chain.

FilterRegistrationBean<> 过滤器bean放在Servlet过滤器链的哪里?我喜欢它们提供的灵活性,但不知道它们如何排列以正确排序我的过滤器链。

英文:

I am playing around with spring boot + spring security and filter chain configuration and have noticed something for which I don't find much relevant information in the spring docs.

I have a security filter chain config, where I have added a couple of custom filters (using http.addFilterBefore(...))

I have also created a Filter configuration such that it defines several FilterRegistrationBean<> methods.

When booting the application, the logger prints the SecurityFilterChain, which contains the custom filters defined in the security filter chain config, however, I want to know where the rest of the filter beans exist in the servlet filter chain.

I inspected the filter chain architecture when using spring security and know that the DelegatingFilterProxy contains the FilterChainProxy which in turn contains all security filters, as defined by each SecurityFilterChain configuration.

Where do the FilterRegistrationBean<> filter beans get in the servlet filter chain? I like the flexibility they provide, but don't know how they are placed in order to properly order my filter chain.

答案1

得分: 1

安全过滤器链在requestContextFilter之后,作为一个单独的Servlet容器过滤器。它包含了所有内部的过滤器,而FilterRegistrationBean<>中的过滤器则注册为单独的Servlet容器过滤器。

回答我自己的问题,将过滤器注册为FilterRegistrationBean<>会根据您指定的顺序将它们放入Servlet容器过滤器链中,这意味着您可以根据需求将它们放在安全过滤器链之前/之后。

在我的情况和观点下,一个人应该首先考虑每个过滤器的目的:

  1. 仅与安全性相关的过滤器,例如身份验证,应该放在安全过滤器链中。
  2. 通用的应用程序过滤器,例如日志记录过滤器,应该注册为FilterRegistration<> beans,最终会放入Servlet过滤器链中。

注意: 请记住,安全过滤器不应该声明为beans,因为这将使它们成为Servlet容器过滤器,这可能会导致在过滤器链中调用相同的过滤器两次。

英文:

Okay, I did some more debugging and troubleshooting and found out the answer:

Security filter chain comes after the requestContextFilter, as a separate servlet container filter. It holds all filters internal to it, while FilterRegistrationBean&lt;&gt; filters are registered as separate servlet container filters.

To answer my own question, registering filters as FilterRegistrationBean&lt;&gt; puts them in the servlet container filter chain according to the order you specify, meaning, you could place them before/after the security filter chain based on your requirement.

In my case and opinion, one should first think about the purpose of each filter:

  1. Filters that deal solely with security, e.g authentication should go in the security filter chain
  2. General application filters, e.g logging filter should be registered as FilterRegistration<> beans, which eventually get placed in the servlet filter chain

Note: Keep in mind that security filters should not be declared as beans, as that would put them as servlet container filters, which might result in the same filter being called twice in the filter chain.

huangapple
  • 本文由 发表于 2023年6月29日 18:10:58
  • 转载请务必保留本文链接:https://go.coder-hub.com/76580075.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定