Spring Security配置中是否可以添加多个过滤器?

huangapple go评论111阅读模式
英文:

Can multiple filters be added to spring security configuration?

问题

这是我在过去一周一直在努力解决的问题,我需要在变得疯狂之前找到答案。我试图在每次IP连接到我们的系统时执行特定任务。不详细说明,我的工作解决方案是通过我们的WebSecurityConfigurationAdapter实现的,我已经证明每次IP连接时都会触发它。根据我的努力,代码看起来像这样:

// 这部分代码最初就在这里
@Bean
public JwtAuthenticationFilter jwtAuthenticationFilter() {
    return new JwtAuthenticationFilter();
}

// 这部分是我添加的
@Bean
public IPFilter ipFilter() {
    return new IPFilter();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.//这里有大量配置HttpSecurity对象的代码,我不会分享
    
    // jwt过滤器以前存在并且运行正常。我添加了ipFilter()
    http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterAfter(ipFilter(), JwtAuthenticationFilter.class);
}

我的最初计划是尝试将此任务实现到现有的Jwt过滤器中,但是各种开发相关的问题导致了在其上实现一个单独的过滤器的想法。添加新过滤器的代码看起来像是添加这样一行,但是使用新的过滤器。

然而,五个工作日和40个小时的开发时间后,我仍然试图弄清楚问题出在哪里。当我添加这个新的过滤器时,我得到了一堆(不太有帮助的)错误,并且应用程序通常不工作。我已经将问题缩小到添加这个新过滤器的操作上,但是过滤器本身非常简单:

public class IPFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        AuditLogger.log(AuditMessageType.IP_CONNECT, "Detecting connection from IP Address: " + request.getRemoteAddr());
        log.trace("Request from: " + request.getRemoteAddr());
    }
}

因此,我完全不知道为什么每当我指定将这个过滤器添加到堆栈时,系统总是崩溃。我尝试查找在线上类似的示例,但没有找到任何信息。这让我想知道是否可能做到这一点,如果不可能,那么为什么会这样?

英文:

This is an issue I've been struggling with for the past week, and I need answers before I go insane. I'm trying to do a specific task every time an IP connects to our system. Without going into much detail, my working solution is to implement this via our WebSecurityConfigurationAdapter, which I've proven reliably goes off when an IP connects. Following my efforts, the code looks something like this:

// this block of code was here originally
@Bean
public JwtAuthenticationFilter jwtAuthenticationFilter() {
    return new JwtAuthenticationFilter();
}

// this block is my addition
@Bean
public IPFilter ipFilter() {
    return new IPFilter();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.//there's a HUGE bulk of configuring the HttpSecurity object here that I'm not gonna share

    // the jwt filter existed previously and worked fine. I have added ipFilter()
    http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterAfter(ipFilter(), JwtAuthenticationFilter.class);
}

My original plan was to try and implement this task into the existing Jwt filter, but various dev-related complications led to the idea of implementing a separate filter to add on top of this one. It seemed like a simple case of adding a line just like this one but with the new filter.

Well, five business days and 40 hours of lost dev time later, I'm still trying to figure out what's wrong. When I add this new filter, I get a bunch of (unhelpful) errors and the application generally just... does not work. I've narrowed my issue down to the act of adding this new filter, but the filter itself is extremely simplistic:

public class IPFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        AuditLogger.log(AuditMessageType.IP_CONNECT, "Detecting connection from IP Address: " + request.getRemoteAddr());
        log.trace("Request from: " + request.getRemoteAddr());
    }
}

I am thus fully at a loss as to why, whenever I specify to add this filter to the stack, the system always crashes and burns. I've attempted to look up examples of this sort of thing online and have turned up nothing. This leads me to wonder if this is even possible to do, and if not then why so?

答案1

得分: 0

我的一个同事决定将 filterChain.doFilter(request, response); 添加到代码中,问题得到解决。据他们说,否则会返回“空的 200 响应”,这是我不知道的,因为我没有在输出日志中注意到这个问题。

我之前没有在代码中加入这行代码的原因是,这个问题发生在代码中已经有这行代码的情况下,我认为它是不必要的,因为这个“过滤器”并不是用来过滤任何内容的,而是作为注入日志逻辑的方式。

英文:

A coworker of mine decided to add filterChain.doFilter(request, response); to the code and that solved the issue. According to them, it was otherwise returning "empty 200 responses", something I wasn't aware of because I hadn't spotted that in the output logs.

The reason why I hadn't put this in the code in the first place was that this problem was occurring while that line was in the code and I assumed it was unnecessary because the "filter" wasn't intended to filter anything and serve instead as an injection of logging logic.

huangapple
  • 本文由 发表于 2023年8月4日 23:57:43
  • 转载请务必保留本文链接:https://go.coder-hub.com/76837504.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定