使用 @ControllerAdvice 制作简单的 servlet 过滤器

Question

我有一个简单的过滤器，只是为了检查请求是否包含带有静态密钥的特殊标头 - 没有用户身份验证 - 只是为了保护端点。这个想法是如果键不匹配则抛出AccessForbiddenException，然后将其映射到带有@ControllerAdvice注释的类的响应。但是我不能让它工作。我的@ExceptionHandler 没有被调用。

ClientKeyFilter

import org.springframework.beans.factory.annotation.Value
import org.springframework.stereotype.Controller

import javax.servlet.*
import javax.servlet.http.HttpServletRequest

@Controller //I know that @Component might be here
public class ClientKeyFilter implements Filter {

  @Value('${CLIENT_KEY}')
  String clientKey

  public void init(FilterConfig filterConfig) {}

  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
    req = (HttpServletRequest) req
    def reqClientKey = req.getHeader('Client-Key')
    if (!clientKey.equals(reqClientKey)) {
      throw new AccessForbiddenException('Invalid API key')
    }
    chain.doFilter(req, res)
  }

  public void destroy() {}
}

AccessForbiddenException

public class AccessForbiddenException extends RuntimeException {
  AccessForbiddenException(String message) {
    super(message)
  }
}

异常控制器

@ControllerAdvice
class ExceptionController {
  static final Logger logger = LoggerFactory.getLogger(ExceptionController)

  @ExceptionHandler(AccessForbiddenException)
  public ResponseEntity handleException(HttpServletRequest request, AccessForbiddenException e) {
    logger.error('Caught exception.', e)
    return new ResponseEntity<>(e.getMessage(), I_AM_A_TEAPOT)
  }
}

我哪里错了？简单的 servlet 过滤器可以和 spring-boot 的异常映射一起工作吗？

Answer 1

正如java servlet 规范Filters 所指定的，总是在调用Servlet 之前执行。现在@ControllerAdvice 仅对在DispatcherServlet 内执行的控制器有用。因此，使用Filter 并期待@ControllerAdvice 或在本例中为@ExceptionHandler，将不会被调用。

您需要在过滤器中放入相同的逻辑（用于编写 JSON 响应），或者使用执行此检查的 HandlerInterceptor 代替过滤器。最简单的方法是扩展 HandlerInterceptorAdapter 并重写并实现 preHandle 方法并将过滤器中的逻辑放入该方法中。

public class ClientKeyInterceptor extends HandlerInterceptorAdapter {

    @Value('${CLIENT_KEY}')
    String clientKey

    @Override
    public boolean preHandle(ServletRequest req, ServletResponse res, Object handler) {
        String reqClientKey = req.getHeader('Client-Key')
        if (!clientKey.equals(reqClientKey)) {
          throw new AccessForbiddenException('Invalid API key')
        }
        return true;
    }

}

Answer 2

你不能使用@ControllerAdvice，因为它会在某些控制器出现异常的情况下被调用，但你的ClientKeyFilter不是@Controller。

您应该将@Controller 注释替换为@Component，然后像这样设置响应正文和状态：

@Component
public class ClientKeyFilter implements Filter {

    @Value('${CLIENT_KEY}')
    String clientKey

    public void init(FilterConfig filterConfig) {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String reqClientKey = request.getHeader("Client-Key");

        if (!clientKey.equals(reqClientKey)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid API key");
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}

Answer 3

Java 类中的 Servlet 过滤器用于以下目的：

• 在客户端访问后端资源之前检查来自客户端的请求。
• 在发送回客户端之前检查来自服务器的响应。

@ControllerAdvice 可能无法捕获来自 Filter 的异常抛出，因为 in 可能无法到达 DispatcherServlet。我在我的项目中处理如下：

protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        String token = null;
        String bearerToken = request.getHeader("Authorization");

        if (bearerToken != null && (bearerToken.contains("Bearer "))) {
            if (bearerToken.startsWith("Bearer "))
                token = bearerToken.substring(7, bearerToken.length());
            try {
                AuthenticationInfo authInfo = TokenHandler.validateToken(token);
                logger.debug("Found id:{}", authInfo.getId());
                authInfo.uri = request.getRequestURI();
                
                AuthPersistenceBean persistentBean = new AuthPersistenceBean(authInfo);
                SecurityContextHolder.getContext().setAuthentication(persistentBean);
                logger.debug("Found id:'{}', added into SecurityContextHolder", authInfo.getId());
                
            } catch (AuthenticationException authException) {
                logger.error("User Unauthorized: Invalid token provided");
                raiseException(request, response);
                return;
            } catch (Exception e) {
                raiseException(request, response);
                return;
            }

// 包装错误响应

private void raiseException(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
    response.setContentType(MediaType.APPLICATION_JSON_VALUE);
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    ApiError apiError = new ApiError(HttpStatus.UNAUTHORIZED);
    apiError.setMessage("User Unauthorized: Invalid token provided");
    apiError.setPath(request.getRequestURI());
    byte[] body = new ObjectMapper().writeValueAsBytes(apiError);
    response.getOutputStream().write(body);
}

// ApiError 类

public class ApiError {
    // 4xx and 5xx
    private HttpStatus status;

    // holds a user-friendly message about the error.
    private String message;

    // holds a system message describing the error in more detail.
    private String debugMessage;

    // returns the part of this request's URL
    private String path;

    public ApiError(HttpStatus status) {
      this();
      this.status = status;
    }
   //setter and getters