我需要为 FORM_LOGIN_FILTER 添加两个自定义过滤器,例如
<custom-filter after="FORM_LOGIN_FILTER" ref="myUsernamePasswordAuthenticationFilter" />
<custom-filter after="FORM_LOGIN_FILTER" ref="myUsernamePasswordAuthenticationFilter2" />
我期望的过滤器序列是:
1. 预定义FORM_LOGIN_FILTER
2. myUsernamePasswordAuthenticationFilter
3. myUsernamePasswordAuthenticationFilter2
但是上面会导致配置错误。 那么,有人知道如何编写正确的配置吗? 谢谢!
【问题讨论】:
标签: java spring spring-security
使用 Spring 的 CompositeFilter 包装您的自定义过滤器列表,然后将该过滤器放在 SecurityFilterChain 上的相关位置。
例如像这样:
<bean id="customFilters" class="org.springframework.web.filter.CompositeFilter">
<property name="filters">
<list>
<ref bean="myUsernamePasswordAuthenticationFilter"/>
<ref bean="myUsernamePasswordAuthenticationFilter2"/>
</list>
</property>
</bean>
...
<custom-filter after="FORM_LOGIN_FILTER" ref="customFilters" />
【讨论】:
这样做:
<custom-filter after="FORM_LOGIN_FILTER" ref="myUsernamePasswordAuthenticationFilter" />
<custom-filter before="BASIC_AUTH_FILTER" ref="myUsernamePasswordAuthenticationFilter2" />
这应该把它们放在你想要的地方。
【讨论】:
我是这样解决的:
public class QmLoginFilterWrapper extends GenericFilterBean implements ApplicationEventPublisherAware,
MessageSourceAware
{
private static final Logger LOGGER = LoggerFactory.getLogger(QmLoginFilterWrapper.class);
private List<AbstractAuthenticationProcessingFilter> filterList = new ArrayList<AbstractAuthenticationProcessingFilter>();
@Override
public void doFilter(ServletRequest request, ServletResponse response, final FilterChain chain) throws IOException,
ServletException
{
FilterChain filterChain = new FilterChain() {
@Override
public void doFilter(ServletRequest arg0, ServletResponse arg1) throws IOException, ServletException
{
chain.doFilter(arg0, arg1);
}
};
Vector<FilterChain> filterChains = new Vector<FilterChain>();
filterChains.add(filterChain);
if (LOGGER.isDebugEnabled())
{
LOGGER.debug("Filtering {} filters", filterList.size());
}
for (final GenericFilterBean filter : filterList)
{
final FilterChain lastChain = filterChains.lastElement();
FilterChain loopChain = new FilterChain() {
@Override
public void doFilter(ServletRequest arg0, ServletResponse arg1) throws IOException, ServletException
{
if (LOGGER.isDebugEnabled())
{
LOGGER.debug("running filter {}", filter.getClass().getName());
}
filter.doFilter(arg0, arg1, lastChain);
}
};
filterChains.add(loopChain);
}
filterChains.lastElement().doFilter(request, response);
}
@Override
public void setMessageSource(MessageSource messageSource)
{
for (MessageSourceAware filter : filterList)
{
filter.setMessageSource(messageSource);
}
}
@Override
public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
{
for (ApplicationEventPublisherAware applicationEventPublisherAware : filterList)
{
applicationEventPublisherAware.setApplicationEventPublisher(applicationEventPublisher);
}
}
public List<AbstractAuthenticationProcessingFilter> getFilterList()
{
return filterList;
}
public void setFilterList(List<AbstractAuthenticationProcessingFilter> filterList)
{
this.filterList = filterList;
Collections.reverse(this.filterList);
}
}
然后在我的上下文 XML 中:
<bean id="qmAuthFilter" class="com.qmplus.common.logon.QmLoginFilterWrapper">
<property name="filterList">
<list>
<ref local="samlProcessingFilter" />
<ref local="usernamePasswordAuthenticationFilter" />
</list>
</property>
</bean>
【讨论】: