过滤器链未自动装配到我的自定义过滤器类中答案

【问题标题】：Filter Chain not autowiring into my custom filter class过滤器链未自动装配到我的自定义过滤器类中
【发布时间】：2015-03-05 02:40:32
【问题描述】：

我正在通过扩展 UsernamePasswordAuthenticationFilter 并覆盖 requiresAuthentication 方法来实现自定义过滤器。但是，在这种方法中，我需要访问过滤器链。因此，我将其自动装配进去。但是，在尝试构建时，它会说 FilterChain 没有这样的 bean。

web.xml：

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/security-context.xml
        </param-value>
    </context-param>

    <!-- Creates the Spring Container shared by all Servlets and Filters -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

</web-app>

安全上下文.xml：

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:http 
            realm="Protected API"
            use-expressions="true"
            auto-config="false"
            create-session="stateless"
            entry-point-ref="unauthorizedEntryPoint">
        <security:intercept-url pattern="/User/sign_up/*" access="permitAll" />
        <security:intercept-url pattern="/User/authenticate/**" access="permitAll" />
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <security:custom-filter ref="authenticationTokenFilter" position="FORM_LOGIN_FILTER" />
    </security:http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="customAuthenticationProvider" />
    </authentication-manager>

    <beans:bean id="customAuthenticationProvider" class="pathTo:CustomAuthenticationProvider"></beans:bean>

    <beans:bean id="unauthorizedEntryPoint" class="pathTo:UnauthorizedEntryPoint" />

     <beans:bean id="mySuccessHandler" class="pathTo:SuccessHandler" />

    <beans:bean
        class="pathTo:AuthenticationTokenFilter"
        id="authenticationTokenFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="postOnly" value="false" />
        <beans:property name="authenticationSuccessHandler" ref="mySuccessHandler" />
    </beans:bean>


    <context:component-scan base-package="base package" />
    <context:annotation-config />


</beans:beans>

过滤器：

public class AuthenticationTokenFilter extends UsernamePasswordAuthenticationFilter  {  

    @Autowired
    FilterChain chain;


    @Override
    protected boolean requiresAuthentication(HttpServletRequest request,
            HttpServletResponse response) {
        System.out.println("here");
        boolean retVal = false;
        String username = request.getHeader("j_username");
        String password = request.getHeader("j_password");
        System.out.println("username: " + username + " password: " + password);
        if (username != null && password != null) {
            Authentication authResult = null;
            try {
                authResult = attemptAuthentication(request, response);
                System.out.println(authResult.getName());
                if (authResult == null) {
                    retVal = false;
                }
            } catch (AuthenticationException failed) {
                try {
                    System.out.println("auth failed");
                    unsuccessfulAuthentication(request, response, failed);
                } catch (IOException e) {
                    retVal = false;
                } catch (ServletException e) {
                    retVal = false;
                }
                retVal = false;
            }
            try {
                successfulAuthentication(request, response, chain, authResult);
            } catch (IOException e) {
                retVal = false;
            } catch (ServletException e) {
                retVal = false;
            }
            return false;
        } else {
            System.out.println("not calling authenticate");
            retVal = true;
        }
        return retVal;
    }

    protected String obtainPassword(HttpServletRequest request) {
        return request.getHeader("j_password");
    }

    protected String obtainUsername(HttpServletRequest request) {
        return request.getHeader("j_username");
    }

没有filterChain还有其他方法吗？否则，它应该能够做到这一点，因为 filterChain 是在 web.xml 中定义的。

关于如何解决这个问题的任何想法？

【问题讨论】：

标签： java spring spring-security

【解决方案1】：

更改代码可能会起作用

<beans:bean
    class="pathTo:AuthenticationManagerHandler"
    id="authenticationTokenFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="postOnly" value="false" />
    <beans:property name="authenticationSuccessHandler" ref="mySuccessHandler" />
</beans:bean>

这里是 AuthenticationManagerHandler 类

public class AuthenticationManagerHandler extends AbstractAuthenticationProcessingFilter {

private static final String INTERCEPTOR_PROCESS_URL = "/j_spring_security_check";

private AuthenticationUtil util;

public AuthenticationManagerHandler() {
    super(INTERCEPTOR_PROCESS_URL);        
}

@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {

    String username = request.getParameter("j_username");
    String password = request.getParameter("j_password");
    UsernamePasswordAuthenticationToken authRequest = null;
    if(util== null) {
        util= ApplicationContext.getInstance(AuthenticationUtil.class);
    }
    if(util.isLDAPEnalbed()) {
        authRequest = new LDAPUsernamePasswordAuthenticationToken(username, password);            
    }
    else {
        authRequest = new DBUsernamePasswordAuthenticationToken(username, password);    
    }
    setDetails(request, authRequest);
    return getAuthenticationManager().authenticate(authRequest);
}

protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest)
{
  authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
}

private static final class SubStringFilterProcessUrlRequestMatcher implements RequestMatcher {

    private final List<String> filterProcessUrls;

    private SubStringFilterProcessUrlRequestMatcher(List<String> filterProcessUrls) {
        Assert.notEmpty(filterProcessUrls, "filterProcessesUrl must be specified");
        for (String filterProcessesUrl : filterProcessUrls) {
            Assert.isTrue(UrlUtils.isValidRedirectUrl(filterProcessesUrl), filterProcessesUrl + " isn't a valid redirect URL");
        }
        this.filterProcessUrls = filterProcessUrls;
    }

    public boolean matches(HttpServletRequest request) {
        for (String filterProcessesUrl : filterProcessUrls) {
            if (matches(request, filterProcessesUrl)) {
                return true;
            }

        }
        return false;
    }

    private boolean matches(HttpServletRequest request, String filterProcessesUrl) {
        String uri = request.getRequestURI();
        int pathParamIndex = uri.indexOf(';');

        if (pathParamIndex > 0) {
            // strip everything after the first semi-colon
            uri = uri.substring(0, pathParamIndex);
        }

        if ("".equals(request.getContextPath())) {
            return uri.endsWith(filterProcessesUrl);
        }

        return uri.contains(filterProcessesUrl);
    }
}    

}

【讨论】：

谢谢。不过，我最终以不同的方式进行操作并使其正常工作

【解决方案2】：

我最终将我的过滤器实现更改为直接调用我的身份验证提供程序（我应该如何开始。我还删除了成功处理程序，因为它最终不是我想要实现的。我会分享我更新的过滤器如下：

public class AuthenticationTokenFilter extends UsernamePasswordAuthenticationFilter  {  

    @Autowired
    private CustomAuthenticationProvider authProvider;


    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

        String username = obtainUsername(request);
        String password = obtainPassword(request);

        if (username == null) {
            username = "";
        }

        if (password == null) {
            password = "";
        }

        username = username.trim();

        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);

        return this.authProvider.authenticate(authRequest);
    }



    @Override
    protected String obtainPassword(HttpServletRequest request) {
        return request.getHeader("X_password");
    }

    @Override
    protected String obtainUsername(HttpServletRequest request) {
        return request.getHeader("X_username");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
            ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        Authentication auth = attemptAuthentication(httpRequest, httpResponse);
        SecurityContextHolder.getContext().setAuthentication(auth);

        chain.doFilter(request, response);

    }



}

这避免了必须调用successfulAuthentication（我的其他方法需要）的问题。现在这种方法更简单了，因为不推荐使用不带 FilterChain 的成功身份验证。

感谢您的帮助！

【讨论】：