我有一个自定义的Spring Security过滤器,可以扩展GenericFilterBean。
为了进行自动依赖和bean创建,我添加了一个@Component注释。
在我的安全配置中,我也注册过滤器,如:
@Autowired
private RestAuthenticationFilter restAuthenticationFilter;
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.addFilterBefore(restAuthenticationFilter, LogoutFilter.class)
除了我的过滤器被调用两次外,一切运行良好... 看起来,Spring还会自动将过滤器添加到标准过滤器中。
这里最好的方法是什么?
更新
@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application extends WebMvcConfigurerAdapter {
@Autowired
private RestAuthenticationFilter restAuthenticationFilter;
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
@Bean
public ApplicationSecurity applicationSecurity() {
return new ApplicationSecurity();
}
@Bean
public FilterRegistrationBean filterRegistrationBean() {
FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
filterRegistrationBean.setEnabled(false);
filterRegistrationBean.setFilter(restAuthenticationFilter);
return filterRegistrationBean;
}
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private RestAuthenticationFilter restAuthenticationFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.addFilterBefore(restAuthenticationFilter, LogoutFilter.class)
.authorizeRequests()
.anyRequest().authenticated()
.and()
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(new Http403ForbiddenEntryPoint())
.and()
.requestCache()
.requestCache(new NullRequestCache())
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// @formatter:on
}
}
}
答案 0 :(得分:7)
您需要明确注册过滤器并将其标记为" enabled = false"使用FilterRegistrationBean API。然后Spring Security将在其链中使用它,但Boot也不会尝试注册它。