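My project only needs the Spring Security Basic HTML Authentication Filter to protect a REST API.
Since I am new to Spring Security, I would like to know which filters in the filter chain are not needed. I did some research that says securityContextPersistenceFilter
needs to be set before any authentication filter; what about the others?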
securityContextPersistenceFilter //It should be needed..
logoutFilter, // I'm not so sure about this..
authenticationProcessingFilter, // I guess it should not be necessary, because user will just use header to hold the credential
concurrentSessionFilter, // I guess no
basicAuthenticationFilter, // Should be needed
securityContextHolderAwareRequestFilter, //It's required because the need to judge the ROLE of the user
rememberMeAuthenticationFilter, // I guess no
anonymousAuthenticationFilter, // I'm not so sure
exceptionTranslationFilter, // Should be needed
filterInvocationInterceptor // I'm not so sure
Am I right about everything in the list?
Answer 0 (score: 1)
I think you only need:
securityContextPersistenceFilter // It should be needed..
basicAuthenticationFilter, // Should be needed
securityContextHolderAwareRequestFilter, // for internal stuff also
anonymousAuthenticationFilter, // for default/non-logged in user
exceptionTranslationFilter, // catches security exceptions
filterInvocationInterceptor // defines which url are accessible, etc
There is also a good description: http://docs.spring.io/spring-security/site/docs/3.0.x/reference/security-filter-chain.html#d0e2952
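
The reduced chain from the answer above, expressed as Java configuration. This is an added example, not code from the question or the answer; it assumes Spring Security 6.1 or later (the page links the 3.0.x reference) and a UserDetailsService bean defined elsewhere. The class name, the "/api/**" pattern, the realm and the role are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Added example: assumes Spring Security 6.1+ and a UserDetailsService bean elsewhere.
// RestBasicAuthConfig, "/api/**", the realm "api" and API_USER are hypothetical names.
@Configuration
@EnableWebSecurity
public class RestBasicAuthConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            // basicAuthenticationFilter: credentials arrive in the Authorization
            // header on every request, so serve this API over TLS only.
            .httpBasic(basic -> basic.realmName("api"))
            // Authorization step; AuthorizationFilter replaces the older
            // filterInvocationInterceptor (FilterSecurityInterceptor).
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("API_USER"))
            // Never create or use an HttpSession for the security context;
            // each request is re-authenticated from its header.
            .sessionManagement(s ->
                s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // logoutFilter and the saved-request cache only make sense with
            // sessions and login redirects, so drop them from the chain.
            .logout(AbstractHttpConfigurer::disable)
            .requestCache(AbstractHttpConfigurer::disable)
            // Disabled on the assumption that only non-browser clients call the
            // API. Browsers resend cached Basic credentials automatically, so
            // keep CSRF protection on if browsers are clients.
            .csrf(AbstractHttpConfigurer::disable);
        // Left at their defaults: the security-context filter
        // (SecurityContextHolderFilter in 6.x), securityContextHolderAwareRequestFilter,
        // anonymousAuthenticationFilter and exceptionTranslationFilter.
        // Form login, remember-me and concurrent-session control are never
        // enabled here, so their filters are not registered.
        return http.build();
    }
}
```

Setting the log level of org.springframework.security to DEBUG prints the resulting filter list at startup, which lets you confirm that only the intended filters are present.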