如何阻止spring FilterRegistrationBean在/ *上注册我的过滤器

时间:2014-07-15 14:43:04

标签: spring spring-mvc spring-security servlet-filters spring-boot

我使用的是spring-boot,我已经声明了一个像这样的过滤器:

public static class ZeroLeggedOAuthProviderProcessingFilter extends ProtectedResourceProcessingFilter {
    ZeroLeggedOAuthProviderProcessingFilter(LTIConsumerDetailsService ltiConsumerDetailsService, LTIOAuthNonceServices ltioAuthNonceServices, OAuthProcessingFilterEntryPoint oAuthProcessingFilterEntryPoint, OAuthAuthenticationHandler oAuthAuthenticationHandler, OAuthProviderTokenServices oauthProviderTokenServices) {
        super();
        log.info("CONSTRUCT Zero Legged OAuth provider");
        setAuthenticationEntryPoint(oAuthProcessingFilterEntryPoint);
        setAuthHandler(oAuthAuthenticationHandler);
        setConsumerDetailsService(ltiConsumerDetailsService);
        setNonceServices(ltioAuthNonceServices);
        setTokenServices(oauthProviderTokenServices);
        //setIgnoreMissingCredentials(false); // die if OAuth params are not included
    }
}

@Bean(name = "zeroLeggedOAuthProviderProcessingFilter")
public ZeroLeggedOAuthProviderProcessingFilter oauthProviderProcessingFilter() {
    return new ZeroLeggedOAuthProviderProcessingFilter(oauthConsumerDetailsService, oauthNonceServices, oauthAuthenticationEntryPoint(), oauthAuthenticationHandler, oauthProviderTokenServices());
}

我将这个过滤器应用于这样的单一路径(这似乎有效):

@Configuration
@Order(1) // HIGHEST
public static class OAuthSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Autowired
    ZeroLeggedOAuthProviderProcessingFilter oauthProviderProcessingFilter;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // filters must be ordered: see http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/apidocs/org/springframework/security/config/annotation/web/HttpSecurityBuilder.html#addFilter%28javax.servlet.Filter%29
        http.antMatcher("/oauth/**")
                .addFilterBefore(oauthProviderProcessingFilter, UsernamePasswordAuthenticationFilter.class)
                .authorizeRequests().anyRequest().hasRole("OAUTH");
    }
}

然而,它最终被应用于所有路径,我认为这是因为正在发生一些自动注册(基于此在日志中)。

  

o.s.b.c.embedded.FilterRegistrationBean:映射过滤器:   ' zeroLeggedOAuthProviderProcessingFilter'致:[/ *]

有没有办法阻止我的过滤器自动注册?

1 个答案:

答案 0 :(得分:2)

我最终以这种方式解决它(因为FilterRegistrationBean引起了其他问题)。

我的过滤器定义:

public static class ZeroLeggedOAuthProviderProcessingFilter extends ProtectedResourceProcessingFilter {
    ZeroLeggedOAuthProviderProcessingFilter(LTIConsumerDetailsService ltiConsumerDetailsService, LTIOAuthNonceServices ltioAuthNonceServices, OAuthProcessingFilterEntryPoint oAuthProcessingFilterEntryPoint, OAuthAuthenticationHandler oAuthAuthenticationHandler, OAuthProviderTokenServices oauthProviderTokenServices) {
        super();
        log.info("CONSTRUCT Zero Legged OAuth provider");
        setAuthenticationEntryPoint(oAuthProcessingFilterEntryPoint);
        setAuthHandler(oAuthAuthenticationHandler);
        setConsumerDetailsService(ltiConsumerDetailsService);
        setNonceServices(ltioAuthNonceServices);
        setTokenServices(oauthProviderTokenServices);
        //setIgnoreMissingCredentials(false); // die if OAuth params are not included
    }
}

我的http配置仅将该过滤器应用于oauth路径:

@Configuration
@Order(1) // HIGHEST
public static class OAuthSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    private ZeroLeggedOAuthProviderProcessingFilter zeroLeggedOAuthProviderProcessingFilter;
    @Autowired
    LTIConsumerDetailsService oauthConsumerDetailsService;
    @Autowired
    LTIOAuthNonceServices oauthNonceServices;
    @Autowired
    OAuthAuthenticationHandler oauthAuthenticationHandler;
    @Autowired
    OAuthProcessingFilterEntryPoint oauthProcessingFilterEntryPoint;
    @Autowired
    OAuthProviderTokenServices oauthProviderTokenServices;

    @PostConstruct
    public void init() {
        zeroLeggedOAuthProviderProcessingFilter = new ZeroLeggedOAuthProviderProcessingFilter(oauthConsumerDetailsService, oauthNonceServices, oauthProcessingFilterEntryPoint, oauthAuthenticationHandler, oauthProviderTokenServices);
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // added filters must be ordered: see http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/apidocs/org/springframework/security/config/annotation/web/HttpSecurityBuilder.html#addFilter%28javax.servlet.Filter%29
        http.antMatcher("/oauth/**")
                .addFilterBefore(zeroLeggedOAuthProviderProcessingFilter, UsernamePasswordAuthenticationFilter.class)
                .authorizeRequests().anyRequest().hasRole("OAUTH");
    }
}

这也解决了我在过滤器出现在安全过滤器之前的另一个问题(导致其他问题),所以我认为这是最好的解决方案。我希望有一些机制可以告诉spring忽略全局过滤器列表中的过滤器,但这同时起作用,因为它不存在。

相关问题
最新问题