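Spring Security: multiple HttpSecurity contexts and custom filters

Time: 2016-08-17 17:13:36

Tags: java spring spring-security

I am using Spring Security with multiple HTTP security contexts.

The problem is that I cannot create an independent filter chain for each HttpSecurity context. On every request (for /oldapi or /newapi), both filters (oldDeviceApiAuthFilter and newApiDeviceAuthFilter) are invoked.

I need two independent filters:

  • For /oldapi/**: only oldDeviceApiAuthFilter
  • For /newapi/**: only newApiDeviceAuthFilter

So, is it possible?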

WebSecurityConfig.java:

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {

    // Device legacy API
    @Configuration
    @Order(30)
    public static class OldApiSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        private final XmlRpcDeviceApiAuthFilter oldDeviceApiAuthFilter;
        @Autowired
        public OldApiSecurityConfigurationAdapter(XmlRpcDeviceApiAuthFilter oldDeviceApiAuthFilter) {
            this.oldDeviceApiAuthFilter = oldDeviceApiAuthFilter;
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .antMatcher("/oldapi/**")
                    .addFilterBefore(oldDeviceApiAuthFilter, UsernamePasswordAuthenticationFilter.class)
                    .authorizeRequests()
                    .anyRequest().permitAll()
                    .and().csrf().disable()
            ;
        }
    }

    // Device new API
    @Configuration
    @Order(40)
    public static class NewApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        private final NewApiDeviceAuthFilter newApiDeviceAuthFilter;
        @Autowired
        public NewApiWebSecurityConfigurationAdapter(NewApiDeviceAuthFilter newApiDeviceAuthFilter) {
            this.newApiDeviceAuthFilter = newApiDeviceAuthFilter;
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .antMatcher("/newapi/**")
                    .addFilterBefore(newApiDeviceAuthFilter, UsernamePasswordAuthenticationFilter.class)
                    .authorizeRequests()
                    .anyRequest().permitAll()
                    .and().csrf().disable()
            ;
        }
    }

}

Update

After enabling debug, I see the following filter chain for requests to /oldapi/:

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  XmlRpcDeviceApiAuthFilter  <- ONLY ONE FILTER
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

But when I set a breakpoint in newApiDeviceAuthFilter, I see that both filters handle requests to /oldapi/ and /newapi/:

NewApiDeviceAuthFilter.java:

@Component
public class NewApiDeviceAuthFilter extends GenericFilterBean{

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        Boolean myTest = true; // <-- BREAKPOINT HERE ALWAYS WORK
        chain.doFilter(request, response); 
    }
}

0 answers:

No answers
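
Added example, not part of the original post: the debug output above lists only one custom filter in the /oldapi/** security chain, yet both filters run. If the application runs on Spring Boot (an assumption; the post does not say so), every Filter bean, including these @Component filters, is also registered with the servlet container for all URLs. The configuration below (class and method names are hypothetical; Spring Boot 2.x assumed) turns that automatic registration off so each filter runs only inside the HttpSecurity chain it was added to.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example. Assumes Spring Boot 2.x; XmlRpcDeviceApiAuthFilter and
// NewApiDeviceAuthFilter are the @Component filters from the post.
// The class name and bean method names are hypothetical.
@Configuration
public class DeviceFilterRegistrationConfig {

    // The filter stays a Spring bean, so it can still be injected into
    // OldApiSecurityConfigurationAdapter, but the servlet container no
    // longer maps it to every request.
    @Bean
    public FilterRegistrationBean<XmlRpcDeviceApiAuthFilter> oldDeviceApiAuthFilterRegistration(
            XmlRpcDeviceApiAuthFilter filter) {
        FilterRegistrationBean<XmlRpcDeviceApiAuthFilter> registration =
                new FilterRegistrationBean<>(filter);
        registration.setEnabled(false); // skip container-level registration
        return registration;
    }

    // Same treatment for the new API filter, which is then reached only
    // through the /newapi/** chain configured with antMatcher(...).
    @Bean
    public FilterRegistrationBean<NewApiDeviceAuthFilter> newApiDeviceAuthFilterRegistration(
            NewApiDeviceAuthFilter filter) {
        FilterRegistrationBean<NewApiDeviceAuthFilter> registration =
                new FilterRegistrationBean<>(filter);
        registration.setEnabled(false); // skip container-level registration
        return registration;
    }
}
```

With this in place, the breakpoint in NewApiDeviceAuthFilter should be hit only for /newapi/** requests, and the debug chain listing for each path should still show its single device filter. On Spring Boot 1.4 or later 1.x releases the same class exists without the type parameter.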