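Getting request parameters in a Spring Security Filter

Time: 2019-12-17 21:24:45

Tags: spring spring-boot spring-security

Can someone help me get a request parameter in the HttpSecurity configure method of WebSecurityConfig? In the case below, I need to extract the acr=loa3 request parameter from the request.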

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .maximumSessions(1)
            .expiredUrl(this.uiUri + "/expired")
            .maxSessionsPreventsLogin(true)
            .and()
            .invalidSessionUrl(this.uiUri + "/expired")
            .and()
            .csrf().disable().cors()
            .and()       
            .authorizeRequests()
            .antMatchers("/expired").permitAll()
            .anyRequest().authenticated()
            .and()
// Can someone help me here on how to extract the request param coming in the URL, for example xyz.com/login?acr=loa3 ? I need to send that as the acr value before the configureOIDCfilter executes
            .addFilterBefore(configureOIDCfilter(http, acrValue), 
                             AbstractPreAuthenticatedProcessingFilter.class)
            .exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint(this.redirectUri));
    }

    // Bean method moved inside the configuration class so that it compiles.
    @Bean
    public OIDCAuthenticationFilter configureOIDCfilter(HttpSecurity http, String acrValue) throws Exception {
        OIDCAuthenticationFilter filter = new OIDCAuthenticationFilter();
        StaticSingleIssuerService issuerService = new StaticSingleIssuerService();
        issuerService.setIssuer(issuerUrl);
        filter.setServerConfigurationService(new DynamicServerConfigurationService());
        StaticClientConfigurationService clientService = new StaticClientConfigurationService();
        RegisteredClient client = new RegisteredClient();
        client.setClientId(clientId);
        client.setDefaultACRvalues(ImmutableSet.of(acrValue));
        return filter;
    }
}

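1 Answer:

Answer 0: (score: 0)

What you show in your code is configuration. It is done at startup time, and no request parameters can be captured at that point. However, if you need to do something per request, you may want to implement a filter, as I wrote about in my recent blog post.

You can extend from a filter like this: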

public class MyAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    public MyAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.setAuthenticationManager(authenticationManager);
    }
}

Then, try to find the method to override. For example:

public Authentication attemptAuthentication(HttpServletRequest request,
        HttpServletResponse response) throws AuthenticationException {
...
}

In the method above, you have access to the HTTP request parameters.

This filter also needs to be added to your configuration:

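@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The filter's constructor takes an AuthenticationManager;
        // authenticationManager() is inherited from WebSecurityConfigurerAdapter.
        http.addFilter(new MyAuthenticationFilter(authenticationManager()));
    }
}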

The filter will be called for any request, and this is the only way to receive request parameters (as far as I know).
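
A per-request way to read the acr parameter from the question, written as an added example that is not part of the original question or answer. The class name AcrParameterFilter, the attribute name, the default value and the allow-list entry "loa2" are assumptions made for illustration; only "loa3" appears on the page.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (hypothetical class): reads "acr" on each request instead of at startup.
// Register it in configure(HttpSecurity), for example with
// http.addFilterBefore(new AcrParameterFilter(), AbstractPreAuthenticatedProcessingFilter.class)
public class AcrParameterFilter extends OncePerRequestFilter {

    // Hypothetical request attribute under which later filters can find the value.
    public static final String ACR_ATTRIBUTE = "requested.acr";

    // Assumed allow-list; only "loa3" comes from the page.
    private static final Set<String> ALLOWED_ACR =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("loa2", "loa3")));

    // Assumed default used when the parameter is absent.
    private static final String DEFAULT_ACR = "loa3";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String acr = request.getParameter("acr");
        if (acr == null || acr.isEmpty()) {
            acr = DEFAULT_ACR;
        } else if (!ALLOWED_ACR.contains(acr)) {
            // The parameter is client-controlled: reject unknown values
            // rather than forwarding them to the identity provider.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unsupported acr value");
            return;
        }
        // Make the validated value available to filters later in the chain.
        request.setAttribute(ACR_ATTRIBUTE, acr);
        chain.doFilter(request, response);
    }
}
```

Because the caller chooses the parameter, the value requested here is only a hint to the identity provider; the acr claim in the returned ID token is what shows which level was actually used.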