我正在开发Spring Boot应用程序,并使用Spring Security来保护我的应用程序。我创建了一个自定义过滤器,我想在UsernamePasswordAuthenticationFilter之后添加它。我使用HttpSecurity.addFilterAfter方法来执行此操作。
但是,我的过滤器从未被调用。请您帮助我。码:
MultiSessionCustomLMSFilter.java
public class MultiSessionCustomLMSFilter extends GenericFilterBean { private final static Logger log = LoggerFactory.getLogger(MultiSessionCustomLMSFilter.class); @Autowired private UserLoginLogRepository userLoginLogRepository; private ObjectMapper mapper; @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { log.debug("Inside doFilter of MultipleSessionFilter"); //CUSTOM APP SPECIFIC LOGIC GOES IN HERE } }
WebSecurityConfig.java
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { public static final String JWT_TOKEN_HEADER_PARAM = "X-Authorization"; public static final String FORM_BASED_LOGIN_ENTRY_POINT = "/api/auth/login"; public static final String CSRF_ENTRY_POINT = "/api/auth/login/csrf"; public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/api/**"; public static final String TOKEN_REFRESH_ENTRY_POINT = "/api/auth/token"; @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint; @Autowired private AuthenticationSuccessHandler successHandler; @Autowired private AuthenticationFailureHandler failureHandler; @Autowired private LoginAuthenticationProvider loginAuthenticationProvider; @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider; @Autowired private TokenExtractor tokenExtractor; @Autowired private AuthenticationManager authenticationManager; @Autowired private ObjectMapper objectMapper; @Autowired private JwtTokenFactory jwtTokenFactory; protected LoginProcessingFilter buildAjaxLoginProcessingFilter() throws Exception { LoginProcessingFilter filter = new LoginProcessingFilter(FORM_BASED_LOGIN_ENTRY_POINT, successHandler, failureHandler, objectMapper); filter.setAuthenticationManager(this.authenticationManager); return filter; } protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter() throws Exception { List<String> pathsToSkip = Arrays.asList(TOKEN_REFRESH_ENTRY_POINT,FORM_BASED_LOGIN_ENTRY_POINT, CSRF_ENTRY_POINT); SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, TOKEN_BASED_AUTH_ENTRY_POINT); JwtTokenAuthenticationProcessingFilter filter = new JwtTokenAuthenticationProcessingFilter(failureHandler, tokenExtractor, matcher,objectMapper,jwtTokenFactory); filter.setAuthenticationManager(this.authenticationManager); return filter; } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(AuthenticationManagerBuilder auth) { auth.authenticationProvider(loginAuthenticationProvider); auth.authenticationProvider(jwtAuthenticationProvider); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .exceptionHandling() .authenticationEntryPoint(this.authenticationEntryPoint) .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() .antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll() // Token refresh end-point .antMatchers(CSRF_ENTRY_POINT).permitAll() // .antMatchers(MIQA_FORUM_ENTRY_POINT).permitAll() .and() .authorizeRequests() .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated() // Protected API End-points .and().cors().and() .addFilterBefore(buildAjaxLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class) .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class) .addFilterAfter(new MultiSessionCustomLMSFilter(),UsernamePasswordAuthenticationFilter.class); }
引导期间调用过滤器时的应用程序日志:
Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@a457c2b, org.springframework.security.web.context.SecurityContextPersistenceFilter@464aeb09, org.springframework.security.web.header.HeaderWriterFilter@32da97fd, org.springframework.web.filter.CorsFilter@16a6dc21, org.springframework.security.web.authentication.logout.LogoutFilter@c0c8f96, com.egmat.lms.security.auth.login.LoginProcessingFilter@5773d271, com.egmat.lms.security.auth.jwt.JwtTokenAuthenticationProcessingFilter@59f45950, com.egmat.lms.security.MultiSessionCustomLMSFilter@7871d261, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@59d6642a, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@288728e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@58164e9a, org.springframework.security.web.session.SessionManagementFilter@4aa22cc2, org.springframework.security.web.access.ExceptionTranslationFilter@e01a26b, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@5c70d7f0]
是LoginProcessingFilter并JwtTokenAuthenticationProcessingFilter继续过滤链吗?
LoginProcessingFilter
JwtTokenAuthenticationProcessingFilter
过滤器需要执行以下操作来继续过滤器链:
chain.doFilter(request, response);
