Spring Security为我们提供了很多Filter,当然可配置是否加载这些Filter(本篇基于Spring Security5.0.4)。也可自定义Filter。
一、Spring Security提供的默认Filter
当不弃用任何过滤器时,Spring Security默认的过滤器集合如下图:
当我们配置不适用CSRF过滤器时,方式如下:
http.formLogin() //表单登录
.loginPage("/logintype") //如果需要身份认证则跳转到这里
.loginProcessingUrl("/login")
.successHandler(evolutionaryAuthenticationHandler)
.failureHandler(evolutionaryAuthenticationFailureHandler)
.and()
.authorizeRequests()
.antMatchers("/logintype",securityProperties.getBrower().getLoginPage())//不校验我们配置的登录页面
.permitAll()
.anyRequest()
.authenticated()
.and().csrf().disable();
其过滤器集合如下图:
二、自定义Filter
从上篇文章,看到很多类都继承自GenericFilterBean,而GenericFilterBean是Filter的实现类。所以,自定义Filter可以继承自GenericFilterBean:
public class BeforeLoginFilter extends GenericFilterBean {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
System.out.println("This is a filter before UsernamePasswordAuthenticationFilter.");
// 继续调用 Filter 链
filterChain.doFilter(servletRequest, servletResponse);
}
}
配置自定义Filter在Spring Security过滤链中的位置:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/user/**").hasRole("USER")
.and()
.formLogin().loginPage("/login").defaultSuccessUrl("/user")
.and()
.logout().logoutUrl("/logout").logoutSuccessUrl("/login");
// 在 UsernamePasswordAuthenticationFilter 前添加 BeforeLoginFilter
http.addFilterBefore(new BeforeLoginFilter(), UsernamePasswordAuthenticationFilter.class);
// 在 CsrfFilter 后添加 AfterCsrfFilter
http.addFilterAfter(new AfterCsrfFilter(), CsrfFilter.class);
}
HttpSecurity有三个常用方法来配置:
- addFilterBefore(Filter filter, Class<? extends Filter> beforeFilter)在 beforeFilter 之前添加 filter
- addFilterAfter(Filter filter, Class<? extends Filter> afterFilter)在 afterFilter 之后添加 filter
- addFilterAt(Filter filter, Class<? extends Filter> atFilter)在 atFilter 相同位置添加 filter, 此 filter 不覆盖 filter