Java Servlet Filter: I have to add headers before passing to the chain, documentation says otherwise

Tags: java servlets filter

We are currently working on adding headers to every response from our application. To add these headers, we use the Servlet API's Filter interface.

We have the following filter in our application:

public class SecurityFilter implements Filter
{
    @Override
    public void init(FilterConfig filterConfig) throws ServletException
    {

    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
    {
        chain.doFilter(request, response);

        HttpServletResponse httpServletResponse = ((HttpServletResponse) response);
        httpServletResponse.addHeader("X-Frame-Options", "DENY");
        httpServletResponse.addHeader("X-Content-Type-Options", "nosniff");
    }

    @Override
    public void destroy()
    {

    }
}

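This (the doFilter method in particular) is implemented correctly according to the documentation, which suggests the following order of work: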

  1. Examine the request
  2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
  3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
  4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
     b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
  5. Directly set headers on the response after invocation of the next entity in the filter chain.

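As far as we can tell, the order of our doFilter method is correct according to the documentation (first pass the request on to the chain, as stated in point 4, then add the custom headers, as stated in point 5). However, the headers we add are not visible in the response. If we change the order to the following, everything seems to work fine: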

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
{
    HttpServletResponse httpServletResponse = ((HttpServletResponse) response);
    httpServletResponse.addHeader("X-Frame-Options", "DENY");
    httpServletResponse.addHeader("X-Content-Type-Options", "nosniff");

    chain.doFilter(request, response);
}

Can anyone explain this behaviour?

Best answer

If you want to add something after chain.doFilter(..), Oracle tells you to wrap the response before passing it down the chain:

Note that if you want to preprocess the request object or postprocess the response object, you cannot directly manipulate the original request or response object. You must use wrappers. When postprocessing a response, for example, the target servlet has already completed and the response could already be committed by the time a filter would have a chance to do anything with the response. You must pass a response wrapper instead of the original response in the chain doFilter() call. See "Using a Filter to Wrap and Alter the Request or Response".

http://docs.oracle.com/cd/B32110_01/web.1013/b28959/filters.htm#BCFCIHAH
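An added example, not part of the original question or answer: a filter that sets the two headers from the question before the response can be committed, and passes a response wrapper down the chain so downstream code cannot overwrite or duplicate them. The class names `SecurityHeadersFilter` and `LockedHeaders` are hypothetical, and the `javax.servlet` API is assumed.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; class names are hypothetical, javax.servlet API assumed.
public class SecurityHeadersFilter implements Filter {
    // Header names and values taken from the question.
    private static final String[][] HEADERS = {
        {"X-Frame-Options", "DENY"},
        {"X-Content-Type-Options", "nosniff"},
    };

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) response;
        // Set the headers while the response is still uncommitted. Once the
        // target servlet has flushed its output, header changes are ignored.
        for (String[] h : HEADERS) {
            http.setHeader(h[0], h[1]);
        }
        // Hand a wrapper to the rest of the chain instead of the original response.
        chain.doFilter(request, new LockedHeaders(http));
    }

    // Drops downstream attempts to set or add the protected headers.
    private static final class LockedHeaders extends HttpServletResponseWrapper {
        LockedHeaders(HttpServletResponse response) { super(response); }

        private static boolean locked(String name) {
            for (String[] h : HEADERS) {
                if (h[0].equalsIgnoreCase(name)) return true; // header names are case-insensitive
            }
            return false;
        }

        @Override public void setHeader(String name, String value) {
            if (!locked(name)) super.setHeader(name, value);
        }

        @Override public void addHeader(String name, String value) {
            if (!locked(name)) super.addHeader(name, value);
        }
    }
}
```

A downstream call to `reset()` on an uncommitted response still clears all headers, so a stricter wrapper would also override `reset()` and re-apply them.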

Regarding "Java Servlet Filter: I have to add headers before passing to the chain, documentation says otherwise", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/30343563/
