我有一个带有多个初始化程序的 Spring web-mvc REST 服务。
WebAppInitializer.java
@Order(1)
public class MyFiltersInitializer implements WebApplicationInitializer {
@Override
public void onStartup(ServletContext servletContext) {
FilterRegistration.Dynamic registration = servletContext.addFilter("myRequestFilter", DelegatingFilterProxy.class);
// register other filters and DispatcherServlet
}
}
SecurityWebAppInitializer.java
@Order(2)
public class MySecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
@Override
protected Set<SessionTrackingMode> getSessionTrackingModes() {
return EnumSet.of(SessionTrackingMode.COOKIE, SessionTrackingMode.URL);
}
}
如您所见,SecurityFilterChain 被添加到所有自定义请求过滤器之后。我需要做的是记录每个请求,如果请求被授权,则包含User进行记录
类似于MyRequestFilter.java:
@Slf4j
public class RequestFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(final HttpServletRequest request,
final HttpServletResponse response,
final FilterChain filterChain) throws ServletException, IOException {
MyUser user = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); //no auth yet
log.debug("request {} start, user {}", request, user);
filterChain.doFilter(request, response); //may return 401 or 403, what also need to be logged
log.debug("request {} end with response {}", request, response);
}
有一个想法是添加一个LogBodyHolder,它保持日志主体直到SecurityChain完全通过,然后调用log.debug。但是有什么漂亮的方法可以解决这个问题吗?
最佳答案
您可以只创建一个 Spring Bean,它扩展了 Spring 提供的 AbstractRequestLoggingFilter 类,然后覆盖 beforeRequest() 和 afterRequest() 方法来添加你的日志。
关于java - Spring FilterChain + 安全 : log request with user or not,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/53871341/