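In the authorization server, a custom BasicAuthenticationFilter needs to be added because of some manipulation of the client ID. Most of the implementation is the same as BasicAuthenticationFilter. The following is a snippet of it: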
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {
        ...
        ...
        String username = someDecoder(tokens[0]); // Kind of something
        ...
        ...
    }
My custom filter is placed before BasicAuthenticationFilter in the filter chain.
    http.addFilterBefore(new CustomBasicAuthenticationFilter(authenticationManager(), authenticationEntryPoint()),
            BasicAuthenticationFilter.class);
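This custom filter works great and the user is successfully authenticated. But because BasicAuthenticationFilter is still present in the chain, that filter is also executed and tries to authenticate the user again, and fails because the client credentials have not been manipulated. Refer to BasicAuthenticationFilter-GitHub.
So, to remove/disable BasicAuthenticationFilter from the filter chain, I followed this SOQ, which suggests using a BeanPostProcessor. But in Spring Boot the filter chain is registered with the bean name springSecurityFilterChain and the class FilterChainProxy, and FilterChainProxy-GitHub returns an unmodifiable list of SecurityFilterChain. So it is not possible to alter the FilterChainProxy bean.
So how can I achieve this, or is there any other way to remove/disable BasicAuthenticationFilter or any other filter from the Spring Security filter chain?
Using Spring Boot 1.5.1 and Spring Security OAuth2 2.0.12.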
Best answer
I think you can use another answer: https://stackoverflow.com/a/28428154/2648577
---->>> This is a copy/paste (with the filter name changed).
By default Spring Boot creates a FilterRegistrationBean for every Filter in the application context for which a FilterRegistrationBean doesn't already exist. This allows you to take control of the registration process, including disabling registration, by declaring your own FilterRegistrationBean for the Filter. For your BasicAuthenticationFilter the required configuration would look like this:

    @Bean
    public FilterRegistrationBean registration(BasicAuthenticationFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }

You may also be interested in this Spring Boot issue which discusses how to disable the automatic registration of Filter and Servlet beans.
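
An alternative to removing the filter, added here as an example and not taken from the question or the answer: the custom filter only rewrites the Authorization header and leaves the single authentication to the stock BasicAuthenticationFilter, which then no longer sees unmanipulated client credentials. ClientIdRewritingFilter and normalizeClientId (a stand-in for the question's someDecoder) are hypothetical names; javax.servlet and Java 8 are assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (hypothetical class): rewrites the Basic credentials, authenticates nothing itself.
public class ClientIdRewritingFilter extends OncePerRequestFilter {
    // Hypothetical stand-in for the question's someDecoder(...).
    static String normalizeClientId(String raw) { return raw.trim(); }

    // Returns the rewritten header, or null if it is not well-formed Basic auth.
    static String rewrite(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        try {
            byte[] decoded = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(decoded, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':'); // first colon only: the secret may contain ':'
            if (colon < 0) return null;
            String fixed = normalizeClientId(pair.substring(0, colon)) + pair.substring(colon);
            return "Basic " + Base64.getEncoder().encodeToString(fixed.getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException malformedBase64) {
            return null; // pass through untouched; BasicAuthenticationFilter rejects it
        }
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        final String rewritten = rewrite(request.getHeader("Authorization"));
        if (rewritten == null) { chain.doFilter(request, response); return; }
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override public String getHeader(String name) {
                return "Authorization".equalsIgnoreCase(name) ? rewritten : super.getHeader(name);
            }
            @Override public Enumeration<String> getHeaders(String name) {
                return "Authorization".equalsIgnoreCase(name)
                        ? Collections.enumeration(Collections.singletonList(rewritten))
                        : super.getHeaders(name);
            }
        }, response);
    }
}
```

It is registered with the same http.addFilterBefore(..., BasicAuthenticationFilter.class) call the question uses, so credential checking stays in one place instead of being duplicated in the custom filter.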
About java - Spring Security OAuth2 disable BasicAuthenticationFilter from default filter chain, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/42297775/