java - Spring Security OAuth2 从默认过滤器链中禁用 BasicAuthenticationFilter

Question

在授权服务器中，由于对客户端 ID 的一些操作，需要添加自定义 BasicAuthenticationFilter。大多数实现与 BasicAuthenticationFilter 相同。以下是相同的片段，

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {
    ...
    ...
    String username = someDecoder(tokens[0]); // Kind of something
    ...
    ...
}

我的自定义过滤器放在过滤器链中的 BasicAuthenticationFilter 之前。

http.addFilterBefore(new CustomBasicAuthenticationFilter(authenticationManager(), authenticationEntryPoint()),
    BasicAuthenticationFilter.class);

这个自定义过滤器非常棒，用户也成功通过了身份验证。但是由于 BasicAuthenticationFilter 仍然存在于链中，这个过滤器也被执行并尝试再次验证用户但由于未操纵客户端凭据而失败。参见 BasicAuthenticationFilter-GitHub

因此，要从过滤器链中删除/禁用 BasicAuthenticationFilter，请遵循此 SOQ ，建议使用 BeanPostProcessor。但是在 Spring Boot 过滤器链中注册了 bean 名称 springSecurityFilterChain 和类 FilterChainProxy。作为FilterChainProxy-GitHub返回 SecurityFilterChain 的不可修改列表。所以接下来不可能改变 FilterChainProxy bean。

那么如何实现相同或任何其他方式来删除/禁用 BasicAuthenticationFilter 或 Spring Security 过滤器链中的任何其他过滤器。

使用 Spring Boot 1.5.1 和 Spring Security OAuth2 2.0.12

Answer 1

我认为您可以使用另一个答案:https://stackoverflow.com/a/28428154/2648577

---->>> 这是复制/粘贴(更改过滤器名称)。

By default Spring Boot creates a FilterRegistrationBean for every Filter in the application context for which a FilterRegistrationBean doesn't already exist. This allows you to take control of the registration process, including disabling registration, by declaring your own FilterRegistrationBean for the Filter. For your BasicAuthenticationFilter the required configuration would look like this:

@Bean
public FilterRegistrationBean registration(BasicAuthenticationFilter filter) {
  FilterRegistrationBean registration = new FilterRegistrationBean(filter);
  registration.setEnabled(false);
  return registration;
}

You may also be interested in this Spring Boot issue which discusses how to disable the automatic registration of Filter and Servlet beans.