java - Spring Security addFilterAfter 未注册过滤器

Question

我正在开发一个 Spring Boot 应用程序，并使用 Spring Security 来保护我的应用程序。我创建了一个自定义过滤器，我想将其添加到 UsernamePasswordAuthenticationFilter 之后。我使用 HttpSecurity.addFilterAfter 方法来执行此操作。

但是，我的过滤器从未被调用。请求你帮我解决这个问题。代码:

MultiSessionCustomLMSFilter.java

public class MultiSessionCustomLMSFilter extends GenericFilterBean {

private final static Logger log = LoggerFactory.getLogger(MultiSessionCustomLMSFilter.class);

@Autowired private UserLoginLogRepository userLoginLogRepository;
private ObjectMapper mapper;

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)   throws IOException, ServletException {
    log.debug("Inside doFilter of MultipleSessionFilter");
    //CUSTOM APP SPECIFIC LOGIC GOES IN HERE
    }
}

WebSecurityConfig.java

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    public static final String JWT_TOKEN_HEADER_PARAM = "X-Authorization";
    public static final String FORM_BASED_LOGIN_ENTRY_POINT = "/api/auth/login";
    public static final String CSRF_ENTRY_POINT = "/api/auth/login/csrf";
    public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/api/**";
    public static final String TOKEN_REFRESH_ENTRY_POINT = "/api/auth/token";

    @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint;
    @Autowired private AuthenticationSuccessHandler successHandler;
    @Autowired private AuthenticationFailureHandler failureHandler;
    @Autowired private LoginAuthenticationProvider loginAuthenticationProvider;
    @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;

    @Autowired private TokenExtractor tokenExtractor;

    @Autowired private AuthenticationManager authenticationManager;

    @Autowired private ObjectMapper objectMapper;

    @Autowired private JwtTokenFactory jwtTokenFactory;

    protected LoginProcessingFilter buildAjaxLoginProcessingFilter() throws Exception {
        LoginProcessingFilter filter = new LoginProcessingFilter(FORM_BASED_LOGIN_ENTRY_POINT, successHandler, failureHandler, objectMapper);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter() throws Exception {
        List<String> pathsToSkip = Arrays.asList(TOKEN_REFRESH_ENTRY_POINT,FORM_BASED_LOGIN_ENTRY_POINT, CSRF_ENTRY_POINT);
        SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, TOKEN_BASED_AUTH_ENTRY_POINT);
        JwtTokenAuthenticationProcessingFilter filter = new JwtTokenAuthenticationProcessingFilter(failureHandler, tokenExtractor, matcher,objectMapper,jwtTokenFactory);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(loginAuthenticationProvider);
        auth.authenticationProvider(jwtAuthenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
        .exceptionHandling()
        .authenticationEntryPoint(this.authenticationEntryPoint)

        .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

        .and()
            .authorizeRequests()
                .antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll() // Token refresh end-point
                .antMatchers(CSRF_ENTRY_POINT).permitAll()
//              .antMatchers(MIQA_FORUM_ENTRY_POINT).permitAll()
        .and()
            .authorizeRequests()
                .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated() // Protected API End-points
        .and().cors().and()
            .addFilterBefore(buildAjaxLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilterAfter(new MultiSessionCustomLMSFilter(),UsernamePasswordAuthenticationFilter.class);

    }

启动期间调用过滤器时的应用程序日志:

    Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1,
 [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@a457c2b,
 org.springframework.security.web.context.SecurityContextPersistenceFilter@464aeb09,
 org.springframework.security.web.header.HeaderWriterFilter@32da97fd,
 org.springframework.web.filter.CorsFilter@16a6dc21,
 org.springframework.security.web.authentication.logout.LogoutFilter@c0c8f96,
 com.egmat.lms.security.auth.login.LoginProcessingFilter@5773d271,
 com.egmat.lms.security.auth.jwt.JwtTokenAuthenticationProcessingFilter@59f45950,
 com.egmat.lms.security.MultiSessionCustomLMSFilter@7871d261,
 org.springframework.security.web.savedrequest.RequestCacheAwareFilter@59d6642a,
 org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@288728e,
 org.springframework.security.web.authentication.AnonymousAuthenticationFilter@58164e9a,
 org.springframework.security.web.session.SessionManagementFilter@4aa22cc2,
 org.springframework.security.web.access.ExceptionTranslationFilter@e01a26b,
 org.springframework.security.web.access.intercept.FilterSecurityInterceptor@5c70d7f0]

Answer 1

LoginProcessingFilter 和 JwtTokenAuthenticationProcessingFilter 是否继续过滤器链？

之前的过滤器需要通过执行以下操作来继续过滤器链:

chain.doFilter(request, response);