I have several REST controllers, one of which is /api/test. Now, I have a MyCustomFilter class that extends OncePerRequestFilter.

public class SecurityConfig {
    private final UserServiceImplementation userServiceImplementation;
    private final JwtAuthFilter jwtAuthFilter;
    private final TimingFilter timingFilter;
    private final ApiRateLimit apiRateLimit;
    private final MyCustomFilter myCustomFilter;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public AuthenticationManager authenticationManagerBean(AuthenticationConfiguration configuration) throws Exception {
        return configuration.getAuthenticationManager();
    }

    @Bean
    public AuthenticationProvider authenticationProvider() {
        final DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userServiceImplementation);
        provider.setPasswordEncoder(passwordEncoder());
        return provider;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .cors(cors -> cors
                .configurationSource(request -> new CorsConfiguration().applyPermitDefaultValues()))
            .csrf(crsf -> crsf
                .disable())
            .authorizeHttpRequests(authz -> authz
                .requestMatchers(HttpMethod.GET, "/v1/user/hotel").permitAll()
                .requestMatchers(HttpMethod.GET, "/api/test").permitAll()
                .anyRequest().permitAll())
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint(new JwtAuthenticationEntryPoint()))
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        http.authenticationProvider(authenticationProvider());
        http.addFilterBefore(apiRateLimit, UsernamePasswordAuthenticationFilter.class);
        http.addFilterBefore(timingFilter, UsernamePasswordAuthenticationFilter.class);
        http.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
        http.addFilterBefore(myCustomFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}

@Component
public class MyCustomFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        System.out.println("My custom filter is called");
        filterChain.doFilter(request, response);
    }
}
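
Whenever I hit /v1/user/hotels or other endpoints, MyCustomFilter is applied to them as well. However, I only want to apply this filter to a specific endpoint, such as /api/test. How can I solve this?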
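
If Spring recognizes your filter during its component scan, the filter is automatically added to the basic SecurityFilterChain. If that is not what you want, you have to remove @Component from the filter and inject it into the chain manually: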

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    //...
    http.addFilterBefore(new MyCustomFilter(), UsernamePasswordAuthenticationFilter.class);
    return http.build();
}
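
An added example, not part of the original question or answer: the manual registration described above, combined with an override of OncePerRequestFilter's shouldNotFilter so the filter body runs only for /api/test. It assumes Spring Boot 3 with Spring Security 6 (jakarta.servlet, as in the question); FILTERED_PATH and ScopedFilterSecurityConfig are hypothetical names.

```java
// Added example, not the original poster's code. Assumes Spring Boot 3 / Spring Security 6
// (jakarta.servlet), matching the types visible in the question.
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// No @Component: the filter is not picked up by component scanning,
// so it only runs where it is added explicitly.
class MyCustomFilter extends OncePerRequestFilter {

    // Hypothetical constant: the only path this filter should handle.
    private static final String FILTERED_PATH = "/api/test";

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Path relative to the context root; skip everything except /api/test.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return !FILTERED_PATH.equals(path);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        System.out.println("My custom filter is called");
        filterChain.doFilter(request, response);
    }
}

@Configuration
class ScopedFilterSecurityConfig { // hypothetical name; stands in for SecurityConfig

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Other settings from the question (cors, csrf, authorizeHttpRequests, ...) omitted.
        http.addFilterBefore(new MyCustomFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

The comparison is an exact string match, so variants such as /api/test/ skip the filter. If the filter enforces a security control, match paths the same way the controller mapping does so a request cannot reach the handler without passing through it.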