2014-12-19 218 views
0

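Set cookie before the Spring Security filter chain

I want to set a referrer cookie, because I need to exclude certain pages (e.g. error, login, logout) in order to be able to redirect to the last called but not excluded page after login: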

public class CookieReferrerFilter extends OncePerRequestFilter { 
    public static final String REFERRER_COOKIE_NAME = "REFERRER"; 

    @Override 
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { 
     if (!isReferrerExcluded(request)) { 
      Cookie sessionCookie = new Cookie(REFERRER_COOKIE_NAME, request.getRequestURI()); 
      sessionCookie.setPath(!"".equals(request.getContextPath()) ? request.getContextPath() : "/"); 
      sessionCookie.setSecure(false); 
      sessionCookie.setMaxAge(-1); 

      response.addCookie(sessionCookie); 
     } 

     filterChain.doFilter(request, response); 
    } 

    private boolean isReferrerExcluded(HttpServletRequest request) { 
     for (String pattern : EXCLUDED_REFERRER) { 
      if (new AntPathRequestMatcher(pattern).matches(request)) { 
       return true; 
      } 
     } 

     return false; 
    } 
} 

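But the Spring Security filter chain is triggered before the CookieReferrerFilter. So calling a protected page redirects me immediately to the login page, without CookieReferrerFilter.doFilterInternal being called first and without the cookie being set.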

There is one class that configures the webapp (sets the configuration classes, mappings, filters) and extends AbstractAnnotationConfigDispatcherServletInitializer

public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer { 
    @Override 
    protected Class<?>[] getRootConfigClasses() { 
     return new Class[] { ApplicationContextConfig.class }; 
    } 

    @Override 
    protected Class<?>[] getServletConfigClasses() { 
     return null; 
    } 

    @Override 
    protected String[] getServletMappings() { 
     return new String[] { "/" }; 
    } 

    @Override 
    protected Filter[] getServletFilters() { 
     CookieReferrerFilter cookieReferrerFilter = new CookieReferrerFilter(); 

     CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter(); 
     characterEncodingFilter.setEncoding("UTF-8"); 
     characterEncodingFilter.setForceEncoding(true); 

     return new Filter[] { cookieReferrerFilter, characterEncodingFilter }; 
    } 
} 

and another that simply extends AbstractSecurityWebApplicationInitializer

public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer { 
} 
+0

[Security filter chain](http://docs.spring.io/spring-security/site/docs/3.0.x/reference/security-filter-chain.html) – 2014-12-19 08:32:35

Answers

3

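Assuming you are using Spring Security's Java-based configuration, you can let your filter be managed by Spring and add it at the beginning of the Spring Security filter chain (largely inspired by the example in the HttpSecurity javadoc, see the link below):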

@Configuration 
@EnableWebSecurity 
public class HttpSecurityConfig extends WebSecurityConfigurerAdapter { 

    @Autowired CookieReferrerFilter cookieFilter; 

    @Autowired CharacterEncodingFilter encodingFilter; 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http 
      .addFilterBefore(cookieFilter, ChannelProcessingFilter.class) 
      .addFilterBefore(encodingFilter, ChannelProcessingFilter.class) 
      //your configuration follows here 
      ; 
    } 
} 

See more about this at http://docs.spring.io/autorepo/docs/spring-security/current/apidocs/org/springframework/security/config/annotation/web/builders/HttpSecurity.html#addFilter(javax.servlet.Filter)
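The REFERRER cookie from the question is sent back by the browser, so its value is client-controlled by the time it is used for the post-login redirect. The following is an added example, not code from the question or the answer: a success handler that accepts the cookie only when it is a plain path inside the application. The class name `CookieReferrerSuccessHandler` and the helper `isLocalPath` are hypothetical; the base class is Spring Security's `SimpleUrlAuthenticationSuccessHandler`.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

// Added example (hypothetical class): uses the REFERRER cookie set by
// CookieReferrerFilter as the post-login target only if it is a local path.
public class CookieReferrerSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        String target = readReferrer(request);
        String contextPath = request.getContextPath();
        if (target == null || !isLocalPath(target, contextPath)) {
            return getDefaultTargetUrl(); // fall back to the configured default
        }
        // The filter stored getRequestURI(), which includes the context path;
        // the default redirect strategy prepends it again, so strip it here.
        String path = target.substring(contextPath.length());
        return path.isEmpty() ? "/" : path;
    }

    private static String readReferrer(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when no cookies were sent
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (CookieReferrerFilter.REFERRER_COOKIE_NAME.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }

    // Accept only "<contextPath>/..." with no scheme, "//", backslash or control characters.
    static boolean isLocalPath(String value, String contextPath) {
        if (!value.startsWith(contextPath + "/") && !value.equals(contextPath)) {
            return false;
        }
        if (value.contains("//") || value.contains("\\") || value.contains(":")) {
            return false;
        }
        for (char c : value.toCharArray()) {
            if (c < 0x20 || c == 0x7f) { return false; }
        }
        return true;
    }
}
```

It can be registered with `formLogin().successHandler(new CookieReferrerSuccessHandler())` in the `configure(HttpSecurity http)` method shown in the answer.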
