spring security添加自定义过滤器

1. 定义自己的过滤器
2. 指定位置，通过HttpSecurity的方法指定

定义过滤器

package com.qiudaozhang.springsecurity.filter;


import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class RequestHeadCheckFilter implements Filter {

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        var httpRequest = (HttpServletRequest) servletRequest;
        var httpResponse = (HttpServletResponse) servletResponse;
        String requestId = httpRequest.getHeader("Request-id");
        if(requestId == null || requestId.isBlank()) {
            httpResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        filterChain.doFilter(servletRequest,servletResponse);
    }
}

package com.qiudaozhang.springsecurity.filter;


import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class RequestParamCheckFilter implements Filter {

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        var httpRequest = (HttpServletRequest) servletRequest;
        var httpResponse = (HttpServletResponse) servletResponse;

        String timestamp = httpRequest.getParameter("timestamp");
        if(timestamp == null || timestamp.isBlank()) {
            httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        filterChain.doFilter(servletRequest,servletResponse);
    }
}

指定位置

HttpSecurity中有两个方法，指定过滤器的位置，一个指定在谁前面，一个指定在谁后面。

   public HttpSecurity addFilterAfter(Filter filter, Class<? extends Filter> afterFilter) {
       this.comparator.registerAfter(filter.getClass(), afterFilter);
       return this.addFilter(filter);
   }

   public HttpSecurity addFilterBefore(Filter filter, Class<? extends Filter> beforeFilter) {
       this.comparator.registerBefore(filter.getClass(), beforeFilter);
       return this.addFilter(filter);
   }

package com.qiudaozhang.springsecurity.config;

import com.qiudaozhang.springsecurity.filter.RequestHeadCheckFilter;
import com.qiudaozhang.springsecurity.filter.RequestParamCheckFilter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(
                new RequestHeadCheckFilter(),
                BasicAuthenticationFilter.class
        )
                .addFilterAfter(new RequestParamCheckFilter(),BasicAuthenticationFilter.class)
                .authorizeRequests()
                .anyRequest()
                .permitAll();
    }
}

测试

准备一个端点测试

package com.qiudaozhang.springsecurity.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    @GetMapping("hello")
    public String hello () {
        return "hello";
    }
}

当前没有传递timestamp参数，所以参照约定，过滤器直接给出403.

当前头部信息和参数信息都提供了，检测通过。

实际应用场景

• 检测相关的头部，参数等等信息
• 日志过滤器，将所有请求的相关数据记录下来
• 特殊的权限校验等等。