Original URL: http://stackoverflow.com/questions/10140515/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
spring-security - where can I find the list of ALL security filters registered when I use the <http> element?
Asked by Daud
There is a default set of filters registered when we use the <http> element in our xml file. This mentions the ordering of filters (whichever we choose to apply), and just above that, it mentions:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<sec:filter-chain pattern="/restful/**" filters="
securityContextPersistenceFilterWithASCFalse,
basicAuthenticationFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
<sec:filter-chain pattern="/**" filters="
securityContextPersistenceFilterWithASCTrue,
formLoginFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</list>
</constructor-arg>
</bean>
If the above is the list of default filters, then during debugging, I found that RequestCacheAwareFilter is also called. From where is this filter called and what is its position in the filter chain? In which condition is AnonymousAuthenticationFilter configured into the chain?
What's the default filter chain that's configured for me?
Edit: I have applicationContext.xml and springSecurity.xml. The following is my applicationContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context" xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd">
<context:annotation-config />
<context:spring-configured />
<!-- Make sure that the part of the file until "End of beans" is identical
to bean definitions in applicationContext.xml of the main application. -->
<bean id="adminService" class="org.daud.admin.server.AdminServiceImpl" />
<bean id="feedbackService" class="org.daud.feedback.server.FeedbackServiceImpl" />
<bean id="guideService" class="org.daud.guider.server.GuiderServiceImpl" />
<bean id="messageService" class="org.daud.messages.server.MessageServiceImpl" />
<bean id="wsService" class="org.daud.guider.server.WSServiceImpl" />
<bean id="jabxUtil" class="org.daud.common.server.services.JAXBUtil" />
<bean id="serviceAdvisor" class="org.daud.common.server.ServiceAdvisor" />
<bean id="userPreferences" class="org.daud.preferences.server.UserPreferencesServiceImpl" />
<bean id="dynamicClientFactory" class="org.apache.cxf.jaxws.endpoint.dynamic.JaxWsDynamicClientFactory" factory-method="newInstance" />
<!-- End of beans. -->
<!-- For testing. -->
<bean id="guiderClientService" class="org.daud.guider.server.GuiderClientServiceImpl" />
<bean id="entityManager" class="com.daud.jpa.DBUtil" factory-method="createEntityManager" lazy-init="true">
<constructor-arg value="bb-test" />
</bean>
<bean id="testUtil" class="com.daud.jpa.JPATestUtil" lazy-init="true">
<constructor-arg ref="entityManager" />
<constructor-arg value="org.daud" />
<constructor-arg value="fixtures" />
</bean>
</beans>
And this is my springSecurity.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd">
<aop:aspectj-autoproxy proxy-target-class="true" />
<beans:bean class="com.gwt.ss.GwtExceptionTranslator" />
<global-method-security secured-annotations="enabled" access-decision-manager-ref="methodSecurityAccessDecisionManager"/>
<http use-expressions="true" auto-config="false" disable-url-rewriting="true" access-decision-manager-ref="urlSecurityAccessDecisionManager">
<intercept-url pattern="/favicon.ico" filters="none" />
<intercept-url pattern="/login.jsp" filters="none" />
<!-- Allow access only to admins and superadmins for the following 2 url patterns -->
<intercept-url pattern="/do/admin/*" access="hasAdminStatus(3,4)" />
<intercept-url pattern="/admin/*" access="hasAdminStatus(3,4)" />
<intercept-url pattern="/**/*.html" access="isAuthenticated()" /> <!-- access="isAuthenticated()"-->
<intercept-url pattern="/do/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="switchUserProcessingFilter"/>
<form-login login-page="/login" login-processing-url="/do/login" authentication-failure-url="/login?authfailed=true" authentication-success-handler-ref="myAuthenticationSuccessHandler"/>
<!-- Using success-handler-ref instead of logout-success-url for asynchronous logout. -->
<logout invalidate-session="true" success-handler-ref="logoutSuccessHandler" logout-url="/do/logout" />
</http>
<beans:bean id="urlSecurityAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
<beans:property name="expressionHandler" ref="myWebSecurityExpressionHandler"/>
</beans:bean>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="myWebSecurityExpressionHandler" class="org.daud.common.server.security.MyWebSecurityExpressionHandler"/>
<beans:bean id="myWebSecurityExpressionRoot" class="org.daud.common.server.security.MyWebSecurityExpressionRoot" scope="prototype"/>
<!-- For asynchronous login -->
<beans:bean id="methodSecurityAccessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter" p:rolePrefix="" />
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
<beans:bean class="org.daud.common.server.security.AllowPrivilegedRolesVoter">
<beans:property name="privilegedRoleTypes">
<beans:set>
<beans:value>ROOT</beans:value>
</beans:set>
</beans:property>
</beans:bean>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean class="com.gwt.ss.GwtUsernamePasswordAuthority">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="myAuthenticationSuccessHandler" class="org.daud.common.server.security.myAuthenticationSuccessHandler">
<!-- If redirection after logging in is to URLs containing these strings, the redirection will instead be to '/' -->
<beans:property name="partialURLsRequiringRedirection">
<beans:list>
<beans:value>/do/</beans:value>
<beans:value>/exitUser</beans:value>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="userSwitchSuccessHandler" class="org.daud.common.server.security.myUserSwitchSuccessHandler"/>
<beans:bean id="userServices" class="org.daud.common.server.security.myUserServices"/>
<beans:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<beans:property name="userDetailsService" ref="userServices" />
<beans:property name="switchUserUrl" value="/admin/switchUser" />
<beans:property name="exitUserUrl" value="/admin/exitUser" />
<beans:property name="successHandler" ref="userSwitchSuccessHandler"></beans:property>
</beans:bean>
<!-- For asynchronous logout -->
<beans:bean id="logoutSuccessHandler" class="com.gwt.ss.GwtLogoutSuccessHandler" p:logoutSuccessUrl="/login" />
<beans:bean id="myAuthenticationProvider" class="org.daud.common.server.security.myAuthenticationProvider" />
<authentication-manager alias="authenticationManager">
<authentication-provider ref="myAuthenticationProvider" />
</authentication-manager>
</beans:beans>
Answer by Shaun the Sheep
Another thing you can do in Spring Security 3.1 is add
<sec:debug />
or
@EnableWebSecurity(debug = true)
to your application context. This adds an extra filter which will (amongst other things) report the list of security filters that will be applied to each request.
Answer by sourcedelica
If you turn on debug logging for org.springframework.security.web.FilterChainProxy you will see, for each request, every filter that it passes through.
For example (I am also using Spring Security OAuth):
11:18:39.123 FilterChainProxy - /user/login at position 1 of 17 in additional filter chain; firing Filter: 'BasicUserApprovalFilter'
11:18:39.123 FilterChainProxy - /user/login at position 2 of 17 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
11:18:39.124 FilterChainProxy - /user/login at position 3 of 17 in additional filter chain; firing Filter: 'LogoutFilter'
11:18:39.124 FilterChainProxy - /user/login at position 4 of 17 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
11:18:39.124 FilterChainProxy - /user/login at position 5 of 17 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
11:18:39.124 FilterChainProxy - /user/login at position 6 of 17 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
11:18:39.124 FilterChainProxy - /user/login at position 7 of 17 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
11:18:39.124 FilterChainProxy - /user/login at position 8 of 17 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
11:18:39.125 FilterChainProxy - /user/login at position 9 of 17 in additional filter chain; firing Filter: 'ForgotPasswordAuthenticationFilter'
11:18:39.125 FilterChainProxy - /user/login at position 10 of 17 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
11:18:39.125 FilterChainProxy - /user/login at position 11 of 17 in additional filter chain; firing Filter: 'SessionManagementFilter'
11:18:39.125 FilterChainProxy - /user/login at position 12 of 17 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
11:18:39.125 FilterChainProxy - /user/login at position 13 of 17 in additional filter chain; firing Filter: 'OAuth2ExceptionHandlerFilter'
11:18:39.125 FilterChainProxy - /user/login at position 14 of 17 in additional filter chain; firing Filter: 'VerificationCodeFilter'
11:18:39.125 FilterChainProxy - /user/login at position 15 of 17 in additional filter chain; firing Filter: 'OAuth2AuthorizationFilter'
11:18:39.125 FilterChainProxy - /user/login at position 16 of 17 in additional filter chain; firing Filter: 'OAuth2ProtectedResourceFilter'
11:18:39.125 FilterChainProxy - /user/login at position 17 of 17 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
If you want to get the filters programmatically you can inject the FilterChainProxy and get the filterChainMap's values.
For example:
@Autowired var filterChainProxy: FilterChainProxy = _
//...
val filterChains = filterChainProxy.getFilterChainMap.values
If you only want to see the filters that <http> adds then you should look at the source for HttpSecurityBeanDefinitionParser.
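Added example (not part of any answer on this page, and not Spring Security's own code): a Java bean that prints every filter chain held by the injected FilterChainProxy once the context has started, and flags chains that have no filters at all, since requests matching such a chain pass through without any Spring Security processing. It assumes Spring Security 3.1 or later (for getFilterChains()) on the javax.servlet API; the class name FilterChainDumper is hypothetical.

```java
import java.util.List;
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical helper: declare it as a bean in the same application
// context as the <http> / FilterChainProxy configuration.
public class FilterChainDumper implements ApplicationListener<ContextRefreshedEvent> {

    @Autowired
    private FilterChainProxy filterChainProxy;

    @Override
    public void onApplicationEvent(ContextRefreshedEvent event) {
        System.out.print(describe(filterChainProxy.getFilterChains()));
    }

    // Renders each chain in matching order with its filters in firing order.
    static String describe(List<SecurityFilterChain> chains) {
        StringBuilder out = new StringBuilder();
        int chainNo = 0;
        for (SecurityFilterChain chain : chains) {
            chainNo++;
            // DefaultSecurityFilterChain exposes the matcher (URL pattern) it was built with.
            String matcher = (chain instanceof DefaultSecurityFilterChain)
                    ? String.valueOf(((DefaultSecurityFilterChain) chain).getRequestMatcher())
                    : chain.getClass().getName();
            List<Filter> filters = chain.getFilters();
            out.append("chain ").append(chainNo).append(" [").append(matcher).append("]");
            if (filters.isEmpty()) {
                // An empty chain means no security filter runs for matching requests.
                out.append("  <-- NO FILTERS: matching requests bypass Spring Security\n");
                continue;
            }
            out.append('\n');
            int pos = 0;
            for (Filter f : filters) {
                pos++;
                out.append("  ").append(pos).append(" of ").append(filters.size())
                   .append(": ").append(f.getClass().getName()).append('\n');
            }
        }
        return out.toString();
    }
}
```

The first chain whose matcher accepts a request is the only one applied, so the printed chain order matters as much as the filter order inside each chain.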
Answer by Xaerxess
Almost complete list of Spring Security's filter types is here, although to have it all you may display all GenericFilterBean's subclasses in SEC and read chapters 8-13 of Spring Security reference manual because, for example, you can choose one of few AbstractPreAuthenticatedProcessingFilter implementations (and add your own by extending existing filters or GenericFilterBean).
Example you have here uses bean configuration of FilterChainProxy via filter-chain element and is not a default chain - you must explicitly define your own chains in order to apply filters on requests.
On the other hand you are asking about <http> element: it has auto-config attribute which does the following:
<http>
<form-login />
<http-basic />
<logout />
</http>
which is setting up form-login, basic authentication and logout handling services respectively.
RequestCacheAwareFilter is called because it's probably included in filter chain of your application - your context.xml would be helpful here.
AnonymousAuthenticationFilter (and any other filter) is added to chain if you add the bean via <sec:filter-chain> element and configure bean with given id (usually its class name beginning with lowercased letter i.e. anonymousAuthenticationFilter). For example:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<sec:filter-chain pattern="/anonym/**" filters="
anonymousAuthenticationFilter" />
<sec:filter-chain pattern="/**" filters="none" />
</list>
</constructor-arg>
</bean>
<bean id="anonymousAuthenticationFilter"
class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
<property name="key" value="foobar"/>
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="anonymousAuthenticationProvider"/>
</list>
</property>
</bean>
<bean id="anonymousAuthenticationProvider"
class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
<property name="key" value="foobar"/>
</bean>

