A Custom Filter in the Spring Security Filter Chain – Spring安全过滤器链中的一个自定义过滤器

1. Overview

1.概述

In this quick tutorial, we’ll focus on writing a custom filter for the Spring Security filter chain.

在这个快速教程中，我们将专注于为Spring Security过滤器链编写一个自定义过滤器。

2. Creating the Filter

2.创建过滤器

Spring Security provides a number of filters by default, and these are enough most of the time.

Spring Security默认提供了一些过滤器，这些过滤器在大多数时候是足够的。

But of course it’s sometimes necessary to implement new functionality by creating a new filter to use in the chain.

但当然有时也需要通过创建一个新的过滤器在链中使用来实现新的功能。

We’ll start by implementing the org.springframework.web.filter.GenericFilterBean.

我们将从实现org.springframework.web.filter.GenericFilterBean开始。

The GenericFilterBean is a simple javax.servlet.Filter implementation that is Spring-aware.

GenericFilterBean是一个简单的javax.servlet.Filter实现，是Spring感知的。

We only need to implement a single method:

我们只需要实现一个单一的方法。

public class CustomFilter extends GenericFilterBean {

    @Override
    public void doFilter(
      ServletRequest request, 
      ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);
    }
}

3. Using the Filter in the Security Config

3.在安全配置中使用过滤器

We’re free to choose either XML configuration or Java configuration to wire the filter into the Spring Security configuration.

我们可以自由选择XML配置或Java配置，将过滤器接入Spring Security配置。

3.1. Java Configuration

3.1. Java配置

We can register the filter programmatically by creating a SecurityFilterChain bean.

我们可以通过创建一个SecurityFilterChain bean，以编程方式注册该过滤器。

For example, it works with the addFilterAfter method on an HttpSecurity instance:

例如，它与HttpSecurity实例上的addFilterAfter方法一起工作。

@Configuration
public class CustomWebSecurityConfigurerAdapter {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.addFilterAfter(
          new CustomFilter(), BasicAuthenticationFilter.class);
        return http.build();
    }
}

There are a couple of possible methods:

有几种可能的方法。

• addFilterBefore(filter, class) adds a filter before the position of the specified filter class.
• addFilterAfter(filter, class) adds a filter after the position of the specified filter class.
• addFilterAt(filter, class) adds a filter at the location of the specified filter class.
• addFilter(filter) adds a filter that must be an instance of or extend one of the filters provided by Spring Security.

3.2. XML Configuration

3.2.XML配置

We can add the filter to the chain using the custom-filter tag and one of these names to specify the position of our filter.

我们可以使用custom-filter标签和这些名字中的一个来指定我们的过滤器的位置，将过滤器添加到链中。

For instance, it can be pointed out by the after attribute:

例如，它可以由after属性指出。

<http>
    <custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
</http>

<beans:bean id="myFilter" class="com.baeldung.security.filter.CustomFilter"/>

Here are all the attributes to specify exactly where to place our filter in the stack:

这里有所有的属性，可以准确指定我们的过滤器在堆栈中的位置。

• after describes the filter immediately after which a custom filter will be placed in the chain.
• before defines the filter before which our filter should be placed in the chain.
• position allows replacing a standard filter in the explicit position by a custom filter.

4. Conclusion

4.结论

In this quick article, we created a custom filter and wired that into the Spring Security filter chain.

在这篇快速文章中，我们创建了一个自定义过滤器，并将其接入Spring Security过滤器链。

As always, all code examples are available in the sample GitHub project.

一如既往，所有的代码示例都可以在GitHub项目示例中找到。