Find the Registered Spring Security Filters

Last modified: September 20, 2018

1. Overview

Spring Security is based on a chain of servlet filters. Each filter has a specific responsibility, and filters are added or removed depending on the configuration.

In this tutorial, we’ll discuss different ways to find the registered Spring Security Filters.

2. Security Debugging

First, we’ll enable security debugging, which logs detailed security information on each request.

We can enable security debugging using the debug property:

@EnableWebSecurity(debug = true)

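This way, when we send a request to the server, all the request information will be logged. Because that output can contain sensitive request data, this setting belongs in development, not in production.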

We’ll also be able to see the entire security filter chain:

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  // ...
]

3. Logging

Next, we’ll find our security filters by enabling the logging for the FilterChainProxy.

We can enable logging by adding the following line to application.properties:

logging.level.org.springframework.security.web.FilterChainProxy=DEBUG

Here’s the related log:

DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG o.s.security.web.FilterChainProxy - /foos/1 at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
...

4. Obtaining the Filters Programmatically 

Now, we’ll see how to obtain the registered security filters programmatically.

We’ll use FilterChainProxy to get the security filters.

First, let’s autowire the springSecurityFilterChain bean:

@Autowired
@Qualifier("springSecurityFilterChain")
private Filter springSecurityFilterChain;

Here, we used a @Qualifier with the name springSecurityFilterChain and the type Filter instead of FilterChainProxy. This is because the springSecurityFilterChain() method in WebSecurityConfiguration, which creates the Spring Security filter chain, has the return type Filter and not FilterChainProxy.

Next, we’ll cast this object to FilterChainProxy and call the getFilterChains() method:

public void getFilters() {
    // The bean is declared as Filter; at runtime it is the FilterChainProxy.
    FilterChainProxy filterChainProxy = (FilterChainProxy) springSecurityFilterChain;
    List<SecurityFilterChain> list = filterChainProxy.getFilterChains();
    // Flatten the filters of every chain and print each filter's class.
    list.stream()
      .flatMap(chain -> chain.getFilters().stream())
      .forEach(filter -> System.out.println(filter.getClass()));
}

And here’s a sample output:

class org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
class org.springframework.security.web.context.SecurityContextPersistenceFilter
class org.springframework.security.web.header.HeaderWriterFilter
class org.springframework.security.web.authentication.logout.LogoutFilter
class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
...

Note that since Spring Security 3.1, FilterChainProxy is configured using a list of SecurityFilterChain. However, most applications need only one SecurityFilterChain.
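
The same getFilterChains() call can drive a configuration check instead of a printout, which matters once more than one SecurityFilterChain is registered. The following is an added example, not code from this article or from Spring Security: FilterChainAudit and its REQUIRED set are hypothetical, and it assumes Spring Security 5.x with javax.servlet and Java 9 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.servlet.Filter;

import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

// Hypothetical helper: walks every SecurityFilterChain held by the
// FilterChainProxy and reports chains that lack the filters we rely on.
public final class FilterChainAudit {

    // Assumption: the filters this application expects on every chain.
    private static final Set<Class<? extends Filter>> REQUIRED =
        Set.of(ExceptionTranslationFilter.class, FilterSecurityInterceptor.class);

    private FilterChainAudit() {
    }

    // Returns one finding per problem; an empty list means every chain passed.
    public static List<String> audit(Filter springSecurityFilterChain) {
        List<String> findings = new ArrayList<>();
        if (!(springSecurityFilterChain instanceof FilterChainProxy)) {
            findings.add("bean is " + springSecurityFilterChain.getClass().getName()
                + ", not a FilterChainProxy; chains cannot be inspected");
            return findings;
        }
        List<SecurityFilterChain> chains =
            ((FilterChainProxy) springSecurityFilterChain).getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            List<Filter> filters = chains.get(i).getFilters();
            // toString() of the chain is used only to help identify it in the report.
            String label = "chain " + i + " (" + chains.get(i) + ")";
            if (filters.isEmpty()) {
                // Requests matching an empty chain pass through with no security filter.
                findings.add(label + " has no filters");
                continue;
            }
            for (Class<? extends Filter> required : REQUIRED) {
                if (filters.stream().noneMatch(required::isInstance)) {
                    findings.add(label + " is missing " + required.getSimpleName());
                }
            }
        }
        return findings;
    }
}
```

Calling FilterChainAudit.audit(springSecurityFilterChain) from an integration test and asserting that the returned list is empty turns an accidental configuration change into a failed build.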

5. Important Spring Security Filters

Finally, let’s take a look at some of the important security filters:

  • UsernamePasswordAuthenticationFilter: processes authentication; responds by default to the “/login” URL
  • AnonymousAuthenticationFilter: when there’s no authentication object in SecurityContextHolder, it creates an anonymous authentication object and puts it there
  • FilterSecurityInterceptor: raises exceptions when access is denied
  • ExceptionTranslationFilter: catches Spring Security exceptions

6. Conclusion

In this quick article, we explored how to find the registered Spring Security filters programmatically and using logs.

As always, source code can be found over on GitHub.
