Spring安全addFilterAfter未注册筛选器

Question

我正在开发一个spring引导应用程序，我使用spring安全性来保护我的应用程序。我已经创建了一个自定义过滤器，我想在UsernamePasswordAuthenticationFilter之后添加它。我使用HttpSecurity.addFilterAfter方法来完成这个任务。

但是，我的过滤器从未被调用过。请你帮我解决这个问题。代码：

MultiSessionCustomLMSFilter.java

public class MultiSessionCustomLMSFilter extends GenericFilterBean {

private final static Logger log = LoggerFactory.getLogger(MultiSessionCustomLMSFilter.class);

@Autowired private UserLoginLogRepository userLoginLogRepository;
private ObjectMapper mapper;

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)   throws IOException, ServletException {
    log.debug("Inside doFilter of MultipleSessionFilter");
    //CUSTOM APP SPECIFIC LOGIC GOES IN HERE
    }
}

WebSecurityConfig.java

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    public static final String JWT_TOKEN_HEADER_PARAM = "X-Authorization";
    public static final String FORM_BASED_LOGIN_ENTRY_POINT = "/api/auth/login";
    public static final String CSRF_ENTRY_POINT = "/api/auth/login/csrf";
    public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/api/**";
    public static final String TOKEN_REFRESH_ENTRY_POINT = "/api/auth/token";

    @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint;
    @Autowired private AuthenticationSuccessHandler successHandler;
    @Autowired private AuthenticationFailureHandler failureHandler;
    @Autowired private LoginAuthenticationProvider loginAuthenticationProvider;
    @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;

    @Autowired private TokenExtractor tokenExtractor;

    @Autowired private AuthenticationManager authenticationManager;

    @Autowired private ObjectMapper objectMapper;

    @Autowired private JwtTokenFactory jwtTokenFactory;

    protected LoginProcessingFilter buildAjaxLoginProcessingFilter() throws Exception {
        LoginProcessingFilter filter = new LoginProcessingFilter(FORM_BASED_LOGIN_ENTRY_POINT, successHandler, failureHandler, objectMapper);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter() throws Exception {
        List<String> pathsToSkip = Arrays.asList(TOKEN_REFRESH_ENTRY_POINT,FORM_BASED_LOGIN_ENTRY_POINT, CSRF_ENTRY_POINT);
        SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, TOKEN_BASED_AUTH_ENTRY_POINT);
        JwtTokenAuthenticationProcessingFilter filter = new JwtTokenAuthenticationProcessingFilter(failureHandler, tokenExtractor, matcher,objectMapper,jwtTokenFactory);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(loginAuthenticationProvider);
        auth.authenticationProvider(jwtAuthenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
        .exceptionHandling()
        .authenticationEntryPoint(this.authenticationEntryPoint)

        .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

        .and()
            .authorizeRequests()
                .antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll() // Token refresh end-point
                .antMatchers(CSRF_ENTRY_POINT).permitAll()
//              .antMatchers(MIQA_FORUM_ENTRY_POINT).permitAll()
        .and()
            .authorizeRequests()
                .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated() // Protected API End-points
        .and().cors().and()
            .addFilterBefore(buildAjaxLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilterAfter(new MultiSessionCustomLMSFilter(),UsernamePasswordAuthenticationFilter.class);

    }

在启动期间调用筛选器时，应用程序日志：

    Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1,
 [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@a457c2b,
 org.springframework.security.web.context.SecurityContextPersistenceFilter@464aeb09,
 org.springframework.security.web.header.HeaderWriterFilter@32da97fd,
 org.springframework.web.filter.CorsFilter@16a6dc21,
 org.springframework.security.web.authentication.logout.LogoutFilter@c0c8f96,
 com.egmat.lms.security.auth.login.LoginProcessingFilter@5773d271,
 com.egmat.lms.security.auth.jwt.JwtTokenAuthenticationProcessingFilter@59f45950,
 com.egmat.lms.security.MultiSessionCustomLMSFilter@7871d261,
 org.springframework.security.web.savedrequest.RequestCacheAwareFilter@59d6642a,
 org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@288728e,
 org.springframework.security.web.authentication.AnonymousAuthenticationFilter@58164e9a,
 org.springframework.security.web.session.SessionManagementFilter@4aa22cc2,
 org.springframework.security.web.access.ExceptionTranslationFilter@e01a26b,
 org.springframework.security.web.access.intercept.FilterSecurityInterceptor@5c70d7f0]

Answer 1

LoginProcessingFilter和JwtTokenAuthenticationProcessingFilter是否继续筛选链？

之前的过滤器需要通过执行以下操作来继续筛选链：

chain.doFilter(request, response);