Jersey 过滤器 servlet 容器忽略 spring 安全过滤器链
Jersey filter servlet container ignores spring security filter chain
我正在尝试部署我的 spring 应用程序,它确实部署得很好,但是请求没有被 spring 安全过滤器拦截,如果我使用 它工作得很好但是当我切换到 它突然停止工作,这是我的 web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>Campus</display-name>
<context-param>
<param-name>contextClass</param-name>
<param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
ar.com.campus.config.WebConfig,
ar.com.campus.security.config.WebSecurityConfig
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<filter>
<filter-name>jersey</filter-name>
<filter-class>org.glassfish.jersey.servlet.ServletContainer</filter-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>
ar.com.campus.controllers,
ar.com.campus.security.api.exceptionmapper
</param-value>
</init-param>
<init-param>
<param-name>jersey.config.servlet.filter.contextPath</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.provider.classnames</param-name>
<param-value>
org.glassfish.jersey.media.multipart.MultiPartFeature,
org.glassfish.jersey.tests.integration.servlettests.FilterForwardOn404Resource
</param-value>
</init-param>
<init-param>
<param-name>jersey.config.servlet.filter.forwardOn404</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>jersey</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
查看我的日志,过滤器似乎已初始化:
02:38:50.762 [RMI TCP Connection(3)-127.0.0.1] DEBUG o.s.web.filter.DelegatingFilterProxy - Initializing filter 'springSecurityFilterChain'
02:38:50.763 [RMI TCP Connection(3)-127.0.0.1] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'springSecurityFilterChain'
02:38:50.763 [RMI TCP Connection(3)-127.0.0.1] DEBUG o.s.web.filter.DelegatingFilterProxy - Filter 'springSecurityFilterChain' configured successfully
但是当我向我拥有的任何映射端点发出请求时,它不会通过 spring 安全过滤器,这是我的 WebSecurityConfig:
@Configuration
@EnableWebSecurity
@ComponentScan({"ar.com.campus.security" })
@PropertySource(value= {"classpath:application.properties"})
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
...
...
@Override
protected void configure(final HttpSecurity http) throws Exception {
CharacterEncodingFilter filter = new CharacterEncodingFilter();
filter.setEncoding("UTF-8");
filter.setForceEncoding(true);
http
.cors()
.and()
.csrf()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, API_PREFIX + "/user").hasAuthority("USER")
.antMatchers("/**").permitAll();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Collections.singletonList("*"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(Arrays.asList("authorization", "content-type", "x-auth-token"));
configuration.setExposedHeaders(Arrays.asList("x-auth-token", "authorization", "X-Total-Pages", "Content-Disposition"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Override
public void configure(final WebSecurity web) {
web
.ignoring()
.antMatchers("/");
}
}
过滤器按照定义的顺序执行。 filter-mapping 的定义顺序。在您的情况下,您在 securityFilterChain.
之前定义了 jersey 过滤器
如果您切换顺序,securityFilterChain 将首先被调用。
我正在尝试部署我的 spring 应用程序,它确实部署得很好,但是请求没有被 spring 安全过滤器拦截,如果我使用
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>Campus</display-name>
<context-param>
<param-name>contextClass</param-name>
<param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
ar.com.campus.config.WebConfig,
ar.com.campus.security.config.WebSecurityConfig
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<filter>
<filter-name>jersey</filter-name>
<filter-class>org.glassfish.jersey.servlet.ServletContainer</filter-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>
ar.com.campus.controllers,
ar.com.campus.security.api.exceptionmapper
</param-value>
</init-param>
<init-param>
<param-name>jersey.config.servlet.filter.contextPath</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.provider.classnames</param-name>
<param-value>
org.glassfish.jersey.media.multipart.MultiPartFeature,
org.glassfish.jersey.tests.integration.servlettests.FilterForwardOn404Resource
</param-value>
</init-param>
<init-param>
<param-name>jersey.config.servlet.filter.forwardOn404</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>jersey</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
查看我的日志,过滤器似乎已初始化:
02:38:50.762 [RMI TCP Connection(3)-127.0.0.1] DEBUG o.s.web.filter.DelegatingFilterProxy - Initializing filter 'springSecurityFilterChain'
02:38:50.763 [RMI TCP Connection(3)-127.0.0.1] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'springSecurityFilterChain'
02:38:50.763 [RMI TCP Connection(3)-127.0.0.1] DEBUG o.s.web.filter.DelegatingFilterProxy - Filter 'springSecurityFilterChain' configured successfully
但是当我向我拥有的任何映射端点发出请求时,它不会通过 spring 安全过滤器,这是我的 WebSecurityConfig:
@Configuration
@EnableWebSecurity
@ComponentScan({"ar.com.campus.security" })
@PropertySource(value= {"classpath:application.properties"})
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
...
...
@Override
protected void configure(final HttpSecurity http) throws Exception {
CharacterEncodingFilter filter = new CharacterEncodingFilter();
filter.setEncoding("UTF-8");
filter.setForceEncoding(true);
http
.cors()
.and()
.csrf()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, API_PREFIX + "/user").hasAuthority("USER")
.antMatchers("/**").permitAll();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Collections.singletonList("*"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(Arrays.asList("authorization", "content-type", "x-auth-token"));
configuration.setExposedHeaders(Arrays.asList("x-auth-token", "authorization", "X-Total-Pages", "Content-Disposition"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Override
public void configure(final WebSecurity web) {
web
.ignoring()
.antMatchers("/");
}
}
过滤器按照定义的顺序执行。 filter-mapping 的定义顺序。在您的情况下,您在 securityFilterChain.
jersey 过滤器
如果您切换顺序,securityFilterChain 将首先被调用。