spring-security - where can I find the list of ALL security filters registered when I use the <http> element?

误落风尘 2020-12-25 14:38

There is a default set of filters registered when we use the <http> element in our XML file. This mentions the ordering of filters (whichever we choose t

3 answers
  • 2020-12-25 14:58

    If you turn on debug logging for org.springframework.security.web.FilterChainProxy you will see, for each request, every filter that it passes through.

    For example (I am also using Spring Security OAuth).

    11:18:39.123 FilterChainProxy - /user/login at position 1 of 17 in additional filter chain; firing Filter: 'BasicUserApprovalFilter'
    11:18:39.123 FilterChainProxy - /user/login at position 2 of 17 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    11:18:39.124 FilterChainProxy - /user/login at position 3 of 17 in additional filter chain; firing Filter: 'LogoutFilter'
    11:18:39.124 FilterChainProxy - /user/login at position 4 of 17 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    11:18:39.124 FilterChainProxy - /user/login at position 5 of 17 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
    11:18:39.124 FilterChainProxy - /user/login at position 6 of 17 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    11:18:39.124 FilterChainProxy - /user/login at position 7 of 17 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    11:18:39.124 FilterChainProxy - /user/login at position 8 of 17 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
    11:18:39.125 FilterChainProxy - /user/login at position 9 of 17 in additional filter chain; firing Filter: 'ForgotPasswordAuthenticationFilter'
    11:18:39.125 FilterChainProxy - /user/login at position 10 of 17 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    11:18:39.125 FilterChainProxy - /user/login at position 11 of 17 in additional filter chain; firing Filter: 'SessionManagementFilter'
    11:18:39.125 FilterChainProxy - /user/login at position 12 of 17 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    11:18:39.125 FilterChainProxy - /user/login at position 13 of 17 in additional filter chain; firing Filter: 'OAuth2ExceptionHandlerFilter'
    11:18:39.125 FilterChainProxy - /user/login at position 14 of 17 in additional filter chain; firing Filter: 'VerificationCodeFilter'
    11:18:39.125 FilterChainProxy - /user/login at position 15 of 17 in additional filter chain; firing Filter: 'OAuth2AuthorizationFilter'
    11:18:39.125 FilterChainProxy - /user/login at position 16 of 17 in additional filter chain; firing Filter: 'OAuth2ProtectedResourceFilter'
    11:18:39.125 FilterChainProxy - /user/login at position 17 of 17 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    

    If you want to get the filters programmatically you can inject the FilterChainProxy and get the filterChainMap's values.

    For example:

    @Autowired var filterChainProxy: FilterChainProxy = _
    //...
    val filterChains = filterChainProxy.getFilterChainMap.values
    

    If you only want to see the filters that <http> adds then you should look at the source for HttpSecurityBeanDefinitionParser.

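Added example, not part of the answer above or of Spring Security itself: a startup bean that lists every chain and its filters in firing order through FilterChainProxy.getFilterChains(), the accessor available since Spring Security 3.1, and flags chains that apply no filters at all (such as a filters="none" pattern). The class name FilterChainAudit is hypothetical; the code assumes the standard springSecurityFilterChain bean name and the javax.servlet API.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter; // jakarta.servlet.Filter on Spring Security 6+

import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;

// FilterChainAudit is a hypothetical name; register it as a bean in the web context.
@Component
public class FilterChainAudit implements SmartInitializingSingleton {

    private final Filter securityFilter;

    @Autowired
    public FilterChainAudit(@Qualifier("springSecurityFilterChain") Filter securityFilter) {
        this.securityFilter = securityFilter;
    }

    /** One line per chain, "<matcher> -> [filters in firing order]". */
    public List<String> describeChains() {
        if (!(securityFilter instanceof FilterChainProxy)) {
            throw new IllegalStateException("Not a FilterChainProxy: " + securityFilter.getClass());
        }
        List<String> lines = new ArrayList<>();
        for (SecurityFilterChain chain : ((FilterChainProxy) securityFilter).getFilterChains()) {
            String matcher = (chain instanceof DefaultSecurityFilterChain)
                    ? ((DefaultSecurityFilterChain) chain).getRequestMatcher().toString()
                    : chain.toString();
            List<String> names = new ArrayList<>();
            for (Filter f : chain.getFilters()) {
                names.add(f.getClass().getSimpleName());
            }
            // An empty chain (e.g. filters="none") lets matching requests bypass every filter.
            String flag = names.isEmpty() ? "  <-- no security filters applied" : "";
            lines.add(matcher + " -> " + names + flag);
        }
        return lines;
    }

    @Override
    public void afterSingletonsInstantiated() {
        describeChains().forEach(System.out::println); // swap in your logger
    }
}
```

Unlike the per-request debug log, this covers every configured chain at once, including patterns no request has hit yet.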
  • 2020-12-25 15:08

    Another thing you can do in Spring Security 3.1 is add

    <sec:debug />
    

    or

    @EnableWebSecurity(debug = true)

    to your application context. This adds an extra filter which will (amongst other things) report the list of security filters that will be applied to each request.

  • 2020-12-25 15:14

    An almost complete list of Spring Security's filter types is here, although to have it all you may display all GenericFilterBean's subclasses in SEC and read chapters 8-13 of the Spring Security reference manual because, for example, you can choose one of a few AbstractPreAuthenticatedProcessingFilter implementations (and add your own by extending existing filters or GenericFilterBean).

    The example you have here uses bean configuration of FilterChainProxy via the filter-chain element and is not a default chain - you must explicitly define your own chains in order to apply filters on requests.


    On the other hand, you are asking about the <http> element: it has an auto-config attribute which does the following:

    <http>
      <form-login />
      <http-basic />
      <logout />
    </http>
    

    which is setting up form-login, basic authentication and logout handling services respectively.


    RequestCacheAwareFilter is called because it's probably included in the filter chain of your application - your context.xml would be helpful here.

    AnonymousAuthenticationFilter (and any other filter) is added to the chain if you add the bean via the <sec:filter-chain> element and configure the bean with the given id (usually it's the class name beginning with a lowercase letter, i.e. anonymousAuthenticationFilter). For example:

    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
      <constructor-arg>
        <list>
          <sec:filter-chain pattern="/anonym/**" filters="
               anonymousAuthenticationFilter" />
          <sec:filter-chain pattern="/**" filters="none" />
        </list>
      </constructor-arg>
    </bean>
    
    <bean id="anonymousAuthenticationFilter"
        class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
      <property name="key" value="foobar"/>
      <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
    </bean>
    
    <bean id="authenticationManager"
         class="org.springframework.security.authentication.ProviderManager">
      <property name="providers">
        <list>
          <ref local="anonymousAuthenticationProvider"/>
        </list>
      </property>
    </bean>
    
    <bean id="anonymousAuthenticationProvider"
        class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
      <property name="key" value="foobar"/>
    </bean>
    