How exactly does the Spring Security filter declared in the web.xml of a Spring MVC application work?

Updated: 2024-10-28 04:20:56
Tags: java, Spring

I am pretty new to Spring and I have some doubts about how exactly a Spring Security project that I am studying works.

So this is the content of my web.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">

  <display-name>Spring_Web_App</display-name>

  <welcome-file-list>
    <welcome-file>/WEB-INF/jsp/index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Spring MVC front controller with its own (child) application context -->
  <servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/config/spring-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- Configuration of the root application context created by ContextLoaderListener -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/config/spring-security.xml</param-value>
  </context-param>

  <!-- Servlet filter that delegates to the Spring bean named like the filter -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

</web-app>

From what I know, the content of this setting:

<servlet-mapping>
  <servlet-name>spring</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>

is not related to the Spring Security configuration, but it specifies that all requests have to be handled by a servlet named Spring, whose configuration is in a file named spring-servlet.xml. Is that right?

So, analyzing the Spring Security statements in the web.xml file, I found that the configuration of this component is declared in the /WEB-INF/config/spring-security.xml file by this statement:

<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/config/spring-security.xml</param-value>
</context-param>

Then I have the filter declaration. I am not very familiar with filters, and this is the topic that is causing me some problems.

From what I have understood, a filter is something that intercepts a request (as a servlet does) but, unlike a servlet, does not return a response to the caller (a JSP page to the user or something like this); it simply performs some operation before fast-forwarding the request to the servlet that has to handle it and that provides a response for this request. So filters are used to provide some extra logic that has to be outside the servlet code because it represents some specific task.

For example, filters are used in the user authentication task, because saying whether a user is authenticated or not should be an independent task and does not have to be coded inside the servlet. Is my reasoning right?

So, from what I have understood reading some documentation, I have to declare a filter with these lines:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

and then I specify that the filter is applied to all requests with these lines:

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

So I think that authentication works in the following way: each HTTP request is intercepted by the filter before it is passed to the servlet, and if the user is not authorized (does not have the right credentials or does not have the right rule set), the request is not handled by the servlet and he can't access the page.

Is my reasoning correct?

From what I have understood trying to study the Spring architecture, the DelegatingFilterProxy delegates to a chain of Spring-managed filters that:

- Drive authentication
- Enforce authorization
- Manage logout
- Maintain SecurityContext in HttpSession
- etc.

Best answer

Yes, you are right. Filters exist in the servlet spec for cross-cutting concerns, like "middleware" in other web stacks. All filters are called before the request is handled by the Servlet. They can choose to short-circuit the request or let it move down the chain. You would typically use a filter to enable gzip, authenticate, add CORS headers and the like.

Spring intercepts all requests through their filter. They basically hijack all requests through this mechanism and use their own internal routing algos and security from that point on. This is why you don't have to register your handlers as servlets in web.xml, but only in Spring.
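
A simplified sketch of the lookup-and-delegate step that DelegatingFilterProxy performs for the web.xml in the question, added here as an example; it is not code from the post or from Spring's source, and the class name SimplifiedDelegatingFilter is hypothetical. It shows why the `<filter-name>` has to be `springSecurityFilterChain` (it is used as the bean name) and why spring-security.xml has to be loaded into the root context by ContextLoaderListener rather than only into the DispatcherServlet's context.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

// Hypothetical class for illustration; the real implementation is
// org.springframework.web.filter.DelegatingFilterProxy.
public class SimplifiedDelegatingFilter implements Filter {

    private FilterConfig config;
    private volatile Filter delegate;   // the Spring-managed filter bean

    @Override
    public void init(FilterConfig filterConfig) {
        // The root context may not be ready yet, so the lookup is deferred
        // until the first request.
        this.config = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Filter target = delegate;
        if (target == null) {
            synchronized (this) {
                if (delegate == null) {
                    delegate = lookupDelegate();
                }
                target = delegate;
            }
        }
        // The delegate either calls chain.doFilter(...) so the request reaches
        // the DispatcherServlet, or writes its own response (login redirect,
        // 403) and returns, in which case the servlet never sees the request.
        target.doFilter(req, res, chain);
    }

    private Filter lookupDelegate() {
        // Root context built by ContextLoaderListener from the <context-param>;
        // throws IllegalStateException if the listener is not registered.
        WebApplicationContext root = WebApplicationContextUtils
                .getRequiredWebApplicationContext(config.getServletContext());
        // Bean name = <filter-name>; throws NoSuchBeanDefinitionException if
        // no bean named springSecurityFilterChain exists in the root context.
        return root.getBean(config.getFilterName(), Filter.class);
    }

    @Override
    public void destroy() { }
}
```

Because the mapping is `/*`, every request passes through this filter first, including requests for static resources that are not meant to be protected.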

Published: 2023-08-07 17:04:00
Article link: https://www.elefans.com/category/jswz/34/1465486.html