问题
I am using Spring Security 3.0 with JSPs. I have created a RequireVerificationFilter that redirects unverified users to a "verify your email" page.
I added the filter to the spring security filter stack in last place like so:
Bean definition in my app-config.xml:
<bean id="requireVerificationFilter" class="com.ebisent.web.RequireVerificationFilter" />
Filter added to spring security filter list in my security-config.xml:
<custom-filter ref="requireVerificationFilter" after="LAST" />
The filter works, but it filters its own redirect URL. That is, the filter redirects unverified users to /access/verify, but that URL is also caught by the filter, which attempts the redirect ad infinitum.
I tried using the <filter-mapping> tag to restrict the URLs this new filter applies to, but that does not seem to work the way I thought it would. Here is the web.xml entry I added anyway:
<filter>
<filter-name>requireVerificationFilter</filter-name>
<filter-class>com.ebisent.web.RequireVerificationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>requireVerificationFilter</filter-name>
<url-pattern>/account/*</url-pattern>
</filter-mapping>
I read through "Adding in Your Own Filters" in the spring security documention, but did not find an answer.
My question is, How can I specify which URLs my filter applies to?
UPDATE:
I got this working by specifying the URL to allow within the filter itself. This works fine for me, but if there is a better/more "springy" way to do it, I would be glad to hear it.
回答1:
You have to do this inside the actual configuration xml (same place you have the <custom-filter ref="requireVerificationFilter" after="LAST" /> .
<http ...>
<intercept-url pattern="/access" ... filters="..., requireVerificationFilter, ..." />
<intercept-url pattern="/verify" ... filters="none" />
...
</http>
Something along those lines, you can specify a list of the filters you want to run and exclude those you don't (and "none" means none). You should not need to add tyour filter to the web.xml - only inline with the Spring Security filter chain.
回答2:
You should use org.springframework.security.web.FilterChainProxy for this. the attribute filter should only containts none:
<http ...>
<custom-filter ref="requireVerificationFilterChain" after="LAST" />
</http>
<b:bean id="requireVerificationFilterChain" class="org.springframework.security.web.FilterChainProxy">
<filter-chain-map request-matcher="ant">
<filter-chain pattern="/account/*" filters="requireVerificationFilter"/>
</filter-chain-map>
</b:bean>
<b:bean id="requireVerificationFilter" class="com.ebisent.web.RequireVerificationFilter" />
来源:https://stackoverflow.com/questions/3954930/spring-security-3-0-how-do-i-specify-urls-to-which-a-custom-filter-applies