问题
I'm trying to adjust my application configuration in order to setup ETag support.
I have just checked this SO question, so let me say where my code is different from it:
- I don't use any xml configuration file whatsoever.
- I'm using different configuration classes for each aspect of the system. My
WebConfiglooks like this:
@Configuration
@EnableAutoConfiguration
@ComponentScan(basePackages = { "xxx", "yyy" })
public class WebConfig extends WebMvcConfigurerAdapter {
@Bean
public Filter shallowETagHeaderFilter() {
return new ShallowEtagHeaderFilter();
}
...
}
- And my SecurityConfig looks like this:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint())
.and().authorizeRequests()
.antMatchers(HttpMethod.GET, "/**").authenticated()
.antMatchers(HttpMethod.POST, "/**").authenticated()
.antMatchers(HttpMethod.HEAD, "/**").authenticated()
.and().csrf().disable()
.addFilterBefore(authenticationTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
- I also have an initializer class, which is empty:
@Order(value=1)
public class SecurityWebAppInitializer extends AbstractSecurityWebApplicationInitializer {
}
I don't see anywhere the ShallowEtagHeaderFilter been added to the default chain or anything, how can I use it in this setup?
回答1:
Alright,
According to this post:
[...] To help mitigate this Spring Security has added cache control support which will insert the following headers into you response.
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
So, what happened is that ETag support was added, but Spring Security invalidated it in the response. It seems that if you want to use both Spring Security and ETag support, you need to declare the following code line (highlighted by the arrow):
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint())
.and().authorizeRequests()
.antMatchers(HttpMethod.GET, "/**").authenticated()
.antMatchers(HttpMethod.POST, "/**").authenticated()
.antMatchers(HttpMethod.HEAD, "/**").authenticated()
.and().csrf().disable()
.addFilterBefore(authenticationTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
===> http.headers().cacheControl().disable();
}
}
来源:https://stackoverflow.com/questions/26742207/add-shallowetagheaderfilter-in-spring-boot-mvc