弹簧安全：根据请求主体重定向用户

发布于 2025-02-06 13:20:46 字数 1594 浏览 1 评论 0原文

我有一个基于请求主体内容的方案，应允许用户访问SOAP服务的某些资源。我无法使用AntMatcher（**）来实现此目标，因为所有请求的路径相同。

我尝试通过添加一个过滤器：

public class MyFilter extends GenericFilterBean {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest r = (HttpServletRequest)request;
    MyRequestWrapper req = new MyRequestWrapper(r);
    String body = req.getBody();

   if(body.indexOf("searchKeyOnBody")!=0){
        //Need to check if user has specified role or not 
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Set<String> roles = authentication.getAuthorities().stream()
            .map(r -> r.getAuthority()).collect(Collectors.toSet());
        boolean hasManagerRole = authentication.getAuthorities().stream()
            .anyMatch(r -> r.getAuthority().equals("ROLE_MANAGER"));

        if(!hasManagerRole){
           throwUnauthorized(response);
           return;
        }
    }

    chain.doFilter(req, response);
}

在Spring Security Config：

@Configuration
public class MyAppConfig extends WebSecurityConfigurerAdapter {
   @Override
   protected void configure(HttpSecurity http) throws Exception {
      http.**.addFilterAfter(new MyFilter (), UsernamePasswordAuthenticationFilter.class)

此处的问题是身份验证身份验证= SecurityContexTholder.getContext（）。getAuthentication（）;在过滤器类中是null。因此，我无法检索用户信息，并且它是角色。

问题：有什么方法可以检索过滤器中的用户信息？有人对此有更好的主意吗？

原文

I have a scenario that based on the request body content, user should be allowed to access certain resource on SOAP services. I can't achieve this using antMatcher(**) because the path is same for all request.

I tried by adding a filter:

public class MyFilter extends GenericFilterBean {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest r = (HttpServletRequest)request;
    MyRequestWrapper req = new MyRequestWrapper(r);
    String body = req.getBody();

   if(body.indexOf("searchKeyOnBody")!=0){
        //Need to check if user has specified role or not 
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Set<String> roles = authentication.getAuthorities().stream()
            .map(r -> r.getAuthority()).collect(Collectors.toSet());
        boolean hasManagerRole = authentication.getAuthorities().stream()
            .anyMatch(r -> r.getAuthority().equals("ROLE_MANAGER"));

        if(!hasManagerRole){
           throwUnauthorized(response);
           return;
        }
    }

    chain.doFilter(req, response);
}

In spring security config:

@Configuration
public class MyAppConfig extends WebSecurityConfigurerAdapter {
   @Override
   protected void configure(HttpSecurity http) throws Exception {
      http.**.addFilterAfter(new MyFilter (), UsernamePasswordAuthenticationFilter.class)

The problem here is Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); in filter class is null. So, I am not able to retrive the user info and it's role.

Question:
Is there any way to retrieve the user info in the filter?
Anybody have better idea for this?

分享到QQ

分享到微博