java - 当第二个过滤器尝试写入响应流时，2 个链接的 AbstractAuthenticationProcessingFilter 导致 302 重定向

Question

我有 2 个过滤器，Filter1 和 Filter2，它们都扩展了 AbstractAuthenticationProcessingFilter。 Filter1 已成功完成其工作并将请求链接到 Filter2。现在，当 Filter2 抛出 AuthenticationException 并由 Filter2 的 onAuthenticationFailure 方法处理时，响应将通过 HttpStatus 403 写入响应流，从而提交响应。但是在调用 doFilter 方法(在 Filter1 中)后，控件被链接回 Filter1 ，并且它重定向到“/”url，这导致 302 重定向状态，而不是我期望的 403 状态。有谁知道如何在异常期间跳过过滤器以避免重定向到“/”url？

它是 spring-boot 应用程序，两个过滤器都在 ApplicationConfig.java 中配置，并具有单独的 ErrorHandlers Errorhandler1 和 Errorhandler2。FirstFilter 已将身份验证状态设置为 true，第二个过滤器引发异常。但由于 Response 已由链中第二个过滤器的 Errorhandler2 ('AuthenticationFailureHandler') 提交，但控制权仍转到 Filter1 并重定向到“/”。

@Component
public class Filter2CustomErrorhandler implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        CustomError error = new CustomError();
        response.setContentType("application/json;charset=UTF-8");
        response.setStatus(403);
        response.getWriter().write(convertObjectToJson(error));
    }

    private String convertObjectToJson(Object object) throws JsonProcessingException {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.writeValueAsString(object);
    }

}

public class Filter1 extends AbstractAuthenticationProcessingFilter {

    public Filter1(RequestMatcher requiresAuthenticationRequestMatcher) {
        super(requiresAuthenticationRequestMatcher);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
        Authentication authentication = new CustomAuthenticationToken("some-principal-1", "some-credential-1");
        authentication.setAuthenticated(true);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        return authentication;
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
                                            Authentication authResult) throws IOException, ServletException {
        super.successfulAuthentication(request, response, chain, authResult);
            chain.doFilter(request, response);
    }

    @Override
    public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler) {
        super.setAuthenticationFailureHandler(failureHandler);
    }
}   


public class Filter2 extends AbstractAuthenticationProcessingFilter {

    public Filter2(RequestMatcher requiresAuthenticationRequestMatcher) {
        super(requiresAuthenticationRequestMatcher);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
        Authentication authentication = new CustomAuthenticationToken("some-principal-2", "some-credential-2");
        authentication.setAuthenticated(true);

        throw new SecurityAuthenticationException("some-exception-message", new CustomException());

        //SecurityContextHolder.getContext().setAuthentication(authentication);
        //return authentication;
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
                                            Authentication authResult) throws IOException, ServletException {
        super.successfulAuthentication(request, response, chain, authResult);
            chain.doFilter(request, response);
    }

    @Override
    public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler) {
        super.setAuthenticationFailureHandler(failureHandler);
    }
} 

我期待 RestClient 中出现 HttpStatus 403。

Answer 1

解决方案:

• 因此，实现此目的的另一种方法是使用单个AbstractAuthenticationProcessingFilter 和多个提供程序。

• 各个提供者可以实现重写的支持方法特定的身份验证类型(例如ExampleAuthInstance扩展
身份验证)。

• 当您从过滤器调用提供程序时，例如this.getAuthenticationManager().authenticate( exampleAuthInstance ),支持 ExampleAuthInstance 的提供者，验证方法该提供程序的将被调用。

• AuthenticationException 必须从过滤器本身抛出，而不是从提供者抛出。提供者可以抛出带有所需 HttpStatus 的 CustomSecurityException，然后将其包装在 AuthenticationException 中并在过滤器级别抛出。然后将其委托(delegate)给可能需要响应流的适当的预配置故障处理程序。