堆栈内存溢出
  简体   繁体   English

Spring FilterChain + Security:用户是否记录日志请求

[英]Spring FilterChain + Security: log request with user or not

 原文  2018-12-20 15:13:15       java/ spring/ spring-mvc/ spring-security

问题描述

I have a Spring web-mvc REST-service with several initializers. 我有一个带有几个初始化程序的Spring web-mvc REST服务。

WebAppInitializer.java 

@Order(1)
public class MyFiltersInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) {
        FilterRegistration.Dynamic registration = servletContext.addFilter("myRequestFilter", DelegatingFilterProxy.class);
        // register other filters and DispatcherServlet
    }
}

SecurityWebAppInitializer.java 

@Order(2)
public class MySecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected Set<SessionTrackingMode> getSessionTrackingModes() {
        return EnumSet.of(SessionTrackingMode.COOKIE, SessionTrackingMode.URL);
    }
}

As you can see, SecurityFilterChain is being added after all custom request filters. 如您所见,在所有自定义请求筛选器之后添加了SecurityFilterChain What I need to do is to log every request, and include User to log, if request is authorized 我需要做的是记录每个请求,并包括User记录,如果请求被授权

Something like MyRequestFilter.java : MyRequestFilter.java这样的东西: 

@Slf4j
public class RequestFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(final HttpServletRequest request,
                                    final HttpServletResponse response,
                                    final FilterChain filterChain) throws ServletException, IOException {
           MyUser user = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); //no auth yet
           log.debug("request {} start, user {}", request, user); 
           filterChain.doFilter(request, response); //may return 401 or 403, what also need to be logged
           log.debug("request {} end with response {}", request, response);
   }

There is an idea to add an LogBodyHolder , which keeps log body until SecurityChain is passed completely, and then call log.debug . 有一个想法是添加一个LogBodyHolder ,它保持日志体直到完全传递SecurityChain ,然后调用log.debug But is there any pretty way to solve this problem? 但有解决这个问题的任何漂亮的方式?

1 个解决方案

解决方案1
 0  2018-12-20 15:41:37

你可以创建一个扩展类的Spring bean AbstractRequestLoggingFilter这是由Spring提供,然后覆盖beforeRequest()afterRequest()方法,你想添加你的日志。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Security 4无法在Tomcat 7上创建bean FilterChain - Spring Security 4 Cannot create bean FilterChain on Tomcat 7 在Spring Security过滤链中添加嵌套的自定义过滤器 - Add nested custom filters in Spring Security filterchain Spring Security为什么注销用户? - Why does spring security log out the user? 春季安全。 为用户登录添加限制 - Spring security. add restriction for user log in 使用Spring-Test-MVC对Spring-Security进行单元测试-集成FilterChain / ServletFilter - Using Spring-Test-MVC to unit test Spring-Security - Integrating the FilterChain / ServletFilter Spring 安全性 - 过滤器链错误 - 在 class 路径资源中定义名称为“filterChain”的 bean 创建错误 - Spring Security - Filter Chain Error - Error creating bean with name 'filterChain' defined in class path resource 如何在Spring Security中无需登录即可检查用户详细信息 - How to check user details without log-in in Spring security 如何使用spring security以编程方式记录用户 - how to log a user out programmatically using spring security Spring Security —检索当前尝试登录的用户的用户名 - Spring Security — Retrieving the Username of the user currently trying to log in 链接以使用Spring Security登录 - Link to log in with spring security
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM