
How exactly does the Spring Security filter declared in the web.xml of a Spring MVC application work?

I am pretty new to Spring and I have some doubts about how exactly a Spring Security project that I am studying works.

So this is the content of my web.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
  <display-name>Spring_Web_App</display-name>
  <welcome-file-list>
    <welcome-file>/WEB-INF/jsp/index.jsp</welcome-file>
  </welcome-file-list>
  <servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/config/spring-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/config/spring-security.xml</param-value>
  </context-param>

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>

From what I know, the content of these settings:

  <servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

is not related to the Spring Security configuration but specifies that all requests have to be handled by a servlet named spring, whose configuration is in a file named spring-servlet.xml. Is that right?

So, analyzing the Spring Security statements in the web.xml file, I found that the configuration of this component is declared in the /WEB-INF/config/spring-security.xml file by this statement:

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/config/spring-security.xml</param-value>
  </context-param>

Then I have the filter declaration. I am not so familiar with filters, and this is the topic that is giving me some problems.

From what I have understood, a filter is something that intercepts a request (as a servlet does) but, differently from a servlet, does not return a response to the caller (a JSP page to the user or something like this); it simply performs some operations before forwarding the request to the servlet that has to handle it and that provides a response for this request. So filters are used to provide some extra logic that has to be outside the servlet code because it represents some specific task.

For example, filters are used in the user authentication task because saying whether a user is authenticated or not should be an independent task and should not be coded inside the servlet. Is my reasoning true?

So, from what I have understood reading some documentation, I have to declare a filter with these lines:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

and then I specify that the filter is applied to all requests with these lines:

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

So I think that authentication works in the following way: each HTTP request is intercepted by the filter before it is passed to the servlet, and if the user is not authorized (does not have the right credentials or does not have the right role set) the request is not handled by the servlet and he can't access the page.

Is it my reasoning correct?

From what I have understood trying to study the Spring architecture, the DelegatingFilterProxy delegates to a chain of Spring-managed filters that:

  • Drive authentication
  • Enforce authorization
  • Manage logout
  • Maintain SecurityContext in HttpSession
  • etc.

Yes, you are right. Filters exist in the servlet spec for cross-cutting concerns, like "middleware" in other web stacks. All filters are called before the request is handled by the Servlet. They can choose to short-circuit the request or let it move down the chain. You would typically use a filter to enable gzip, authenticate, add CORS headers and the like.

Spring intercepts all requests through their filter. They basically hijack all requests through this mechanism and use their own internal routing algos and security from that point on. This is why you don't have to register your handlers as servlets in web.xml, but only in Spring.
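To make the short-circuit behaviour described in the question and the answer concrete, here is an added example that is not part of the original post or of Spring Security itself: a minimal servlet Filter that does in miniature what the springSecurityFilterChain does. It is registered in web.xml the same way as DelegatingFilterProxy, runs before the DispatcherServlet, and either passes the request down the chain or ends it with a 401 so the servlet never sees it. The class name, the "user" session attribute and the public path prefixes are assumptions for illustration; the only dependency is the Servlet 3.0 API already implied by the web.xml above.

```java
// Added example, not from the original post: a hand-written servlet Filter that
// mirrors what the Spring Security filter chain does. Requires only the
// javax.servlet API (Servlet 3.0, matching the web-app_3_0.xsd in the web.xml).
// The class name, the "user" attribute and the public paths are hypothetical.
package example.security;

import java.io.IOException;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SimpleAuthFilter implements Filter {

    // Paths reachable without being logged in (hypothetical). Entries ending in
    // "/" are prefixes; the others must match exactly.
    private static final Set<String> PUBLIC_PATHS = Set.of("/login", "/css/", "/js/");

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to initialise; Spring's DelegatingFilterProxy would use this
        // hook to look up its target filter bean in the root application context.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decide on the servlet path, not the full URL, so the context path
        // (which the deployer controls, not the application) cannot change the outcome.
        String path = request.getServletPath();
        if (isPublic(path)) {
            chain.doFilter(req, res);   // next filter, then the DispatcherServlet
            return;
        }

        // getSession(false) never creates a session: an anonymous request must
        // not leave a session object behind just for being checked.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        if (user == null) {
            // Short-circuit: the chain is not continued, so no servlet and no
            // JSP ever runs for this request. Only an error response goes back.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        chain.doFilter(req, res);       // authenticated: continue down the chain
    }

    // Exact match for plain entries, prefix match for entries ending in "/".
    static boolean isPublic(String path) {
        for (String p : PUBLIC_PATHS) {
            if (path.equals(p) || (p.endsWith("/") && path.startsWith(p))) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}

// Registration in web.xml is identical in shape to the springSecurityFilterChain
// entry from the question. Filters run in the order of their <filter-mapping>
// elements, so this block's position relative to the other mapping matters:
//
//   <filter>
//     <filter-name>simpleAuthFilter</filter-name>
//     <filter-class>example.security.SimpleAuthFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>simpleAuthFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
```

Two points worth checking against the web.xml in the question. First, DelegatingFilterProxy itself contains no security logic: on its first request it looks up a Spring bean with the same name as the `<filter-name>` (here `springSecurityFilterChain`) in the root WebApplicationContext that ContextLoaderListener built from `spring-security.xml`, and hands every call to that bean; the `<http>` element in that file is what creates the bean, and inside it the authentication, authorization, logout and SecurityContext filters listed above run in a fixed order. Second, a `<filter-mapping>` without `<dispatcher>` elements applies only to the REQUEST dispatch type, so requests that reach a resource through a server-side forward or an error page are not intercepted unless `<dispatcher>FORWARD</dispatcher>` (and `ERROR`) are added to the mapping; this is the usual reason a page that "should" be protected turns out to be reachable.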

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
