如何在Spring Security 6中正确设置自定义的UsernamePasswordAuthenticationFilter的SecurityContextRepository?
如何在Spring Security 6中正确设置自定义的UsernamePasswordAuthenticationFilter的SecurityContextRepository?
从Spring Security 6.0开始,需要显式保存SecurityContextRepository:
这意味着,如果使用自定义的UsernamePasswordAuthenticationFilter,必须提供SecurityContextRepository以便持久化SecurityContext,如下所示:
@Component
public class InternalUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
@PostConstruct
private void setup() {
super.setSecurityContextRepository(
new DelegatingSecurityContextRepository(
new RequestAttributeSecurityContextRepository(),
new HttpSessionSecurityContextRepository()));
}
//...
}
似乎只需要在AuthenticationFilter中指定SecurityContextRepository一次即可,尽管示例中的@Max在此处https://stackoverflow.com/a/75002996/13609359中也在SecurityFilterChain中设置了repository。
我已经测试了这两种变体,无论在FilterChain中是否指定SecurityContextRepository似乎都没有关系。是否为AuthenticationFilter和FilterChain使用一个bean或为每个创建新的repository似乎也没有关系,如下所示:
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true)
public class WebSecurityConfig {
@Bean
public SecurityFilterChain mvcFilterChain(HttpSecurity http) throws Exception {
return http
.authorizeHttpRequests(authorize -> authorize
.shouldFilterAllDispatcherTypes(true)
.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
.requestMatchers("/", "/login/**").permitAll()
.anyRequest().authenticated())
.addFilterAt(internalUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
.securityContext(securityContext -> securityContext
.securityContextRepository(
new DelegatingSecurityContextRepository(
new RequestAttributeSecurityContextRepository(),
new HttpSessionSecurityContextRepository()
)))
//...
}
}
这似乎表明只使用AuthenticationFilter的repository,而忽略了FilterChain的repository。
因此,我认为在AuthenticationFilter中创建SecurityContextRepository就足够了。
所以我的问题是:
- 我理解得对吗?
- 还是我应该定义一个bean?
- 在SecurityFilterChain中设置这个bean是否有任何原因?
非常感谢任何帮助和澄清。