WebFilter 和 RewriteConfiguration 冲突

Posted 2023-02-26

【中文标题】WebFilter 和 RewriteConfiguration 冲突

【英文标题】：WebFilter and RewriteConfiguration conflict

【发布时间】：2015-12-10 04:28:28

【问题描述】：

所以我有这个 RewriteConfiguration：

@RewriteConfiguration
public class ApplicationConfigurationProvider extends HttpConfigurationProvider 

    /**
     * Set the forwarding rules
     * @param context
     * @return The forwarding rules
     */
    @Override
    public Configuration getConfiguration(ServletContext context) 
        return ConfigurationBuilder.begin()
                .addRule()
                .when(Path.matches("/secure/path.xhtml?"))
                .perform(Log.message(Level.INFO, "Server requested path: /secure/path"))
                .addRule(Join.path("/login").to("/public/login.xhtml"))
                .perform(Log.message(Level.INFO, "Forwarded: login"))
                .addRule()
                .when(Path.matches("/path").andNot(Path.matches("/login")))
                .perform(Log.message(Level.INFO, "Forwarded': path"))
                .addRule()
                .when(Path.matches("/path"))
                .perform(Forward.to("/secure/path.xhtml"))
                ;
    

    /**
     *
     * @return
     */
    @Override
    public int priority() 
        return 0;
    

还有这个过滤器：

@WebFilter(filterName = "AuthorizationFilter", urlPatterns = "/secure/*")
public class AuthorizationFilter implements Filter 

    /**
     * Function that filters out unauthorized users and returns them to the login page
     * when they try to visit secured pages
     * @param request
     * @param response
     * @param chain
     * @throws ServletException
     * @throws IOException
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException 
        HttpServletRequest req = (HttpServletRequest) request;
        AuthorizationBean auth = (AuthorizationBean) req.getSession().getAttribute("authBean");        
        if (auth == null || !auth.isLoggedIn()) 
            // User is not logged in, so redirect to login page.
            HttpServletResponse res = (HttpServletResponse) response;
            res.sendRedirect(req.getContextPath() + "/public/login.xhtml");
         else 
            // User is logged in, so just continue request.
            chain.doFilter(request, response);
        
    

    /**
     *
     */
    @Override
    public void destroy() 
    

    /**
     *
     * @param fc
     */
    @Override
    public void init(FilterConfig fc) 
    

我面临的问题是，例如，当我访问页面“http://localhost:8080/webapp/profile”时，配置文件是安全文件，所以有一个页面“/secure/profile.xhtml”，但是由于rewriteConfiguration，只是“个人资料”也有效。但问题是 WebFiler 不捕获“配置文件”它只捕获“http://localhost:8080/webapp/secure/profile.xhtml”。

有没有办法让“安全”之外的重写页面也被过滤器捕获？这样当我访问页面“配置文件”时，它的处理方式与“/secure/profile.xhtml”相同。

【问题讨论】：

过滤器不会捕获您的webapp/profile，因为在您的过滤器中，您的网址映射是/secure/*，这意味着您的网址应该包含secure/*，后跟任何内容..

@Babel 所以我需要在过滤器中手动添加所有安全页面，添加到“/secure/*”？即使重写使用了不安全的内容。

【参考方案1】：

当重写过滤器在身份验证过滤器之前运行并且重写过滤器在内部对目标源执行RequestDispatcher#forward() 调用时，此构造确实会失败。

默认情况下，过滤器仅侦听直接请求。您需要显式添加 FORWARD 调度程序以让过滤器也侦听转发的请求。

@WebFilter(
    filterName = "authorizationFilter", 
    urlPatterns = "/secure/*",
    dispatcherTypes = DispatcherType.REQUEST, DispatcherType.FORWARD
)

或者web.xml风味：

<filter-mapping>
    <filter-name>authorizationFilter</filter-name>
    <url-pattern>/secure/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

【讨论】：

谢谢！我认为有一种简单的方法可以将转发的页面也包含到过滤器中，但找不到它。这解决了我遇到的问题。