public class FilterChainProxy
extends java.lang.Object
implements javax.servlet.Filter, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationContextAware
Filter
requests to a list of Spring-managed beans.
As of version 2.0, you shouldn't need to explicitly configure a FilterChainProxy bean in your application
context unless you need very fine control over the filter chain contents. Most cases should be adequately covered
by the default <security:http /> namespace configuration options.
The FilterChainProxy
is loaded via a standard Spring DelegatingFilterProxy
declaration in
web.xml
. FilterChainProxy
will then pass init(FilterConfig)
, destroy()
and doFilter(ServletRequest, ServletResponse, FilterChain)
invocations through to each Filter
defined against FilterChainProxy
.
As of version 2.0, FilterChainProxy is configured using an ordered Map of path patterns to Lists
of Filter objects. In previous
versions, a FilterInvocationDefinitionSource
was used. This is now deprecated in favour of namespace-based
configuration which provides a more robust and simplfied syntax. The Map instance will normally be
created while parsing the namespace configuration, so doesn't have to be set explicitly.
Instead the <filter-chain-map> element should be used within the FilterChainProxy bean declaration.
This in turn should have a list of child <filter-chain> elements which each define a URI pattern and the list
of filters (as comma-separated bean names) which should be applied to requests which match the pattern.
An example configuration might look like this:
<bean id="myfilterChainProxy" class="org.springframework.security.util.FilterChainProxy"> <security:filter-chain-map pathType="ant"> <security:filter-chain pattern="/do/not/filter" filters="none"/> <security:filter-chain pattern="/**" filters="filter1,filter2,filter3"/> </security:filter-chain-map> </bean>The names "filter1", "filter2", "filter3" should be the bean names of Filter instances defined in the application context. The order of the names defines the order in which the filters will be applied. As shown above, use of the value "none" for the "filters" can be used to exclude Please consult the security namespace schema file for a full list of available configuration options.
Each possible URI pattern that FilterChainProxy
should service must be entered.
The first matching URI pattern for a given request will be used to define all of the
Filter
s that apply to that request. NB: This means you must put most specific URI patterns at the top
of the list, and ensure all Filter
s that should apply for a given URI pattern are entered against the
respective entry. The FilterChainProxy
will not iterate the remainder of the URI patterns to locate
additional Filter
s.
FilterChainProxy
respects normal handling of Filter
s that elect not to call Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
javax.servlet.FilterChain)
, in that the remainder of the original or FilterChainProxy
-declared filter
chain will not be called.
Note the Filter
lifecycle mismatch between the servlet container and IoC
container. As described in the DelegatingFilterProxy
JavaDocs, we recommend you allow the IoC
container to manage the lifecycle instead of the servlet container. By default the DelegatingFilterProxy
will never call this class' init(FilterConfig)
and destroy()
methods, which in turns means that
the corresponding methods on the filter beans managed by this class will never be called. If you do need your filters to be
initialized and destroyed, please set the targetFilterLifecycle initialization parameter against the
DelegatingFilterProxy
to specify that servlet container lifecycle management should be used. You don't
need to worry about this in most cases.
Modifier and Type | Field and Description |
---|---|
static java.lang.String |
TOKEN_NONE |
Constructor and Description |
---|
FilterChainProxy() |
Modifier and Type | Method and Description |
---|---|
void |
afterPropertiesSet() |
void |
destroy() |
void |
doFilter(javax.servlet.ServletRequest servletRequest,
javax.servlet.ServletResponse response,
javax.servlet.FilterChain chain) |
java.util.Map |
getFilterChainMap()
Returns a copy of the underlying filter chain map.
|
java.util.List |
getFilters(java.lang.String url)
Returns the first filter chain matching the supplied URL.
|
UrlMatcher |
getMatcher() |
void |
init(javax.servlet.FilterConfig filterConfig) |
protected javax.servlet.Filter[] |
obtainAllDefinedFilters()
Obtains all of the unique
Filter instances registered in the map of
filter chains. |
void |
setApplicationContext(org.springframework.context.ApplicationContext applicationContext) |
void |
setFilterChainMap(java.util.Map filterChainMap)
Sets the mapping of URL patterns to filter chains.
|
void |
setFilterInvocationDefinitionSource(FilterInvocationDefinitionSource fids)
Deprecated.
Use namespace configuration or call setFilterChainMap instead.
|
void |
setFirewall(HttpFirewall firewall) |
void |
setMatcher(UrlMatcher matcher) |
void |
setStripQueryStringFromUrls(boolean stripQueryStringFromUrls)
If set to 'true', the query string will be stripped from the request URL before
attempting to find a matching filter chain.
|
java.lang.String |
toString() |
public static final java.lang.String TOKEN_NONE
public void afterPropertiesSet() throws java.lang.Exception
afterPropertiesSet
in interface org.springframework.beans.factory.InitializingBean
java.lang.Exception
public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
init
in interface javax.servlet.Filter
javax.servlet.ServletException
public void destroy()
destroy
in interface javax.servlet.Filter
public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException
doFilter
in interface javax.servlet.Filter
java.io.IOException
javax.servlet.ServletException
public java.util.List getFilters(java.lang.String url)
url
- the request URLprotected javax.servlet.Filter[] obtainAllDefinedFilters()
Filter
instances registered in the map of
filter chains.
This is useful in ensuring a Filter
is not initialized or destroyed twice.
Filter
instances in the application context which have an entry
in the map (only one entry is included in the array for
each Filter
that actually exists in application context, even if a given
Filter
is defined multiples times in the filter chain map)public void setApplicationContext(org.springframework.context.ApplicationContext applicationContext) throws org.springframework.beans.BeansException
setApplicationContext
in interface org.springframework.context.ApplicationContextAware
org.springframework.beans.BeansException
public void setFilterInvocationDefinitionSource(FilterInvocationDefinitionSource fids)
public void setFilterChainMap(java.util.Map filterChainMap)
filterChainMap
- the map of path Strings to Filter[]s.public java.util.Map getFilterChainMap()
public void setMatcher(UrlMatcher matcher)
public UrlMatcher getMatcher()
public void setFirewall(HttpFirewall firewall)
public void setStripQueryStringFromUrls(boolean stripQueryStringFromUrls)
public java.lang.String toString()
toString
in class java.lang.Object