在spring security中如何自定义过滤规则

在 Spring Security 中，可以通过自定义过滤器来实现自定义的过滤规则。以下是实现自定义过滤器的步骤：

1. 创建自定义过滤器类

首先需要创建一个自定义过滤器类，该类需要继承 org.springframework.web.filter.GenericFilterBean 类，并重写 doFilter 方法。在 doFilter 方法中，可以实现自己的过滤逻辑。

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

public class CustomFilter extends GenericFilterBean {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        // 自定义过滤逻辑
        String customHeader = httpRequest.getHeader("X-Custom-Header");
        if (customHeader != null && customHeader.equals("custom-value")) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (authentication == null || !authentication.isAuthenticated()) {
                HttpServletResponse httpResponse = (HttpServletResponse) response;
                httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
                return;
            }
        }

        // 继续执行后续过滤器
        chain.doFilter(request, response);
    }
}

2. 配置自定义过滤器

接下来需要在 Spring Security 配置类中配置自定义过滤器。首先需要创建一个 HttpSecurity 对象，然后调用 authorizeRequests 方法配置过滤规则，最后调用 addFilterBefore 或 addFilterAfter 方法将自定义过滤器添加到过滤器链中的指定位置。

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .addFilterBefore(new CustomFilter(), BasicAuthenticationFilter.class); // 将自定义过滤器添加到 BasicAuthenticationFilter 之前
    }
}

在上面的示例中，我们将自定义过滤器 CustomFilter 添加到了 BasicAuthenticationFilter 之前。可以根据需要将其添加到过滤器链中的其他位置。