Class AuthorizationFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.access.intercept.AuthorizationFilter
- All Implemented Interfaces:
jakarta.servlet.Filter
,org.springframework.beans.factory.Aware
,org.springframework.beans.factory.BeanNameAware
,org.springframework.beans.factory.DisposableBean
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.EnvironmentAware
,org.springframework.core.env.EnvironmentCapable
,org.springframework.web.context.ServletContextAware
public class AuthorizationFilter
extends org.springframework.web.filter.GenericFilterBean
An authorization filter that restricts access to the URL using
AuthorizationManager
.- Since:
- 5.5
-
Field Summary
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
-
Constructor Summary
ConstructorDescriptionAuthorizationFilter
(AuthorizationManager<jakarta.servlet.http.HttpServletRequest> authorizationManager) Creates an instance. -
Method Summary
Modifier and TypeMethodDescriptionvoid
doFilter
(jakarta.servlet.ServletRequest servletRequest, jakarta.servlet.ServletResponse servletResponse, jakarta.servlet.FilterChain chain) AuthorizationManager<jakarta.servlet.http.HttpServletRequest>
Gets theAuthorizationManager
used by this filterboolean
void
setAuthorizationEventPublisher
(AuthorizationEventPublisher eventPublisher) Use thisAuthorizationEventPublisher
to publishAuthorizationDeniedEvent
s andAuthorizationGrantedEvent
s.void
setFilterAsyncDispatch
(boolean filterAsyncDispatch) If set to true, the filter will be applied to the async dispatcher.void
setFilterErrorDispatch
(boolean filterErrorDispatch) If set to true, the filter will be applied to error dispatcher.void
setObserveOncePerRequest
(boolean observeOncePerRequest) Sets whether this filter apply only once per request.void
setSecurityContextHolderStrategy
(SecurityContextHolderStrategy securityContextHolderStrategy) Sets theSecurityContextHolderStrategy
to use.void
setShouldFilterAllDispatcherTypes
(boolean shouldFilterAllDispatcherTypes) Deprecated, for removal: This API element is subject to removal in a future version.Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Constructor Details
-
AuthorizationFilter
public AuthorizationFilter(AuthorizationManager<jakarta.servlet.http.HttpServletRequest> authorizationManager) Creates an instance.- Parameters:
authorizationManager
- theAuthorizationManager
to use
-
-
Method Details
-
doFilter
public void doFilter(jakarta.servlet.ServletRequest servletRequest, jakarta.servlet.ServletResponse servletResponse, jakarta.servlet.FilterChain chain) throws jakarta.servlet.ServletException, IOException - Throws:
jakarta.servlet.ServletException
IOException
-
setSecurityContextHolderStrategy
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) Sets theSecurityContextHolderStrategy
to use. The default action is to use theSecurityContextHolderStrategy
stored inSecurityContextHolder
.- Since:
- 5.8
-
setAuthorizationEventPublisher
Use thisAuthorizationEventPublisher
to publishAuthorizationDeniedEvent
s andAuthorizationGrantedEvent
s.- Parameters:
eventPublisher
- theApplicationEventPublisher
to use- Since:
- 5.7
-
getAuthorizationManager
Gets theAuthorizationManager
used by this filter- Returns:
- the
AuthorizationManager
-
setShouldFilterAllDispatcherTypes
@Deprecated(since="6.1", forRemoval=true) public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) Deprecated, for removal: This API element is subject to removal in a future version.Permit access to theDispatcherType
instead.@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
Sets whether to filter all dispatcher types.- Parameters:
shouldFilterAllDispatcherTypes
- should filter all dispatcher types. Default istrue
- Since:
- 5.7
-
isObserveOncePerRequest
public boolean isObserveOncePerRequest() -
setObserveOncePerRequest
public void setObserveOncePerRequest(boolean observeOncePerRequest) Sets whether this filter apply only once per request. By default, this isfalse
, meaning the filter will execute on every request. Sometimes users may wish it to execute more than once per request, such as when JSP forwards are being used and filter security is desired on each included fragment of the HTTP request.- Parameters:
observeOncePerRequest
- whether the filter should only be applied once per request
-
setFilterErrorDispatch
public void setFilterErrorDispatch(boolean filterErrorDispatch) If set to true, the filter will be applied to error dispatcher. Defaults totrue
.- Parameters:
filterErrorDispatch
- whether the filter should be applied to error dispatcher
-
setFilterAsyncDispatch
public void setFilterAsyncDispatch(boolean filterAsyncDispatch) If set to true, the filter will be applied to the async dispatcher. Defaults totrue
.- Parameters:
filterAsyncDispatch
- whether the filter should be applied to async dispatch
-
DispatcherType
instead.