Merge pull request #817 from TsukasaHwan/dev

feat: 调整安全过滤器顺序

knife4j/knife4j-core/src/main/java/com/github/xiaoymin/knife4j/extend/filter/basic/AbstractSecurityFilter.java

@@ -32,7 +32,12 @@
  */
 @Data
 public abstract class AbstractSecurityFilter extends BasicFilter {
-
+
+    /**
+     * Spring过滤器顺序
+     */
+    public static final int SPRING_FILTER_ORDER = Integer.MAX_VALUE;
+
     /***
      * 是否开启basic验证,默认不开启
      */

knife4j/knife4j-openapi3-jakarta-spring-boot-starter/src/main/java/com/github/xiaoymin/knife4j/spring/configuration/Knife4jAutoConfiguration.java

@@ -18,17 +18,21 @@
 package com.github.xiaoymin.knife4j.spring.configuration;
 
 import com.github.xiaoymin.knife4j.core.conf.GlobalConstants;
+import com.github.xiaoymin.knife4j.extend.filter.basic.AbstractSecurityFilter;
 import com.github.xiaoymin.knife4j.extend.filter.basic.JakartaServletSecurityBasicAuthFilter;
 import com.github.xiaoymin.knife4j.spring.extension.Knife4jJakartaOperationCustomizer;
 import com.github.xiaoymin.knife4j.spring.extension.Knife4jOpenApiCustomizer;
 import com.github.xiaoymin.knife4j.spring.filter.JakartaProductionSecurityFilter;
 import com.github.xiaoymin.knife4j.spring.util.EnvironmentUtils;
+import jakarta.servlet.DispatcherType;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springdoc.core.properties.SpringDocConfigProperties;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
@@ -48,10 +52,10 @@
 @EnableConfigurationProperties({Knife4jProperties.class, Knife4jSetting.class, Knife4jHttpBasic.class})
 @ConditionalOnProperty(name = "knife4j.enable", havingValue = "true")
 public class Knife4jAutoConfiguration {
-    
+
     private final Knife4jProperties properties;
     private final Environment environment;
-    
+
     /**
      * 增强自定义配置
      * @return
@@ -62,7 +66,7 @@ public Knife4jOpenApiCustomizer knife4jOpenApiCustomizer(SpringDocConfigProperti
         log.debug("Register Knife4jOpenApiCustomizer");
         return new Knife4jOpenApiCustomizer(this.properties, docProperties);
     }
-    
+
     @Bean
     @ConditionalOnMissingBean
     public Knife4jJakartaOperationCustomizer knife4jJakartaOperationCustomizer() {
@@ -90,16 +94,16 @@ public CorsFilter corsFilter() {
         CorsFilter corsFilter = new CorsFilter(source);
         return corsFilter;
     }
-    
+
     /**
      * Security with Basic Http
      * @param knife4jProperties Basic Properties
      * @return BasicAuthFilter
      */
     @Bean
     @ConditionalOnMissingBean(JakartaServletSecurityBasicAuthFilter.class)
-    @ConditionalOnProperty(name = "knife4j.basic.enable", havingValue = "true")
-    public JakartaServletSecurityBasicAuthFilter securityBasicAuthFilter(Knife4jProperties knife4jProperties) {
+    @ConditionalOnExpression("${knife4j.production:false} && ${knife4j.basic.enable:true}")
+    public FilterRegistrationBean<JakartaServletSecurityBasicAuthFilter> securityBasicAuthFilter(Knife4jProperties knife4jProperties) {
         JakartaServletSecurityBasicAuthFilter authFilter = new JakartaServletSecurityBasicAuthFilter();
         if (knife4jProperties == null) {
             authFilter.setEnableBasicAuth(EnvironmentUtils.resolveBool(environment, "knife4j.basic.enable", Boolean.FALSE));
@@ -118,13 +122,17 @@ public JakartaServletSecurityBasicAuthFilter securityBasicAuthFilter(Knife4jProp
                 authFilter.addRule(knife4jProperties.getBasic().getInclude());
             }
         }
-        return authFilter;
+        FilterRegistrationBean<JakartaServletSecurityBasicAuthFilter> registration = new FilterRegistrationBean<>();
+        registration.setDispatcherTypes(DispatcherType.REQUEST);
+        registration.setFilter(authFilter);
+        registration.setOrder(AbstractSecurityFilter.SPRING_FILTER_ORDER);
+        return registration;
     }
-    
+
     @Bean
     @ConditionalOnMissingBean(JakartaProductionSecurityFilter.class)
     @ConditionalOnProperty(name = "knife4j.production", havingValue = "true")
-    public JakartaProductionSecurityFilter productionSecurityFilter(Environment environment) {
+    public FilterRegistrationBean<JakartaProductionSecurityFilter> productionSecurityFilter(Environment environment) {
         boolean prod = false;
         JakartaProductionSecurityFilter p = null;
         if (properties == null) {
@@ -139,8 +147,11 @@ public JakartaProductionSecurityFilter productionSecurityFilter(Environment envi
         } else {
             p = new JakartaProductionSecurityFilter(properties.isProduction());
         }
-
-        return p;
+        FilterRegistrationBean<JakartaProductionSecurityFilter> registration = new FilterRegistrationBean<>();
+        registration.setDispatcherTypes(DispatcherType.REQUEST);
+        registration.setFilter(p);
+        registration.setOrder(AbstractSecurityFilter.SPRING_FILTER_ORDER - 1);
+        return registration;
     }
-    
+
 }

knife4j/knife4j-openapi3-spring-boot-starter/src/main/java/com/github/xiaoymin/knife4j/spring/configuration/Knife4jAutoConfiguration.java

@@ -18,6 +18,7 @@
 package com.github.xiaoymin.knife4j.spring.configuration;
 
 import com.github.xiaoymin.knife4j.core.conf.GlobalConstants;
+import com.github.xiaoymin.knife4j.extend.filter.basic.AbstractSecurityFilter;
 import com.github.xiaoymin.knife4j.extend.filter.basic.ServletSecurityBasicAuthFilter;
 import com.github.xiaoymin.knife4j.spring.extension.Knife4jOpenApiCustomizer;
 import com.github.xiaoymin.knife4j.spring.extension.Knife4jOperationCustomizer;
@@ -27,16 +28,20 @@
 import org.slf4j.LoggerFactory;
 import org.springdoc.core.SpringDocConfigProperties;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
 
+import javax.servlet.DispatcherType;
+
 /***
  * Knife4j 基础自动配置类
  * @since  2.0.0
@@ -101,8 +106,8 @@ public CorsFilter corsFilter() {
      */
     @Bean
     @ConditionalOnMissingBean(ServletSecurityBasicAuthFilter.class)
-    @ConditionalOnProperty(name = "knife4j.basic.enable", havingValue = "true")
-    public ServletSecurityBasicAuthFilter securityBasicAuthFilter(Knife4jProperties knife4jProperties) {
+    @ConditionalOnExpression("${knife4j.production:false} && ${knife4j.basic.enable:true}")
+    public FilterRegistrationBean<ServletSecurityBasicAuthFilter> securityBasicAuthFilter(Knife4jProperties knife4jProperties) {
         ServletSecurityBasicAuthFilter authFilter = new ServletSecurityBasicAuthFilter();
         if (knife4jProperties == null) {
             authFilter.setEnableBasicAuth(EnvironmentUtils.resolveBool(environment, "knife4j.basic.enable", Boolean.FALSE));
@@ -121,13 +126,17 @@ public ServletSecurityBasicAuthFilter securityBasicAuthFilter(Knife4jProperties
                 authFilter.addRule(knife4jProperties.getBasic().getInclude());
             }
         }
-        return authFilter;
+        FilterRegistrationBean<ServletSecurityBasicAuthFilter> registration = new FilterRegistrationBean<>();
+        registration.setDispatcherTypes(DispatcherType.REQUEST);
+        registration.setFilter(authFilter);
+        registration.setOrder(AbstractSecurityFilter.SPRING_FILTER_ORDER);
+        return registration;
     }
 
     @Bean
     @ConditionalOnMissingBean(ProductionSecurityFilter.class)
     @ConditionalOnProperty(name = "knife4j.production", havingValue = "true")
-    public ProductionSecurityFilter productionSecurityFilter(Knife4jProperties knife4jProperties) {
+    public FilterRegistrationBean<ProductionSecurityFilter> productionSecurityFilter(Knife4jProperties knife4jProperties) {
         boolean prod = false;
         ProductionSecurityFilter p = null;
         if (knife4jProperties == null) {
@@ -142,8 +151,11 @@ public ProductionSecurityFilter productionSecurityFilter(Knife4jProperties knife
         } else {
             p = new ProductionSecurityFilter(knife4jProperties.isProduction());
         }
-
-        return p;
+        FilterRegistrationBean<ProductionSecurityFilter> registration = new FilterRegistrationBean<>();
+        registration.setDispatcherTypes(DispatcherType.REQUEST);
+        registration.setFilter(p);
+        registration.setOrder(AbstractSecurityFilter.SPRING_FILTER_ORDER - 1);
+        return registration;
     }
 
 }