(#filters)1.2. Filters 1.2. 过滤器
预计阅读时间: 8 分钟The spring-web module provides some useful filters:
The spring-web module provides some useful filters: 该 spring-web 模块提供了一些有用的过滤器:
(#filters-http-put)1.2.1. Form Data 1.2.1. 表单数据
Browsers can submit form data only through HTTP GET or HTTP POST but non-browser clients can also use HTTP PUT, PATCH,
and DELETE. The Servlet API requires ServletRequest.getParameter*() methods to support form field access only for HTTP
POST.
浏览器只能通过 HTTP GET 或 HTTP POST 提交表单数据,但非浏览器客户端也可以使用 HTTP PUT、PATCH 和 DELETE。Servlet API 要求
ServletRequest.getParameter*() 方法仅支持 HTTP POST 的表单字段访问。
The spring-web module provides FormContentFilter to intercept HTTP PUT, PATCH, and DELETE requests with a content
type of application/x-www-form-urlencoded, read the form data from the body of the request, and wrap the
ServletRequest to make the form data available through the ServletRequest.getParameter*() family of methods.
spring-web 模块提供 FormContentFilter 来拦截具有内容类型为 application/x-www-form-urlencoded 的 HTTP PUT、PATCH 和
DELETE 请求,从请求体中读取表单数据,并将 ServletRequest 包装以通过 ServletRequest.getParameter*() 方法族使表单数据可用。
As a request goes through proxies (such as load balancers) the host, port, and scheme may change, and that makes it a
challenge to create links that point to the correct host, port, and scheme from a client perspective.
随着请求通过代理(如负载均衡器),主机、端口和方案可能会改变,这给从客户端角度创建指向正确主机、端口和方案的链接带来了挑战。
RFC 7239 defines the Forwarded HTTP header that proxies can use to provide
information about the original request. There are other non-standard headers, too, including X-Forwarded-Host,
X-Forwarded-Port, X-Forwarded-Proto, X-Forwarded-Ssl, and X-Forwarded-Prefix.
RFC 7239 定义了代理可以使用的 Forwarded HTTP 头部,以提供有关原始请求的信息。还有其他非标准头部,包括
X-Forwarded-Host , X-Forwarded-Port , X-Forwarded-Proto , X-Forwarded-Ssl ,和 X-Forwarded-Prefix 。
ForwardedHeaderFilter is a Servlet filter that modifies the request in order to a) change the host, port, and scheme
based on Forwarded headers, and b) to remove those headers to eliminate further impact. The filter relies on wrapping
the request, and therefore it must be ordered ahead of other filters, such as RequestContextFilter, that should work
with the modified and not the original request.
ForwardedHeaderFilter 是一个 Servlet 过滤器,用于修改请求,以便 a) 根据基于 Forwarded 的头信息更改主机、端口和方案,以及
b) 删除这些头信息以消除进一步的影响。该过滤器依赖于包装请求,因此它必须在其他过滤器之前排序,例如 RequestContextFilter
,这些过滤器应该与修改后的请求而不是原始请求一起工作。
There are security considerations for forwarded headers since an application cannot know if the headers were added by a
proxy, as intended, or by a malicious client. This is why a proxy at the boundary of trust should be configured to
remove untrusted Forwarded headers that come from the outside. You can also configure the ForwardedHeaderFilter with
removeOnly=true, in which case it removes but does not use the headers.
存在对转发头部的安全考虑,因为应用程序无法知道这些头部是由代理按预期添加,还是由恶意客户端添加。这就是为什么在信任边界的代理应该配置为删除来自外部的未信任的
Forwarded 头部。您还可以使用 removeOnly=true 配置 ForwardedHeaderFilter ,在这种情况下,它会删除但不使用这些头部。
In order to support asynchronous requests and error dispatches this filter should be mapped with
DispatcherType.ASYNC and also DispatcherType.ERROR. If using Spring Framework’s
AbstractAnnotationConfigDispatcherServletInitializer (see Servlet Config) all filters are
automatically registered for all dispatch types. However if registering the filter via web.xml or in Spring Boot via a
FilterRegistrationBean be sure to include DispatcherType.ASYNC and DispatcherType.ERROR in addition to
DispatcherType.REQUEST.
为了支持异步请求和错误分发,此过滤器应映射为 DispatcherType.ASYNC 和 DispatcherType.ERROR 。如果使用 Spring 框架的
AbstractAnnotationConfigDispatcherServletInitializer (参见 Servlet 配置),则所有过滤器都会自动注册到所有分发类型。但是,如果通过
web.xml 或 Spring Boot 中的 FilterRegistrationBean 注册过滤器,请确保除了 DispatcherType.REQUEST 之外,还包括
DispatcherType.ASYNC 和 DispatcherType.ERROR 。
(#filters-shallow-etag)1.2.3. Shallow ETag 1.2.3. 浅层 ETag
The ShallowEtagHeaderFilter filter creates a “shallow” ETag by caching the content written to the response and
computing an MD5 hash from it. The next time a client sends, it does the same, but it also compares the computed value
against the If-None-Match request header and, if the two are equal, returns a 304 (NOT_MODIFIED).
ShallowEtagHeaderFilter 过滤器通过缓存写入响应的内容并从中计算 MD5 哈希值来创建一个“浅层”ETag。下次客户端发送请求时,它也会这样做,但它还会将计算出的值与
If-None-Match 请求头进行比较,如果两者相等,则返回 304(未修改)。
This strategy saves network bandwidth but not CPU, as the full response must be computed for each request. Other
strategies at the controller level, described earlier, can avoid the computation. See HTTP Caching.
这种策略节省了网络带宽但不会节省 CPU,因为每个请求都必须计算完整的响应。之前描述的控制器级别的其他策略可以避免计算。参见
HTTP 缓存。
This filter has a writeWeakETag parameter that configures the filter to write weak ETags similar to the following:
W/"02a2d595e6ed9a0b24f027f2b63b134d6" (as defined
in RFC 7232 Section 2.3).
此过滤器有一个 writeWeakETag 参数,用于配置过滤器写入类似于以下弱 ETags: W/"02a2d595e6ed9a0b24f027f2b63b134d6" (如
RFC 7232 第 2.3 节定义)。
In order to support asynchronous requests this filter must be mapped with DispatcherType.ASYNC so
that the filter can delay and successfully generate an ETag to the end of the last async dispatch. If using Spring
Framework’s AbstractAnnotationConfigDispatcherServletInitializer (see Servlet Config) all
filters are automatically registered for all dispatch types. However if registering the filter via web.xml or in
Spring Boot via a FilterRegistrationBean be sure to include DispatcherType.ASYNC.
为了支持异步请求,此过滤器必须使用 DispatcherType.ASYNC 进行映射,以便过滤器可以延迟并成功生成一个 ETag 到最后的异步分发结束。如果使用
Spring 框架的 AbstractAnnotationConfigDispatcherServletInitializer (参见 Servlet 配置),则所有过滤器都会自动注册到所有分发类型。然而,如果通过
web.xml 或 Spring Boot 中的 FilterRegistrationBean 注册过滤器,请务必包含 DispatcherType.ASYNC 。
(#filters-cors)1.2.4. CORS 1.2.4. CORS 跨源资源共享
Spring MVC provides fine-grained support for CORS configuration through annotations on controllers. However, when used
with Spring Security, we advise relying on the built-in CorsFilter that must be ordered ahead of Spring Security’s
chain of filters.
Spring MVC 通过控制器上的注解提供了对 CORS 配置的细粒度支持。然而,当与 Spring Security 一起使用时,我们建议依赖内置的
CorsFilter ,必须在 Spring Security 的过滤器链之前进行排序。
See the sections on CORS and the CORS Filter for more details.
查看 CORS 和 CORS 过滤器的相关部分以获取更多详细信息。