随笔分类

随笔档案

2. 关于拦截器

在SpringBoot使用拦截器，流程如下：

// 1. 定义拦截器
package com.glodon.tot.interceptor;
 
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
 
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
 
/**
 * @author liuwg-a
 * @date 2018/11/26 14:55
 * @description 配置拦截器
 */
public class UrlInterceptor implements HandlerInterceptor {
 
    private static final Logger logger = LoggerFactory.getLogger(UrlInterceptor.class);
 
    private static final String GET_ALL = "getAll";
    private static final String GET_HEADER = "getHeader";
 
    /**
     * 进入Controller层之前拦截请求，默认是拦截所有请求
     * @param httpServletRequest request
     * @param httpServletResponse response
     * @param o object
     * @return 是否拦截当前请求，true表示拦截当前请求，false表示不拦截当前请求
     * @throws Exception 可能出现的异常
     */
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {
        logger.info("go into preHandle method ... ");
        String requestURI = httpServletRequest.getRequestURI();
        if (requestURI.contains(GET_ALL)) {
            return true;
        }
        if (requestURI.contains(GET_HEADER)) {
            httpServletResponse.sendRedirect("/user/redirect");
        }
        return true;
    }
 
    /**
     * 处理完请求后但还未渲染试图之前进行的操作
     * @param httpServletRequest request
     * @param httpServletResponse response
     * @param o object
     * @param modelAndView mv
     * @throws Exception E
     */
    @Override
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
        logger.info("go into postHandle ... ");
    }
 
    /**
     * 视图渲染后但还未返回到客户端时的操作
     * @param httpServletRequest request
     * @param httpServletResponse response
     * @param o object
     * @param e exception
     * @throws Exception
     */
    @Override
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
        logger.info("go into afterCompletion ... ");
    }
}
 
// 2. 注册拦截器
package com.glodon.tot.config;
 
import com.glodon.tot.interceptor.UrlInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 
/**
 * @author liuwg-a
 * @date 2018/11/26 15:30
 * @description 配置MVC
 */
@Configuration
public class MvcConfig implements WebMvcConfigurer {
 
    /**
     * 注册配置的拦截器
     * @param registry 拦截器注册器
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // 这里的拦截器是new出来的，在Spring框架中可以交给IOC进行依赖注入，直接使用@Autowired注入
        registry.addInterceptor(new UrlInterceptor());
    }
 
}

主要就是上述的两个步骤，需要注意的是preHandle()方法只有返回true，Controller中接口方法才能执行，否则不能执行，直接在preHandle()返回后false结束流程。上述在配置WebMvcConfigurer实现类中注册拦截器时除了使用registry.addInterceptor(new UrlInterceptor())注册外，还可以指定哪些URL可以应用这个拦截器，如下：

// 使用自动注入的方式注入拦截器，添加应用、或不应用该拦截器的URI（addPathPatterns/excludePathPatterns）
// addPathPatterns 用于添加拦截的规则，excludePathPatterns 用于排除拦截的规则
registry.addInterceptor(urlInterceptor).addPathPatterns(new UrlInterceptor()).excludePathPatterns("/login");

上述注册拦截器路径时（即addPathPatterns和excludePathPatterns的参数），是支持通配符的，写法如下：

通配符说明
　　* 匹配单个字符，如/user/*匹配到/user/a等，又如/user/*/ab匹配到/user/p/ab；
　　** 匹配任意多字符（包括多级路径），如/user/**匹配到user/a、/user/abs/po等；
上述也可以混合使用，如/user/po*/**、/user/{userId}/*（pathValue是可以和通配符共存的）；

注：

Spring boot 2.0 后WebMvcConfigurerAdapter已经过时，所以这里并不是继承它，而是继承WebMvcConfigurer；
这里在实操时，使用IDEA工具继承WebMvcConfigurer接口时，使用快捷键Alt+Enter已经无论如何没有提示，进入查看发现这个接口中所有的方法变成了default方法（JDK8新特性，这个修饰符修饰的方法必须要有方法体，此时接口中允许有具体的方法，在实现该接口时，用户可以选择是否重写该方法，而不是必须重写了），所以没有提示，可以手动进入接口中复制对应的方法名（不包括default修饰符）。

对于WebMvcConfigurer接口中的常用方法有如下使用示例，可以选择性重写：

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

@Configuration
public class MvcConfig implements WebMvcConfigurer {
 
    @Autowired
    private HandlerInterceptor urlInterceptor;
 
    private static List<String> myPathPatterns = new ArrayList<>();
 
    /**
     * 在初始化Servlet服务时（在Servlet构造函数执行之后、init()之前执行），@PostConstruct注解的方法被调用
     */
    @PostConstruct
    void init() {
        System.out.println("Servlet init ... ");
        // 添加匹配的规则， /** 表示匹配所有规则，任意路径
        myPathPatterns.add("/**");
    }
 
    /**
     * 在卸载Servlet服务时（在Servlet的destroy()方法之前执行），@PreDestroy注解的方法被调用
     */
    @PreDestroy
    void destroy() {
        System.out.println("Servlet destory ... ");
    }
 
    /**
     * 注册配置的拦截器
     * @param registry 拦截器注册器
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // addPathPatterns 用于添加拦截规则
        // excludePathPatterns 用户排除拦截
        registry.addInterceptor(urlInterceptor).addPathPatterns(myPathPatterns).excludePathPatterns("/user/login");
    }
 
    // 下面的方法可以选择性重写
    /**
     * 添加类型转换器和格式化器
     * @param registry
     */
    @Override
    public void addFormatters(FormatterRegistry registry) {
//        registry.addFormatterForFieldType(LocalDate.class, new USLocalDateFormatter());
    }
 
    /**
     * 跨域支持
     * @param registry
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins("*")
                .allowCredentials(true)
                .allowedMethods("GET", "POST", "DELETE", "PUT")
                .maxAge(3600 * 24);
    }
 
    /**
     * 添加静态资源映射--过滤swagger-api
     * @param registry
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        //过滤swagger
        registry.addResourceHandler("swagger-ui.html")
                .addResourceLocations("classpath:/META-INF/resources/");
 
        registry.addResourceHandler("/webjars/**")
                .addResourceLocations("classpath:/META-INF/resources/webjars/");
 
        registry.addResourceHandler("/swagger-resources/**")
                .addResourceLocations("classpath:/META-INF/resources/swagger-resources/");
 
        registry.addResourceHandler("/swagger/**")
                .addResourceLocations("classpath:/META-INF/resources/swagger*");
 
        registry.addResourceHandler("/v2/api-docs/**")
                .addResourceLocations("classpath:/META-INF/resources/v2/api-docs/");
 
    }
 
    /**
     * 配置消息转换器--这里用的是ali的FastJson
     * @param converters
     */
    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        //1. 定义一个convert转换消息的对象;
        FastJsonHttpMessageConverter fastJsonHttpMessageConverter = new FastJsonHttpMessageConverter();
        //2. 添加fastJson的配置信息，比如：是否要格式化返回的json数据;
        FastJsonConfig fastJsonConfig = new FastJsonConfig();
        fastJsonConfig.setSerializerFeatures(SerializerFeature.PrettyFormat,
                SerializerFeature.WriteMapNullValue,
                SerializerFeature.WriteNullStringAsEmpty,
                SerializerFeature.DisableCircularReferenceDetect,
                SerializerFeature.WriteNullListAsEmpty,
                SerializerFeature.WriteDateUseDateFormat);
        //3处理中文乱码问题
        List<MediaType> fastMediaTypes = new ArrayList<>();
        fastMediaTypes.add(MediaType.APPLICATION_JSON_UTF8);
        //4.在convert中添加配置信息.
        fastJsonHttpMessageConverter.setSupportedMediaTypes(fastMediaTypes);
        fastJsonHttpMessageConverter.setFastJsonConfig(fastJsonConfig);
        //5.将convert添加到converters当中.
        converters.add(fastJsonHttpMessageConverter);
    }
 
 
    /**
     * 访问页面需要先创建个Controller控制类，再写方法跳转到页面
     * 这里的配置可实现直接访问http://localhost:8080/toLogin就跳转到login.jsp页面了
     * @param registry
     */
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/toLogin").setViewName("login");
 
    }
 
    /**
     * 开启默认拦截器可用并指定一个默认拦截器DefaultServletHttpRequestHandler，比如在webroot目录下的图片：xx.png，
     * Servelt规范中web根目录（webroot）下的文件可以直接访问的，但DispatcherServlet配置了映射路径是/ ，
     * 几乎把所有的请求都拦截了，从而导致xx.png访问不到，这时注册一个DefaultServletHttpRequestHandler可以解决这个问题。
     * 其实可以理解为DispatcherServlet破坏了Servlet的一个特性（根目录下的文件可以直接访问），DefaultServletHttpRequestHandler
     * 可以帮助回归这个特性的
     * @param configurer
     */
    @Override
    public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
        configurer.enable();
        // 这里可以自己指定默认的拦截器
        configurer.enable("DefaultServletHttpRequestHandler");
    }
 
    /**
     * 在该方法中可以启用内容裁决解析器，configureContentNegotiation()方法是专门用来配置内容裁决参数的
     * @param configurer
     */
    @Override
    public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
        // 表示是否通过请求的Url的扩展名来决定media type
        configurer.favorPathExtension(true)
                // 忽略Accept请求头
                .ignoreAcceptHeader(true)
                .parameterName("mediaType")
                // 设置默认的mediaType
                .defaultContentType(MediaType.TEXT_HTML)
                // 以.html结尾的请求会被当成MediaType.TEXT_HTML
                .mediaType("html", MediaType.TEXT_HTML)
                // 以.json结尾的请求会被当成MediaType.APPLICATION_JSON
                .mediaType("json", MediaType.APPLICATION_JSON);
    }
 
}

3. 关于过滤器

过滤器是依赖于Servlet的，不依赖于Spring，下面使在SpringBoot中使用过滤器的基本流程：

package com.glodon.tot.filter;
 
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
 
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
 
/**
 * @author liuwg-a
 * @date 2018/11/28 9:13
 * @description 检验缓存中是否有用户信息
 */
@Order(2)
@WebFilter(urlPatterns = {"/user/*"}, filterName = "loginFilter")
public class SessionFilter implements Filter {
 
    private static final Logger logger = LoggerFactory.getLogger(SessionFilter.class);
 
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.info("come into SessionFilter init...");
    }
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        logger.info("come into SessionFilter and do processes...");
 
        // 实际业务处理，这里就是下面图中的before doFilter逻辑
        HttpServletRequest HRrequest = (HttpServletRequest) request;
        Cookie[] cookies = HRrequest.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (cookie.getName().equals("loginUser")) {
                    logger.info("find loginUser: " + cookie.getValue());
                    break;
                }
            }
        }
 
        // 当前过滤器处理完了交给下一个过滤器处理
        chain.doFilter(request, response);
 
        logger.info("SessionFilter's process has completed!");
    }
 
    @Override
    public void destroy() {
        logger.info("come into SessionFilter destroy...");
    }
}

上述的配置中，头部的有两个注解：

@Order注解：用于标注优先级，数值越小优先级越大；
@WebFilter注解：用于标注过滤器，urlPatterns指定过滤的URI（多个URI之间用逗号分隔），filterName指定名字；
注：使用@WebFilter注解，必须在Springboot启动类上加@ServletComponentScan注解，否则该注解不生效，过滤器无效！

【问题】

实操时，发现@Order(2)注解未生效，即过滤器的执行顺序没有被指定，而是按照默认过滤器类名的排列的顺序执行（即TestFilter.java在AbcFilter.java之后执行），然后发现，如果使用Spring组件注解标注过滤器，比如@Component（@Service等注解也是一样的，此时Springboot启动类上无须加@ServletComponentScan注解过滤器即可被扫描），@Order(2)注解生效，多个过滤器按指定顺序执行，但此时又出现一个问题，过滤器上@WebFilter注解设置的过滤URI和名字无效（即urlPatterns和filterName无效，其实此时整个@WebFilter注解都是无效的），在随后排查时，发现控制台有如下日志：

发现先初始化了sessionFilter，然后又初始化了一个loginFilter，但上述两个Filter实际就是上面定义的同一个Filter，即同一个Filter初始化了2次，按结果来看使用@Component注解初始化（过滤URI为/*）的内容覆盖了@WebFilter注解初始化（过滤URI为/school/*）的内容，所以导致@WebFilter注解不生效。

【解决方案】

最后发现是对@Order注解认识存在误区，这个注解是用于控制Spring组件被加载的顺序，但并不能决定过滤器的执行顺序，应该使用一个配置类来管理各个过滤器的执行顺序和过滤URI、名字等属性（此时，过滤器上不需要加任何注解，springboot启动类上也无需加@ServletComponentScan注解）：

package com.glodon.tot.config;
 
import com.glodon.tot.filter.SessionFilter;
import com.glodon.tot.filter.TestFilter2;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
 
import javax.servlet.Filter;
import java.util.Arrays;
import java.util.List;
 
/**
 * @author liuwg-a
 * @date 2018/11/28 17:59
 * @description 配置过滤器
 */
@Configuration
public class FilterConfig {
 
// 这种方式过滤器上不需要加任何注解
   @Bean
   public Filter sessionFilter() {
       System.out.println("create sessionFilter...");
       return new SessionFilter();
   }
 
   @Bean
   public Filter testFilter() {
       System.out.println("create testFilter2...");
       return new TestFilter2();
   }
 
    // 下面这种方式需要在过滤器上加@Component这类注解，然后完成自动注入
    // @Autowired
    // private Filter sessionFilter;
 
    // @Autowired
    // private Filter testFilter;
 
// 有多少个过滤器要配置就写多少，没特殊要求也可以不写
    @Bean
    public FilterRegistrationBean loginFilterRegistration() {
        String[] arr = {"/user/go", "/user/login"};
        List patternList = Arrays.asList(arr);
 
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
       filterRegistrationBean.setFilter(sessionFilter());
        // filterRegistrationBean.setFilter(sessionFilter);
        filterRegistrationBean.setUrlPatterns(patternList);
        filterRegistrationBean.setOrder(2);
        return filterRegistrationBean;
    }
 
    @Bean
    public FilterRegistrationBean testFilterRegistration() {
//        String[] arr = {"/school/all"};
        String[] arr = {"/user/go", "/user/login"};
        List patternList = Arrays.asList(arr);
 
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
       filterRegistrationBean.setFilter(testFilter());
        // filterRegistrationBean.setFilter(testFilter);
        filterRegistrationBean.setUrlPatterns(patternList);
        filterRegistrationBean.setOrder(1);
        return filterRegistrationBean;
    }
}

综合来看拦截器和过滤器，如果过滤器和拦截器有且仅各一个的情况下，运行的流程如下：

登录流程可以使用过滤器过滤器所有的URI，在里面检测当前用户是否已经登录，从而判定有无权限访问。

3. 1 关于过滤器链

这一块主要是将上述定义的过滤器封装成一个自定义链，暴露的问题还比较多，下面是自定义链的过程：

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

// 过滤器1
@Component("sessionFilter")
public class SessionFilter implements Filter {
 
    private static final Logger logger = LoggerFactory.getLogger(SessionFilter.class);
 
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.info("come into SessionFilter init...");
    }
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        logger.info("come into SessionFilter and do processes...");
 
        // 实际业务处理...
 
        chain.doFilter(request, response);
        logger.info("SessionFilter's process has completed!");
    }
 
    @Override
    public void destroy() {
        logger.info("come into SessionFilter destroy...");
    }
}
 
// 过滤器2
@Component("testFilter")
public class TestFilter2 implements Filter {
 
    private static final Logger logger = LoggerFactory.getLogger(TestFilter2.class);
 
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.info("come into TestFilter2's init...");
    }
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        logger.info("come into TestFilter2 and do processes...");
 
        // 实际业务处理...
 
        chain.doFilter(request, response);
        logger.info("TestFilter2's process has completed!");
    }
 
    @Override
    public void destroy() {
        logger.info("come into TestFilter2's destroy...");
    }
}
 
// 封装过滤器List
@Configuration
public class FilterChainBean {
 
    @Autowired
    private Filter sessionFilter;
    @Autowired
    private Filter testFilter;
 
    @Bean(name = "allMyFilter")
    public List<Filter> registerFilter() {
        List<Filter> allMyFilter = new ArrayList<>();
        allMyFilter.add(sessionFilter);
        allMyFilter.add(testFilter);
        return allMyFilter;
    }
}
 
// 装链
@Service("myFilterChain")
@Order(1)
public class MyChain implements Filter {
 
    @Autowired
    private List<Filter> allMyFilter;
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (allMyFilter == null || allMyFilter.size() == 0) {
            chain.doFilter(request, response);
            return;
        }
        VirtualFilterChain virtualFilterChain = new VirtualFilterChain(chain, allMyFilter);
        virtualFilterChain.doFilter(request, response);
    }
 
    // 封装过滤器链，参照CompositeFilter中的VirtualFilterChain类代码编写
    private class VirtualFilterChain implements FilterChain {
        private final FilterChain originalChain;
        private final List<Filter> additionalFilters;
        private final int n;
        private int pos = 0;
 
        private VirtualFilterChain(FilterChain chain, List<Filter> additionalFilters) {
            this.originalChain = chain;
            this.additionalFilters = additionalFilters;
            this.n = additionalFilters.size();
        }
 
        @Override
        public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
            if (pos >= n) {
                originalChain.doFilter(request, response);
            } else {
                Filter nextFilter = additionalFilters.get(pos++);
                nextFilter.doFilter(request, response, this);
            }
        }
    }
 
}

　　链上没有指定过滤器的URI，默认是拦截所有URI，测试上述链的工作流程，发现结果如下：

可以发现两个过滤器执行了2次，重复执行并不是想要的，开始着手追踪原因，在追踪到MyChain中的doFilter()方法时，发现上述自定义链中的内容如下：

猜测问题就是出现在这里，结合debug查看，过滤器链是沿着ApplicationFilterChain不断调用的，内部涉及到链操作的执行函数doFilter()的源码如下：

100

101

102

103

104

105

106

107

108

109

110

@Override
public void doFilter(ServletRequest request, ServletResponse response)
    throws IOException, ServletException {
 
    if( Globals.IS_SECURITY_ENABLED ) {
        final ServletRequest req = request;
        final ServletResponse res = response;
        try {
            java.security.AccessController.doPrivileged(
                new java.security.PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run()
                        throws ServletException, IOException {
                        internalDoFilter(req,res);
                        return null;
                    }
                }
            );
        } catch( PrivilegedActionException pe) {
            Exception e = pe.getException();
            if (e instanceof ServletException)
                throw (ServletException) e;
            else if (e instanceof IOException)
                throw (IOException) e;
            else if (e instanceof RuntimeException)
                throw (RuntimeException) e;
            else
                throw new ServletException(e.getMessage(), e);
        }
    } else {
        internalDoFilter(request,response);
    }
}
 
private void internalDoFilter(ServletRequest request,
                              ServletResponse response)
    throws IOException, ServletException {
 
    // 调用链中下一个过滤器（如果存在的话），可以在这里打断点查看
    if (pos < n) {
        ApplicationFilterConfig filterConfig = filters[pos++];
        try {
            Filter filter = filterConfig.getFilter();
 
            if (request.isAsyncSupported() && "false".equalsIgnoreCase(
                    filterConfig.getFilterDef().getAsyncSupported())) {
                request.setAttribute(Globals.ASYNC_SUPPORTED_ATTR, Boolean.FALSE);
            }
            if( Globals.IS_SECURITY_ENABLED ) {
                final ServletRequest req = request;
                final ServletResponse res = response;
                Principal principal =
                    ((HttpServletRequest) req).getUserPrincipal();
 
                Object[] args = new Object[]{req, res, this};
                SecurityUtil.doAsPrivilege ("doFilter", filter, classType, args, principal);
            } else {
                filter.doFilter(request, response, this);
            }
        } catch (IOException | ServletException | RuntimeException e) {
            throw e;
        } catch (Throwable e) {
            e = ExceptionUtils.unwrapInvocationTargetException(e);
            ExceptionUtils.handleThrowable(e);
            throw new ServletException(sm.getString("filterChain.filter"), e);
        }
        return;
    }
 
    // We fell off the end of the chain -- call the servlet instance
    try {
        if (ApplicationDispatcher.WRAP_SAME_OBJECT) {
            lastServicedRequest.set(request);
            lastServicedResponse.set(response);
        }
 
        if (request.isAsyncSupported() && !servletSupportsAsync) {
            request.setAttribute(Globals.ASYNC_SUPPORTED_ATTR,
                    Boolean.FALSE);
        }
        // Use potentially wrapped request from this point
        if ((request instanceof HttpServletRequest) &&
                (response instanceof HttpServletResponse) &&
                Globals.IS_SECURITY_ENABLED ) {
            final ServletRequest req = request;
            final ServletResponse res = response;
            Principal principal =
                ((HttpServletRequest) req).getUserPrincipal();
            Object[] args = new Object[]{req, res};
            SecurityUtil.doAsPrivilege("service",
                                       servlet,
                                       classTypeUsedInService,
                                       args,
                                       principal);
        } else {
            servlet.service(request, response);
        }
    } catch (IOException | ServletException | RuntimeException e) {
        throw e;
    } catch (Throwable e) {
        e = ExceptionUtils.unwrapInvocationTargetException(e);
        ExceptionUtils.handleThrowable(e);
        throw new ServletException(sm.getString("filterChain.servlet"), e);
    } finally {
        if (ApplicationDispatcher.WRAP_SAME_OBJECT) {
            lastServicedRequest.set(null);
            lastServicedResponse.set(null);
        }
    }
}

　　上述Demo中没有使用Spring security内容，所以关注点主要集中在internalDoFilter()函数上，说的简单点就是不断调用数组中的过滤器，通过debug查看链的执行流程如下：

其中右侧的过滤器是MyChain自定义链，其他的characterEncodingFilter、hiddenHttpMethodFilter、formContentFilter、requestContextFilter过滤器是Spring框架内部帮我们自动实现的几个过滤器，不管Spring帮我们定义多少个过滤器，因为过滤器是Servlet规范中的，所以这些过滤器最终还有要汇总到Servelet容器中，对于上述情况具体来说，就是要汇总到ApplicationFilterChain（包位置：org.apache.catalina.core，嗯，更明白了），而Servlet把外部定义的过滤器（包括Spring框架定义的一些必要的过滤器）全部放到我们手动定义的过滤器链中，所以执行了2次，而且不仅仅是我们上面手写的SessionFilter和TestFilter2，还有Spring提供的过滤器实际都执行了2次。

解决方案：原因找了，理论上可以想到两种方案：一种是不要让Spring帮我们自定过滤器了，所有的过滤器都由自己实现管理，最后交给Servlet的过滤器链；第二种就是我们所有的过滤器都交给Spring管理，不直接和Filter发生联系，而是通过Spring间接和Filter联系，包括最后链的交接也由Spring和Filter去搞。

方案1

过滤器由自己管理，不通过IOC自动注入，手动new：

// 过滤器1，不加Spring注解
public class SessionFilter implements Filter {
    // 内容不变，省去...
}
 
// 过滤器2
public class TestFilter2 implements Filter {
    // 内容不变，省去...
}
 
// 封装过滤器List
@Configuration
public class FilterChainBean {
 
    @Bean(name = "allMyFilter")
    public List<Filter> registerFilter() {
        List<Filter> allMyFilter = new ArrayList<>();
        // 通过 new 的方式加入
        allMyFilter.add(new SessionFilter());
        allMyFilter.add(new TestFilter2());
        return allMyFilter;
    }
}
 
// 装链
@Service("myFilterChain")
@Order(1)
public class MyChain implements Filter {
    // 内容不变...
}

　　捉摸着这样不就把ApplicationFilterChain主链中的重复的sessionFilter和testFilter2去除了吗，只有自定义的链MyChain中有这两个过滤器，实际发现，并没有那么简单，debug和结果如下：

我去，发现我自己写的2个过滤器没有起作用，然后找了一下，最后的发现：

主链中确实没有sessionFilter和testFilter2了，但期望发现List中的additionalFilters也没有这两个过滤器，搞得有点懵，为什么通过new的方式没有将上述两个过滤器放进List中，答案未知。。。

方案1：设置标志位

结合account的代码和网络资料以及OncePerRequestFilter源码发现，可以通过在过滤器中设置标志位来解决问题（GenericFilterBean是Spring框架对Filter的实现），代码如下：

// 过滤器1
@Component("sessionFilter")
public class SessionFilter extends GenericFilterBean {
 
    private static final Logger logger = LoggerFactory.getLogger(SessionFilter.class);
    /**
     * 标识位，存入request中
     */
    private static final String FILTER_APPLIED = SessionFilter.class.getName() + ".FILTERED";
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (request.getAttribute(FILTER_APPLIED) != null) {
            // 如果已经执行过了就啥也不干，直接执行下一个过滤器，执行完直接返回
            System.out.println("SessionFilter:非第一次执行，啥也不干。。。");
            chain.doFilter(request, response);
            System.out.println("SessionFilter: 非第一次执行，下一个Filter执行完毕，即将结束扫尾工作。。。");
            return;
        } else {
            // 设置已执行的标识位，放入request中
            request.setAttribute(FILTER_APPLIED, true);
            // 实际业务处理...
            System.out.println("SessionFilter：第一次开始执行，可以在这里进行业务处理");
            Cookie[] cookies = ((HttpServletRequest) request).getCookies();
            if (cookies != null) {
                for (Cookie cookie : cookies) {
                    if (cookie.getName().equals("loginUser")) {
                        logger.info("find loginUser: " + cookie.getValue());
                        break;
                    }
                }
            }
            chain.doFilter(request, response);
            System.out.println("SessionFilter: 第一次执行成功");
 
        }
 
    }
 
    @Override
    public void destroy() {
        logger.info("come into SessionFilter destroy...");
    }
}
 
 
// 过滤器2
@Component("testFilter")
public class TestFilter2 extends GenericFilterBean {
 
    private static final Logger logger = LoggerFactory.getLogger(TestFilter2.class);
    /**
     * 标识符
     */
    private static final String FILTER_APPLIED = TestFilter2.class.getName() + ".FILTERED";
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
 
        if (request.getAttribute(FILTER_APPLIED) != null) {
            // 如果已经执行过了就啥也不干，直接执行下一个过滤器，执行完直接返回
            System.out.println("TestFilter2:非第一次执行，我啥也不干。。。");
            chain.doFilter(request, response);
            System.out.println("TestFilter2:非第一次执行，下一个Filter执行完毕，即将结束扫尾工作。。。");
            return;
        } else {
            // 设置已执行的标识位，放入request中
            request.setAttribute(FILTER_APPLIED, true);
            // 实际业务处理...
            System.out.println("TestFilter2：第一次开始执行，可以在这里进行逻辑业务处理");
            chain.doFilter(request, response);
            System.out.println("TestFilter2:初次执行成功");
        }
 
    }
 
    @Override
    public void destroy() {
        logger.info("come into TestFilter2's destroy...");
    }
}

方案2：交给CompositeFilter管理

在方案1中，无意间发现CompositeFilter这个类，源码如下：

public class CompositeFilter implements Filter {
 
    private List<? extends Filter> filters = new ArrayList<>();
 
 
    public void setFilters(List<? extends Filter> filters) {
        this.filters = new ArrayList<>(filters);
    }
 
    @Override
    public void init(FilterConfig config) throws ServletException {
        for (Filter filter : this.filters) {
            filter.init(config);
        }
    }
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
 
        new VirtualFilterChain(chain, this.filters).doFilter(request, response);
    }
 
    @Override
    public void destroy() {
        for (int i = this.filters.size(); i-- > 0;) {
            Filter filter = this.filters.get(i);
            filter.destroy();
        }
    }
 
    private static class VirtualFilterChain implements FilterChain {
 
        private final FilterChain originalChain;
 
        private final List<? extends Filter> additionalFilters;
 
        private int currentPosition = 0;
 
        public VirtualFilterChain(FilterChain chain, List<? extends Filter> additionalFilters) {
            this.originalChain = chain;
            this.additionalFilters = additionalFilters;
        }
 
        @Override
        public void doFilter(final ServletRequest request, final ServletResponse response)
                throws IOException, ServletException {
 
            if (this.currentPosition == this.additionalFilters.size()) {
                this.originalChain.doFilter(request, response);
            }
            else {
                this.currentPosition++;
                Filter nextFilter = this.additionalFilters.get(this.currentPosition - 1);
                nextFilter.doFilter(request, response, this);
            }
        }
    }
 
}

　　发现猜测它可以帮我们管理手写的过滤器，唯一要做的就是将过滤器通过setFilters()方法塞进去就好了，会自动封装一个虚拟链（之前自定义的封装连代码可以直接丢弃），详细代码如下：

// 过滤器1
public class SessionFilter extends GenericFilterBean {
 
    private static final Logger logger = LoggerFactory.getLogger(SessionFilter.class);
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // 实际业务处理...
        System.out.println("SessionFilter：开始执行，可以在这里进行业务处理");
        Cookie[] cookies = ((HttpServletRequest) request).getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (cookie.getName().equals("loginUser")) {
                    logger.info("find loginUser: " + cookie.getValue());
                    break;
                }
            }
        }
        chain.doFilter(request, response);
        System.out.println("SessionFilter: 执行成功");
    }
 
    @Override
    public void destroy() {
        logger.info("come into SessionFilter destroy...");
    }
}
 
 
// 过滤器2
public class TestFilter2 extends GenericFilterBean {
 
    private static final Logger logger = LoggerFactory.getLogger(TestFilter2.class);
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // 实际业务处理...
        System.out.println("TestFilter2：开始执行，可以在这里进行逻辑业务处理");
        chain.doFilter(request, response);
        System.out.println("TestFilter2:执行成功");
    }
 
    @Override
    public void destroy() {
        logger.info("come into TestFilter2's destroy...");
    }
}
 
 
// 配置符合过滤器（无需手写虚拟链，全部塞进CompositeFilter即可自动封装，无需再写MyChain）
@Configuration
public class FilterChainBean {
    @Bean("myChain")
    public CompositeFilter addFilterInChain() {
        List<Filter> allMyFilter = new ArrayList<>();
        allMyFilter.add(new SessionFilter());
        allMyFilter.add(new TestFilter2());
        CompositeFilter compositeFilter = new CompositeFilter();
        compositeFilter.setFilters(allMyFilter);
        return compositeFilter;
    }
}