SpringBoot中过滤器Filter怎么用

# SpringBoot中过滤器Filter怎么用 ## 一、过滤器(Filter)基础概念 ### 1.1 什么是过滤器 过滤器(Filter)是Java Web开发中的核心组件之一，它可以在请求到达Servlet之前或响应返回客户端之前对HTTP请求和响应进行预处理和后处理。过滤器就像一个"筛子"，能够对Web应用中的请求和响应进行过滤操作。 在Spring Boot中，过滤器依然扮演着重要角色，尽管Spring提供了更高级的拦截器(Interceptor)机制，但过滤器在以下场景中仍不可替代： 1. 与Servlet容器紧密相关的功能（如编码设置） 2. 需要处理静态资源的场景 3. 在Spring上下文之外进行的处理 ### 1.2 过滤器的工作原理 过滤器基于责任链模式工作，多个过滤器可以形成一个过滤链(FilterChain)。当一个请求到达时，过滤器的执行流程如下： 

客户端请求 → 过滤器1 → 过滤器2 → … → Servlet → 过滤器2 → 过滤器1 → 客户端响应

 关键特点： - 先配置的过滤器先执行(请求阶段) - 后配置的过滤器后执行(响应阶段) - 可以通过FilterChain控制是否继续执行下一个过滤器 ### 1.3 过滤器与拦截器的区别 | 特性 | 过滤器(Filter) | 拦截器(Interceptor) | |------------|------------------------|------------------------| | 作用范围 | Servlet容器级别 | Spring MVC上下文级别 | | 依赖关系 | 不依赖Spring框架 | 依赖Spring MVC框架 | | 实现方式 | 实现javax.servlet.Filter| 实现HandlerInterceptor | | 执行时机 | 更早(进入Servlet前) | 稍晚(进入Controller前) | | 使用场景 | 编码转换、跨域处理等 | 权限校验、日志记录等 | ## 二、Spring Boot中过滤器的基本使用 ### 2.1 创建基础过滤器 在Spring Boot中创建一个过滤器非常简单，只需要实现`javax.servlet.Filter`接口： ```java import javax.servlet.*; import java.io.IOException; public class BasicFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { // 初始化方法 System.out.println("BasicFilter初始化..."); } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { System.out.println("BasicFilter 前置处理"); // 执行后续过滤器或Servlet chain.doFilter(request, response); System.out.println("BasicFilter 后置处理"); } @Override public void destroy() { // 销毁方法 System.out.println("BasicFilter销毁..."); } } 

2.2 注册过滤器

在Spring Boot中有多种方式注册过滤器，以下是三种常见方式：

方式1：使用@WebFilter注解 + @ServletComponentScan

@WebFilter(urlPatterns = "/*") public class AnnotationFilter implements Filter { // 过滤器实现 } // 在启动类上添加扫描注解 @ServletComponentScan @SpringBootApplication public class Application { public static void main(String[] args) { SpringApplication.run(Application.class, args); } } 

方式2：通过FilterRegistrationBean注册

@Configuration public class FilterConfig { @Bean public FilterRegistrationBean<BasicFilter> registerBasicFilter() { FilterRegistrationBean<BasicFilter> registration = new FilterRegistrationBean<>(); registration.setFilter(new BasicFilter()); registration.addUrlPatterns("/*"); registration.setOrder(1); // 设置过滤器顺序 registration.setName("basicFilter"); return registration; } } 

方式3：使用@Component自动注册（不推荐）

@Component public class ComponentFilter implements Filter { // 过滤器实现 } 

注意：使用@Component注册的过滤器无法自定义URL模式，会默认过滤所有请求，且顺序难以控制。

2.3 过滤器执行顺序控制

当应用中有多个过滤器时，执行顺序非常重要。在Spring Boot中控制过滤器顺序的方式：

1. @WebFilter方式：通过实现javax.servlet.annotation.WebFilter的filterName属性按字母顺序执行
2. FilterRegistrationBean方式：通过setOrder()方法设置顺序值，值越小优先级越高
3. @Order注解：对@Component过滤器有效，但无法控制URL模式

最佳实践是使用FilterRegistrationBean，因为它提供了最灵活的控制：

@Configuration public class FilterConfig { @Bean public FilterRegistrationBean<FirstFilter> firstFilter() { FilterRegistrationBean<FirstFilter> bean = new FilterRegistrationBean<>(); bean.setFilter(new FirstFilter()); bean.addUrlPatterns("/*"); bean.setOrder(1); // 第一个执行 return bean; } @Bean public FilterRegistrationBean<SecondFilter> secondFilter() { FilterRegistrationBean<SecondFilter> bean = new FilterRegistrationBean<>(); bean.setFilter(new SecondFilter()); bean.addUrlPatterns("/*"); bean.setOrder(2); // 第二个执行 return bean; } } 

三、过滤器的核心应用场景

3.1 请求日志记录

public class LoggingFilter implements Filter { private static final Logger logger = LoggerFactory.getLogger(LoggingFilter.class); @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; long startTime = System.currentTimeMillis(); // 记录请求信息 logger.info("请求开始: {} {}, 参数: {}", req.getMethod(), req.getRequestURI(), getRequestParams(req)); chain.doFilter(request, response); long duration = System.currentTimeMillis() - startTime; logger.info("请求完成: 耗时{}ms", duration); } private String getRequestParams(HttpServletRequest req) { return req.getParameterMap().entrySet().stream() .map(entry -> entry.getKey() + "=" + Arrays.toString(entry.getValue())) .collect(Collectors.joining(", ")); } } 

3.2 认证与授权检查

public class AuthFilter implements Filter { private static final List<String> WHITE_LIST = Arrays.asList("/login", "/public"); @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; // 白名单检查 if (WHITE_LIST.contains(req.getRequestURI())) { chain.doFilter(request, response); return; } // 检查认证token String token = req.getHeader("Authorization"); if (!validateToken(token)) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "无效的认证信息"); return; } chain.doFilter(request, response); } private boolean validateToken(String token) { // 实际项目中应实现完整的token验证逻辑 return token != null && token.startsWith("Bearer "); } } 

3.3 跨域处理(CORS)

虽然Spring Boot提供了@CrossOrigin注解和全局CORS配置，但有时仍需要使用过滤器处理：

public class CorsFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletResponse res = (HttpServletResponse) response; res.setHeader("Access-Control-Allow-Origin", "*"); res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"); res.setHeader("Access-Control-Max-Age", "3600"); res.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type"); if ("OPTIONS".equalsIgnoreCase(((HttpServletRequest) request).getMethod())) { res.setStatus(HttpServletResponse.SC_OK); } else { chain.doFilter(request, response); } } } 

3.4 请求参数处理

统一字符编码

public class EncodingFilter implements Filter { private String encoding = "UTF-8"; @Override public void init(FilterConfig filterConfig) { String encodingParam = filterConfig.getInitParameter("encoding"); if (encodingParam != null) { encoding = encodingParam; } } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { request.setCharacterEncoding(encoding); response.setCharacterEncoding(encoding); chain.doFilter(request, response); } } 

XSS防护

public class XssFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(new XssRequestWrapper((HttpServletRequest) request), response); } private static class XssRequestWrapper extends HttpServletRequestWrapper { // 实现XSS防护逻辑 } } 

四、高级过滤器应用技巧

4.1 过滤器异常处理

public class ExceptionHandlingFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { try { chain.doFilter(request, response); } catch (BusinessException e) { handleBusinessException((HttpServletResponse) response, e); } catch (Exception e) { handleUnexpectedException((HttpServletResponse) response, e); } } private void handleBusinessException(HttpServletResponse response, BusinessException e) throws IOException { response.setStatus(HttpServletResponse.SC_BAD_REQUEST); response.getWriter().write("{\"error\":\"" + e.getMessage() + "\"}"); response.getWriter().flush(); } private void handleUnexpectedException(HttpServletResponse response, Exception e) throws IOException { response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); response.getWriter().write("{\"error\":\"系统异常\"}"); response.getWriter().flush(); } } 

4.2 性能监控过滤器

public class MetricsFilter implements Filter { private final MetricRegistry metricRegistry; public MetricsFilter(MetricRegistry metricRegistry) { this.metricRegistry = metricRegistry; } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; String metricName = "request." + req.getMethod() + "." + req.getRequestURI() .replaceAll("/", "."); Timer.Context timerContext = metricRegistry.timer(metricName).time(); try { chain.doFilter(request, response); } finally { timerContext.stop(); } } } 

4.3 请求/响应内容修改

public class ContentModificationFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { ContentCachingResponseWrapper responseWrapper = new ContentCachingResponseWrapper((HttpServletResponse) response); chain.doFilter(request, responseWrapper); byte[] content = responseWrapper.getContentAsByteArray(); if (content.length > 0) { String contentStr = new String(content, response.getCharacterEncoding()); // 修改响应内容 String modifiedContent = contentStr.replace("old", "new"); responseWrapper.resetBuffer(); responseWrapper.getWriter().write(modifiedContent); } responseWrapper.copyBodyToResponse(); } } 

4.4 与Spring Security集成

当同时使用过滤器和Spring Security时，需要注意执行顺序：

@Configuration public class SecurityFilterConfig { @Bean public FilterRegistrationBean<CustomSecurityFilter> securityFilterRegistration() { FilterRegistrationBean<CustomSecurityFilter> registration = new FilterRegistrationBean<>(); registration.setFilter(new CustomSecurityFilter()); registration.addUrlPatterns("/*"); registration.setOrder(Ordered.HIGHEST_PRECEDENCE + 1); // 在Spring Security之前执行 return registration; } } 

五、常见问题与最佳实践

5.1 常见问题排查

问题1：过滤器不生效

• 可能原因：未正确注册过滤器
• 解决方案：
  1. 检查是否添加了@ServletComponentScan（对于@WebFilter）
  2. 检查FilterRegistrationBean是否被@Configuration类加载
  3. 检查过滤器URL模式是否匹配目标请求

问题2：过滤器执行顺序不符合预期

• 可能原因：多个过滤器顺序配置冲突
• 解决方案：
  1. 统一使用FilterRegistrationBean设置order
  2. 避免混合使用不同的注册方式

问题3：性能问题

• 可能原因：过滤器链过长或单个过滤器处理耗时
• 解决方案：
  1. 优化过滤器逻辑，减少不必要的操作
  2. 考虑使用异步处理
  3. 对静态资源使用不同的过滤器链

5.2 性能优化建议

1. 减少过滤器数量：合并功能相似的过滤器
2. 使用条件过滤：对静态资源跳过某些过滤器
3. 异步处理：对于耗时操作考虑使用异步过滤器
4. 缓存策略：在过滤器中合理使用缓存

public class CacheFilter implements Filter { private CacheManager cacheManager; @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; String cacheKey = generateCacheKey(req); // 检查缓存 if (cacheManager.get(cacheKey) != null) { writeCachedResponse(response, cacheManager.get(cacheKey)); return; } // 缓存响应 ContentCachingResponseWrapper responseWrapper = new ContentCachingResponseWrapper((HttpServletResponse) response); chain.doFilter(request, responseWrapper); byte[] responseData = responseWrapper.getContentAsByteArray(); cacheManager.put(cacheKey, responseData); responseWrapper.copyBodyToResponse(); } } 

5.3 测试策略

单元测试

public class AuthFilterTest { @Test public void testWhiteListAccess() throws Exception { AuthFilter filter = new AuthFilter(); MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletResponse response = new MockHttpServletResponse(); FilterChain chain = mock(FilterChain.class); request.setRequestURI("/login"); filter.doFilter(request, response, chain); verify(chain).doFilter(request, response); } } 

集成测试

@SpringBootTest @AutoConfigureMockMvc public class FilterIntegrationTest { @Autowired private MockMvc mockMvc; @Test public void testAuthFilterWithValidToken() throws Exception { mockMvc.perform(get("/api/resource") .header("Authorization", "Bearer valid-token")) .andExpect(status().isOk()); } @Test public void testAuthFilterWithoutToken() throws Exception { mockMvc.perform(get("/api/resource")) .andExpect(status().isUnauthorized()); } } 

六、实际案例：构建API网关过滤器

6.1 需求分析

假设我们需要实现一个API网关过滤器，需要处理以下功能： 1. 请求认证 2. 限流控制 3. 请求/响应日志 4. 耗时统计

6.2 实现代码

public class ApiGatewayFilter implements Filter { private final RateLimiter rateLimiter; private final Logger logger = LoggerFactory.getLogger(getClass()); public ApiGatewayFilter(RateLimiter rateLimiter) { this.rateLimiter = rateLimiter; } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; // 1. 认证检查 if (!authenticate(req)) { sendError(res, HttpServletResponse.SC_UNAUTHORIZED, "认证失败"); return; } // 2. 限流检查 if (!rateLimiter.tryAcquire()) { sendError(res, HttpServletResponse.SC_TOO_MANY_REQUESTS, "请求过于频繁"); return; } // 3. 记录请求日志 long startTime = System.currentTimeMillis(); logRequest(req); // 4. 处理请求 ContentCachingResponseWrapper responseWrapper = new ContentCachingResponseWrapper(res); try { chain.doFilter(request, responseWrapper); } finally { // 5. 记录响应日志和耗时 long duration = System.currentTimeMillis() - startTime; logResponse(req, responseWrapper, duration); responseWrapper.copyBodyToResponse(); } } // 其他辅助方法... } 

6.3 配置与使用

@Configuration public class ApiGatewayConfig { @Bean public FilterRegistrationBean<ApiGatewayFilter> apiGatewayFilter() { FilterRegistrationBean<ApiGatewayFilter> bean = new FilterRegistrationBean<>(); bean.setFilter(new ApiGatewayFilter(new RedisRateLimiter())); bean.addUrlPatterns("/api/*"); bean.setOrder(Ordered.HIGHEST_PRECEDENCE); bean.setName("apiGatewayFilter"); return bean; } } 

七、总结与展望

7.1 关键点回顾

1. 过滤器基础：理解过滤器的生命周期和工作原理
2. 注册方式：掌握@WebFilter、FilterRegistrationBean等注册方式及适用场景
3. 执行顺序：熟练控制多个过滤器的执行顺序
4. 应用场景：灵活运用过滤器解决实际问题

7.2 发展趋势

随着技术的演进，过滤器在以下方面有新的发展： 1. 云原生适配：与Service Mesh集成