root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update docs on HandlerInterceptor 

Closes gh-32729
This commit is contained in:
rstoyanchev 2024-05-13 11:38:58 +01:00
parent a5a1ef6b30
commit d03ea0bf19
3 changed files with 32 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
framework-docs/modules/ROOT/pages/web/webmvc/mvc-config/interceptors.adoc
View File

@ -52,14 +52,10 @@ The following example shows how to achieve the same configuration in XML:
</mvc:interceptors> </mvc:interceptors>
---- ----
NOTE: Interceptors are not ideally suited as a security layer due to the potential WARNING: Interceptors are not ideally suited as a security layer due to the potential for
for a mismatch with annotated controller path matching, which can also match trailing a mismatch with annotated controller path matching. Generally, we recommend using Spring
slashes and path extensions transparently, along with other path matching options. Many Security, or alternatively a similar approach integrated with the Servlet filter chain,
of these options have been deprecated but the potential for a mismatch remains. and applied as early as possible.
Generally, we recommend using Spring Security which includes a dedicated
https://docs.spring.io/spring-security/reference/servlet/integrations/mvc.html#mvc-requestmatcher[MvcRequestMatcher]
to align with Spring MVC path matching and also has a security firewall that blocks many
unwanted characters in URL paths.
NOTE: The XML config declares interceptors as `MappedInterceptor` beans, and those are in NOTE: The XML config declares interceptors as `MappedInterceptor` beans, and those are in
turn detected by any `HandlerMapping` bean, including those from other frameworks. turn detected by any `HandlerMapping` bean, including those from other frameworks.

41
framework-docs/modules/ROOT/pages/web/webmvc/mvc-servlet/handlermapping-interceptor.adoc
View File

@ -1,34 +1,29 @@
[[mvc-handlermapping-interceptor]] [[mvc-handlermapping-interceptor]]
= Interception = Interception
All `HandlerMapping` implementations support handler interceptors that are useful when All `HandlerMapping` implementations support handler interception which is useful when
you want to apply specific functionality to certain requests -- for example, checking for you want to apply functionality across requests. A `HandlerInterceptor` can implement the
a principal. Interceptors must implement `HandlerInterceptor` from the following:
`org.springframework.web.servlet` package with three methods that should provide enough
flexibility to do all kinds of pre-processing and post-processing:
* `preHandle(..)`: Before the actual handler is run * `preHandle(..)` -- callback before the actual handler is run that returns a boolean.
* `postHandle(..)`: After the handler is run If the method returns `true`, execution continues; if it returns `false`, the rest of the
* `afterCompletion(..)`: After the complete request has finished execution chain is bypassed and the handler is not called.
* `postHandle(..)` -- callback after the handler is run.
* `afterCompletion(..)` -- callback after the complete request has finished.
The `preHandle(..)` method returns a boolean value. You can use this method to break or NOTE: For `@ResponseBody` and `ResponseEntity` controller methods, the response is written
continue the processing of the execution chain. When this method returns `true`, the and committed within the `HandlerAdapter`, before `postHandle` is called. That means it is
handler execution chain continues. When it returns false, the `DispatcherServlet` too late to change the response, such as to add an extra header. You can implement
assumes the interceptor itself has taken care of requests (and, for example, rendered an `ResponseBodyAdvice` and declare it as an
appropriate view) and does not continue executing the other interceptors and the actual xref:web/webmvc/mvc-controller/ann-advice.adoc[Controller Advice] bean or configure it
handler in the execution chain. directly on `RequestMappingHandlerAdapter`.
See xref:web/webmvc/mvc-config/interceptors.adoc[Interceptors] in the section on MVC configuration for examples of how to See xref:web/webmvc/mvc-config/interceptors.adoc[Interceptors] in the section on MVC configuration for examples of how to
configure interceptors. You can also register them directly by using setters on individual configure interceptors. You can also register them directly by using setters on individual
`HandlerMapping` implementations. `HandlerMapping` implementations.
`postHandle` method is less useful with `@ResponseBody` and `ResponseEntity` methods for WARNING: Interceptors are not ideally suited as a security layer due to the potential for
which the response is written and committed within the `HandlerAdapter` and before a mismatch with annotated controller path matching. Generally, we recommend using Spring
`postHandle`. That means it is too late to make any changes to the response, such as adding Security, or alternatively a similar approach integrated with the Servlet filter chain,
an extra header. For such scenarios, you can implement `ResponseBodyAdvice` and either and applied as early as possible.
declare it as an xref:web/webmvc/mvc-controller/ann-advice.adoc[Controller Advice] bean or configure it directly on
`RequestMappingHandlerAdapter`.

14
spring-webmvc/src/main/java/org/springframework/web/servlet/HandlerInterceptor.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -30,9 +30,9 @@ import org.springframework.web.method.HandlerMethod;
* *
* <p>A HandlerInterceptor gets called before the appropriate HandlerAdapter * <p>A HandlerInterceptor gets called before the appropriate HandlerAdapter
* triggers the execution of the handler itself. This mechanism can be used * triggers the execution of the handler itself. This mechanism can be used
* for a large field of preprocessing aspects, e.g. for authorization checks, * for a large field of preprocessing aspects, or common handler behavior
* or common handler behavior like locale or theme changes. Its main purpose * like locale or theme changes. Its main purpose is to allow for factoring
* is to allow for factoring out repetitive handler code. * out repetitive handler code.
* *
* <p>In an asynchronous processing scenario, the handler may be executed in a * <p>In an asynchronous processing scenario, the handler may be executed in a
* separate thread while the main thread exits without rendering or invoking the * separate thread while the main thread exits without rendering or invoking the
@ -63,6 +63,12 @@ import org.springframework.web.method.HandlerMethod;
* forms and GZIP compression. This typically shows when one needs to map the * forms and GZIP compression. This typically shows when one needs to map the
* filter to certain content types (e.g. images), or to all requests. * filter to certain content types (e.g. images), or to all requests.
* *
* <p><strong>Note:</strong> Interceptors are not ideally suited as a security
* layer due to the potential for a mismatch with annotated controller path matching.
* Generally, we recommend using Spring Security, or alternatively a similar
* approach integrated with the Servlet filter chain, and applied as early as
* possible.
*
* @author Juergen Hoeller * @author Juergen Hoeller
* @since 20.06.2003 * @since 20.06.2003
* @see HandlerExecutionChain#getInterceptors * @see HandlerExecutionChain#getInterceptors