|
1 | 1 | [[mvc-handlermapping-interceptor]] |
2 | 2 | = Interception |
3 | 3 |
|
4 | | -All `HandlerMapping` implementations support handler interceptors that are useful when |
5 | | -you want to apply specific functionality to certain requests -- for example, checking for |
6 | | -a principal. Interceptors must implement `HandlerInterceptor` from the |
7 | | -`org.springframework.web.servlet` package with three methods that should provide enough |
8 | | -flexibility to do all kinds of pre-processing and post-processing: |
9 | | - |
10 | | -* `preHandle(..)`: Before the actual handler is run |
11 | | -* `postHandle(..)`: After the handler is run |
12 | | -* `afterCompletion(..)`: After the complete request has finished |
13 | | - |
14 | | -The `preHandle(..)` method returns a boolean value. You can use this method to break or |
15 | | -continue the processing of the execution chain. When this method returns `true`, the |
16 | | -handler execution chain continues. When it returns false, the `DispatcherServlet` |
17 | | -assumes the interceptor itself has taken care of requests (and, for example, rendered an |
18 | | -appropriate view) and does not continue executing the other interceptors and the actual |
19 | | -handler in the execution chain. |
| 4 | +All `HandlerMapping` implementations support handler interception which is useful when |
| 5 | +you want to apply functionality across requests. A `HandlerInterceptor` can implement the |
| 6 | +following: |
| 7 | + |
| 8 | +* `preHandle(..)` -- callback before the actual handler is run that returns a boolean. |
| 9 | +If the method returns `true`, execution continues; if it returns `false`, the rest of the |
| 10 | +execution chain is bypassed and the handler is not called. |
| 11 | +* `postHandle(..)` -- callback after the handler is run. |
| 12 | +* `afterCompletion(..)` -- callback after the complete request has finished. |
| 13 | + |
| 14 | +NOTE: For `@ResponseBody` and `ResponseEntity` controller methods, the response is written |
| 15 | +and committed within the `HandlerAdapter`, before `postHandle` is called. That means it is |
| 16 | +too late to change the response, such as to add an extra header. You can implement |
| 17 | +`ResponseBodyAdvice` and declare it as an |
| 18 | +xref:web/webmvc/mvc-controller/ann-advice.adoc[Controller Advice] bean or configure it |
| 19 | +directly on `RequestMappingHandlerAdapter`. |
20 | 20 |
|
21 | 21 | See xref:web/webmvc/mvc-config/interceptors.adoc[Interceptors] in the section on MVC configuration for examples of how to |
22 | 22 | configure interceptors. You can also register them directly by using setters on individual |
23 | 23 | `HandlerMapping` implementations. |
24 | 24 |
|
25 | | -`postHandle` method is less useful with `@ResponseBody` and `ResponseEntity` methods for |
26 | | -which the response is written and committed within the `HandlerAdapter` and before |
27 | | -`postHandle`. That means it is too late to make any changes to the response, such as adding |
28 | | -an extra header. For such scenarios, you can implement `ResponseBodyAdvice` and either |
29 | | -declare it as an xref:web/webmvc/mvc-controller/ann-advice.adoc[Controller Advice] bean or configure it directly on |
30 | | -`RequestMappingHandlerAdapter`. |
31 | | - |
32 | | - |
33 | | - |
| 25 | +WARNING: Interceptors are not ideally suited as a security layer due to the potential for |
| 26 | +a mismatch with annotated controller path matching. Generally, we recommend using Spring |
| 27 | +Security, or alternatively a similar approach integrated with the Servlet filter chain, |
| 28 | +and applied as early as possible. |
34 | 29 |
|
0 commit comments