Spring安全配置错误:bean具有相同的顺序'值

时间:2014-03-28 10:19:45

标签: java spring spring-mvc spring-security

我有一个Web应用程序,我正在实现Spring spring-security.xml

的Spring安全性 
<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- ENABLE HTTP SECURITY -->
    <http auto-config="false" access-denied-page="/accessDenied.html">

        <!-- INTERCEPT URL FOR RESOURCES ACCESS -->
        <intercept-url pattern="/admin/" access="hasRole('ADMIN_ROLE')" />
        <intercept-url pattern="/users/" access="hasRole('USER_ROLE')" />
        <intercept-url pattern="/**" access="permitAll" />

        <!-- CUSTOME FILTER -->
        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="FORM_LOGIN_FILTER" ref="AuthFilter" />

        <!-- SESSION MANAGEMENT CONFIG -->
        <session-management
            session-authentication-strategy-ref="session-management" />

        <!-- FORM LOGIN CONFIG -->
        <form-login login-page="/loginForm"
            authentication-failure-url="/error.html" default-target-url="/welcome.html" />
        <logout logout-success-url="/loggedout.html"
            invalidate-session="true" />
    </http>
    <!-- SERVICES  -->
    <beans:bean id="customEncoder" class="com.rep.security.CustomPasswordEncoder"></beans:bean>
    <beans:bean id="customUserService" class="com.rep.security.CustomUserDetailService"></beans:bean>

    <!-- AUTHENICATION MANAGER CONFIG -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customUserService">
            <password-encoder ref="customEncoder"></password-encoder>
        </authentication-provider>
    </authentication-manager>

    <!-- CONCURRENCY FILEER CONFIG -->
    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/timeout.html" />
    </beans:bean>

    <beans:bean id="AuthFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy"
            ref="session-management" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <beans:bean id="session-management"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry"
            ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans:beans>

在jboss上运行应用程序时,我遇到了这个错误

15:40:02,470 ERROR [org.springframework.web.context.ContextLoader] (ServerService Thread Pool -- 59) Context initialization failed: org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Filter beans '<AuthFilter>' and 'Root bean: class [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and avoiding the use of <http auto-config='true'>.

任何人都可以告诉我我正在关注[{3}}

的[Spring Doc ioc]问题配置是什么

2 个答案:

答案 0 :(得分:9)

您应该阅读4.3.6. Adding in Your Own FiltersTable 1. Standard Filter Aliases and Ordering

  

如果您之前使用过Spring Security,那么您就会知道该框架   维护一系列过滤器以应用其服务。

     

使用时,始终严格执行过滤器的顺序   命名空间。在创建应用程序上下文时,过滤器   bean按命名空间处理代码和标准排序   Spring Security过滤器每个在命名空间中都有一个别名和一个   众所周知的立场。

您的<login-form>正在使用别名为FORM_LOGIN_FILTER的过滤器。此外,您还要添加另一个具有相同位置(position="FORM_LOGIN_FILTER" ref="AuthFilter")的过滤器。所以你收到错误信息

  

过滤器bean <AuthFilter>Root bean: class [UsernamePasswordAuthenticationFilter]具有相同的order

所以我认为如果你想要两者,你需要改变位置:

<custom-filter after="FORM_LOGIN_FILTER" ref="AuthFilter" />


<custom-filter before="FORM_LOGIN_FILTER" ref="AuthFilter" />

答案 1 :(得分:1)

从春季安全文档,B1.5节。 The Security Namespace

  

&LT;表单登录&GT; element - 用于添加   UsernamePasswordAuthenticationFilter到过滤器堆栈。

基本上&lt; form-login&gt; element将添加UsernamePasswordAuthenticationFilter,我认为它与您在“AuthFilter”bean中定义的过滤器冲突。

相关问题
最新问题