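Spring Security custom pre-authentication filter with Digest authentication

Time: 2014-08-14 20:44:46

Tags: filter spring-security pre-authentication

I have an application that uses Digest authentication. I want to customize the authentication process by checking for a custom HTTP header in addition to the Digest method. If the header is present in the request, authentication should proceed as before; if not, the user should be rejected. I tried to do this by defining a custom pre-authentication filter, but somehow it does not work together with the Digest filter.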

<security:http entry-point-ref="digestEntryPoint">
    <security:custom-filter ref="customPreauthFilter" position="PRE_AUTH_FILTER"/>
    <security:custom-filter ref="digestFilter" before="BASIC_AUTH_FILTER"/>
    <security:anonymous enabled="false"/>
</security:http>


<bean id="customPreauthFilter" class="com.myapp.messaging.security.SoundianRequestHeaderAuthenticationFilter">
    <property name="authenticationManager" ref="appControlAuthenticationManager" />
</bean>

<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper"  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="customUserDetailsService"/>
        </bean>
    </property>
</bean>

<security:authentication-manager alias="appControlAuthenticationManager">
    <security:authentication-provider ref="preauthAuthProvider" />
    <security:authentication-provider ref="daoAuthenticationProvider"/>
</security:authentication-manager>

<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="customUserDetailsService"/>
</bean>

<!-- Digest authentication -->
<bean id="digestFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
    <security:authentication-provider ref="preauthAuthProvider" />
    <!-- <security:authentication-provider ref="daoAuthenticationProvider"/>-->
</bean>

<bean id="digestEntryPoint" class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
    <property name="realmName" value="myvalue"/>
    <property name="key" value="acegi"/>
    <property name="nonceValiditySeconds" value="10"/>
</bean>

The pre-authentication filter succeeds, but I still get a 401 result.

If I uncomment

<!-- <security:authentication-provider ref="daoAuthenticationProvider"/>-->

then the pre-authentication filter is ignored.

0 answers:

No answers
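
One way to implement the check the question describes (header required, Digest still performs the authentication), as an added example that is not part of the original post. The class name `RequiredHeaderFilter`, the package `com.example`, the bean id and the header name `X-App-Token` are hypothetical, and the code assumes the `javax.servlet` API.

```java
package com.example;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example: rejects any request that lacks a required header, then
 * hands the request on so the Digest filter still authenticates the user.
 * It never creates an Authentication itself, unlike a pre-authentication
 * filter, which treats the header as proof of identity.
 *
 * Wiring (bean id is hypothetical), in the slot the page's configuration
 * gives to customPreauthFilter, so it runs ahead of digestFilter:
 *   <bean id="requiredHeaderFilter" class="com.example.RequiredHeaderFilter"/>
 *   <security:custom-filter ref="requiredHeaderFilter" position="PRE_AUTH_FILTER"/>
 */
public class RequiredHeaderFilter extends OncePerRequestFilter {

    // Hypothetical header name; the page does not say which header is used.
    private String headerName = "X-App-Token";

    public void setHeaderName(String headerName) {
        this.headerName = headerName;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String value = request.getHeader(headerName);
        if (value == null || value.trim().isEmpty()) {
            // Fail closed before any credential processing. 403 rather than
            // 401, so the client is not sent a Digest challenge it cannot
            // satisfy by retrying with credentials.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Required header missing");
            return;
        }
        // Presence only, as the question describes. The header is a gate,
        // not a credential: Digest remains the sole authentication step.
        chain.doFilter(request, response);
    }
}
```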