我正在尝试从Spring 3.x迁移到Spring 4.x,但Spring Security XML文件无法正确加载。
我认为需要更改XML配置,但我无法通过INTERNET找到相同的内容。与Spring 3.x一起使用的XML配置不适用于4.0.1.RELEASE。
这是我的XML配置
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-4.0.xsd">
<!-- This is where we configure Spring-Security -->
<security:http auto-config="false" use-expressions="true"
entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" >
<!-- Below URL's will be intercepted by spring security -->
<security:intercept-url pattern="/access/login" access="permitAll"/>
<security:intercept-url pattern="/analytics/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')"/>
<security:intercept-url pattern="/access/auth/**" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/access/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<security:intercept-url pattern="/auth/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<!-- Logout Configuration -->
<security:logout invalidate-session="true" logout-success-url="/access/login" logout-url="/access/logout" />
<!-- Authentication -->
<security:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter" />
<!-- Concurrent Session -->
<!-- <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" /> -->
<security:session-management session-authentication-strategy-ref="sas"/> <!-- invalid-session-url="/access/session-expired" -->
</security:http>
<!-- Permission Evaluator Configuration -->
<security:global-method-security pre-post-annotations="enabled">
<security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>
<!-- Custom Permission Evaluator -->
<bean id="permissionEvaluator" class="com.space.um.security.CustomPermissionEvaluator"/>
<!-- Custom filter for username and password. The real customization is done in the customAthenticationManager -->
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:sessionAuthenticationStrategy-ref="sas"
p:authenticationManager-ref="authenticationManager"
p:authenticationFailureHandler-ref="authenticationFailureHandler"
p:authenticationSuccessHandler-ref="authenticationSuccessHandler" />
<!-- Custom authentication manager. In order to authenticate, username and password must not be the same -->
<bean id="authenticationManager" class="com.space.um.security.CustomAuthenticationManager" />
<!-- We just actually need to set the default failure url here -->
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/access/login?error=true" />
<!-- We just actually need to set the default target url here -->
<bean id="authenticationSuccessHandler" class="com.space.um.security.AuthenticationSuccessHandler"
p:defaultTargetUrl="/access/welcome" />
<!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page,
whenever the server sends back a response requiring authentication -->
<!-- See Spring-Security Reference 5.4.1 for more info -->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/access/login"/>
<!-- Custom Concurrency Manager -->
<!-- <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"
p:sessionRegistry-ref="sessionRegistry"/> --> <!-- p:expiredUrl="/access/session-expired" -->
<!-- Custom Concurrency Control Strategy -->
<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy" p:maximumSessions="1">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
<!-- Session Registry Implementation in use -->
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
<property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</bean>
<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/access/access-denied"/>
</bean>
<!-- AccessDecisionManager -->
<!-- <bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy" p:maximumSessions="1">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean> -->
<!-- The tag below has no use but Spring Security needs it to autowire the parent property of
org.springframework.security.authentication.ProviderManager. Otherwise we get an error
A probable bug. This is still under investigation-->
<security:authentication-manager/>
</beans>
这是例外......
May 16, 2015 9:52:06 AM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#0' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot create inner bean '(inner bean)#6bd58dff' of type [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter] while setting constructor argument with key [7]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#6bd58dff': Cannot resolve reference to bean 'authenticationEntryPoint' while setting bean property 'authenticationEntryPoint'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationEntryPoint' defined in ServletContext resource [/WEB-INF/space-security.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint]: No default constructor found; nested exception is java.lang.NoSuchMethodException: org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.<init>()
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:382)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:157)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1477)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1222)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:537)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:476)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:303)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:736)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:757)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:480)
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:403)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:106)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4939)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5434)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot create inner bean '(inner bean)#6bd58dff' of type [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter] while setting constructor argument with key [7]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#6bd58dff': Cannot resolve reference to bean 'authenticationEntryPoint' while setting bean property 'authenticationEntryPoint'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationEntryPoint' defined in ServletContext resource [/WEB-INF/space-security.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint]: No default constructor found; nested exception is java.lang.NoSuchMethodException: org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.<init>()
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:129)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:382)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:157)
at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:634)
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:140)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1139)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1042)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:504)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:476)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:303)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
... 26 more
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#6bd58dff': Cannot resolve reference to bean 'authenticationEntryPoint' while setting bean property 'authenticationEntryPoint'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationEntryPoint' defined in ServletContext resource [/WEB-INF/space-security.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint]: No default constructor found; nested exception is java.lang.NoSuchMethodException: org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.<init>()
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1477)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1222)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:537)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:476)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:299)
... 40 more
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationEntryPoint' defined in ServletContext resource [/WEB-INF/space-security.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint]: No default constructor found; nested exception is java.lang.NoSuchMethodException: org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.<init>()
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1101)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1046)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:504)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:476)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:303)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
... 46 more
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint]: No default constructor found; nested exception is java.lang.NoSuchMethodException: org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.<init>()
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:85)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1094)
... 54 more
Caused by: java.lang.NoSuchMethodException: org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.<init>()
at java.lang.Class.getConstructor0(Class.java:2892)
at java.lang.Class.getDeclaredConstructor(Class.java:2058)
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:80)
... 55 more
答案 0 :(得分:13)
根据Migrating from Spring Security 3.x to 4.x (XML Configuration)
Chapter 4.7.5. LoginUrlAuthenticationEntryPoint
LoginUrlAuthenticationEntryPoint默认构造函数和 删除了setLoginFormUrl方法,转而使用构造函数注入。
<b:bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<b:property name="loginFormUrl" value="/login"/>
</b:bean>
应替换为:
<b:bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<b:constructor-arg value="/login"/>
</b:bean>
注意:Spring Security 4有很多变化 - 我强烈建议您阅读完整的Migration Guid!