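Spring Security authentication manager: unresolvable circular reference

Time: 2015-06-25 13:43:03

Tags: java xml spring security spring-security

I am using Spring Security 3.2.5. I have 2 authentication providers, and I have a circular reference problem that I cannot resolve. The first file, security.xml: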

<security:http use-expressions="true" auto-config="false"
    entry-point-ref="loginUrlAuthenticationEntryPoint">
    <security:intercept-url pattern="/**" access="permitAll"
        method="OPTIONS" />
        <security:intercept-url pattern="/user/login"
        access="permitAll" />
    <security:intercept-url pattern="/**"
    access="isAuthenticated()" />

<security:custom-filter position="FORM_LOGIN_FILTER"
    ref="twoFactorAuthenticationFilter" />


<security:logout logout-url="/user/logout"
    logout-success-url="/demo/user/logoutSuccess" />

<security:session-management
    session-authentication-strategy-ref="sas" />

</security:http>

<bean id="sas"
    class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
    <property name="migrateSessionAttributes" value="false" />
</bean>

<bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

<bean id="loginUrlAuthenticationEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/demo/user/login" />
</bean>

<bean id="twoFactorAuthenticationFilter" class="com.xxx.filter.TwoFactorAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureHandler" ref="failureHandler" />
    <property name="authenticationSuccessHandler" ref="userAuthenticationSuccessHandler" />
    <property name="postOnly" value="true" />
</bean>


<bean id="failureHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/login?login_error=true" />

</bean>

<bean id="bCryptPasswordEncoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider
        ref="authenticationProvider">
    </security:authentication-provider>
    <security:authentication-provider
        ref="restAuthenticationProvider">
    </security:authentication-provider>
</security:authentication-manager>

In rest-security-context.xml:

<security:http create-session="stateless"
        entry-point-ref="digestEntryPoint" pattern="/provider/**"
        use-expressions="true">
        <security:intercept-url pattern="/provider/**"
            access="isAuthenticated()" />


        <security:http-basic />
        <security:custom-filter ref="digestFilter"
            after="BASIC_AUTH_FILTER" />
    </security:http>

    <bean id="digestFilter"
        class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
        <property name="userDetailsService" ref="customerDetailsServiceImpl" />
        <property name="authenticationEntryPoint" ref="digestEntryPoint" />
    </bean>

    <bean id="digestEntryPoint"
        class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
        <property name="realmName" value="Contacts Realm via Digest Authentication" />
        <property name="key" value="acegi" />
    </bean>

In application.xml the order is:

<import resource="/rest-security-context.xml" />
<import resource="/security.xml" />

I get this error:

 org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'org.springframework.security.authenticationManager': Requested bean is currently in creation: Is there an unresolvable circular reference?

If I change the order in the application context, I get this error:

A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored.

1 answer:

Answer 0 (score: 0)

Change the order of the files; now I see the problem behind the second error:

You have:

<!-- The URL below says all URLs must be permitted for everyone -->
<security:intercept-url pattern="/**" access="permitAll"
    method="OPTIONS" />
<security:intercept-url pattern="/user/login"
    access="permitAll" />
<!-- The line below says all URLs must be authenticated. How is that possible without reaching the authentication page? Remove the line below. -->
<security:intercept-url pattern="/**"
    access="isAuthenticated()" />

So it should look like this:

<!-- I wouldn't recommend the URL below, permitting /** for all; not good. -->
<security:intercept-url pattern="/**" access="permitAll"
    method="OPTIONS" />
<security:intercept-url pattern="/user/login"
    access="permitAll" />

This is my guess. Try it out. Let me know whether it works, or I'll delete my answer.
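
The second error message in the question is about the order of the `<security:http>` elements across the imported files: an element with no `pattern` attribute matches every request, so any chain declared after it is never consulted. The following check is an added example, not code from the question or the answer; the two XML strings are constructed, trimmed-down copies of the files shown above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

HTTP = "{http://www.springframework.org/schema/security}http"
UNIVERSAL = "/**"
BEANS = ('<beans xmlns="http://www.springframework.org/schema/beans" '
         'xmlns:security="http://www.springframework.org/schema/security">%s</beans>')

# Constructed, trimmed-down copies of the two files in the question
# (only the <security:http> elements and one intercept-url each are kept).
SECURITY_XML = BEANS % """
  <security:http use-expressions="true" auto-config="false"
      entry-point-ref="loginUrlAuthenticationEntryPoint">
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
  </security:http>"""
REST_XML = BEANS % """
  <security:http create-session="stateless" entry-point-ref="digestEntryPoint"
      pattern="/provider/**" use-expressions="true">
    <security:intercept-url pattern="/provider/**" access="isAuthenticated()" />
  </security:http>"""


def chains_in_order(files):
    """Return (file, request pattern) for every <security:http>, in import order."""
    chains = []
    for name, text in files:
        for http in ET.fromstring(text).iter(HTTP):
            ref = http.get("request-matcher-ref")
            # No pattern and no custom matcher: the chain matches every request.
            pattern = "ref:" + ref if ref else http.get("pattern", UNIVERSAL)
            chains.append((name, pattern))
    return chains


def shadowed_chains(files):
    """List chains that can never be selected because a universal one precedes them."""
    findings, universal_file = [], None
    for name, pattern in chains_in_order(files):
        if universal_file is not None:
            findings.append((universal_file, name, pattern))
        elif pattern == UNIVERSAL:
            universal_file = name
    return findings


if __name__ == "__main__":
    sec, rest = ("security.xml", SECURITY_XML), ("rest-security-context.xml", REST_XML)
    for order in ([sec, rest], [rest, sec]):
        print([n for n, _ in order], "->", shadowed_chains(order) or "ok")
```

With security.xml imported first, the `/provider/**` chain is reported as shadowed, which is the condition the "universal match pattern" message describes. The check says nothing about the circular reference error.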