Spring Security filter invoked twice

Time: 2015-09-17 20:18:00

Tags: spring spring-security spring-security-oauth2

I just realized that when accessing the protected resource /me in my OAuth auth server, the OAuth2AuthenticationProcessingFilter is invoked twice:


An excerpt of my xml configuration:

<http pattern="/me/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" use-expressions="true"
    xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false" />
    <intercept-url pattern="/me/**"
        access="hasRole('ROLE_USER') and #oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.hasScope('read')" />
    <!-- Protect the resource with oauth by using the resourceServerFilter-->
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
    <expression-handler ref="oauthWebExpressionHandler" />
    <request-cache ref="requestCache" />
</http>

<http access-denied-page="/login?authorization_error=true" disable-url-rewriting="true"
    xmlns="http://www.springframework.org/schema/security" use-expressions="true">
    <intercept-url pattern="/oauth/**" access="hasRole('ROLE_USER')" />
    <!-- /secure/** is protected and for users only. Don't allow oauth2 clients to access protected UI pages.
         Put all secured web pages under /secure (e.g. /secure/profile) -->
    <intercept-url pattern="/secure/**" access="hasRole('ROLE_USER') and #oauth2.denyOAuthClient()" />
    <!-- Allow access to everything else -->
    <intercept-url pattern="/**" access="permitAll()" />

    <form-login authentication-failure-handler-ref="authenticationFailureHandler"
        login-page="/login" login-processing-url="/login.do" authentication-success-handler-ref="customAuthenticationSuccessHandler" />

    <!-- See also LogoutFilterPostProcessor -->
    <logout logout-url="/logout.do" delete-cookies="JSESSIONID"  success-handler-ref="lclSessionCookieDeletingLogoutHandler" />
    <anonymous />

    <!-- Allow the usage of oauth web expressions (e.g. '#oauth2.denyOAuthClient()') -->
    <expression-handler ref="oauthWebExpressionHandler" />
    <request-cache ref="requestCache" />
    <csrf token-repository-ref="csrfTokenRepository"/>
    <remember-me services-ref="persistentTokenBasedRememberMeServices" key="abcdefg"/>
    <custom-filter ref="forcePasswordResetFilter" before="REQUEST_CACHE_FILTER" />
</http>

It seems that when /me is called, the filters from the second <http/> section (e.g. ForcePasswordResetFilter) are applied as well - which is not what I expected. Any idea why not only the first <http/> section, which matches /me/**, is considered?
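An added diagnostic, not part of the question and not Spring's own code: it builds the two security chains in the order the two <http/> elements above declare them, using stand-in filters, and asks FilterChainProxy which filters it would apply to a /me URL. The class name FilterChainDiagnostic, the NamedFilter stand-in, the sample URLs, and the javax.servlet / Spring Security 3.2+ package layout are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

/** Hypothetical stand-in for the filters named in the question; it only announces itself. */
class NamedFilter implements Filter {
    private final String name;
    NamedFilter(String name) { this.name = name; }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        System.out.println("invoked: " + name);
        chain.doFilter(req, res);
    }
    @Override public String toString() { return name; }
}

public class FilterChainDiagnostic {
    /** Chains in the order of the two <http/> elements; FilterChainProxy uses the FIRST chain whose matcher accepts the request. */
    static FilterChainProxy buildProxy() {
        // First <http pattern="/me/**"> element: stateless OAuth2 resource chain.
        SecurityFilterChain meChain = new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/me/**"),
                new NamedFilter("OAuth2AuthenticationProcessingFilter"));
        // Second <http> element (no pattern): matches everything else.
        SecurityFilterChain defaultChain = new DefaultSecurityFilterChain(
                AnyRequestMatcher.INSTANCE,
                new NamedFilter("ForcePasswordResetFilter"),
                new NamedFilter("UsernamePasswordAuthenticationFilter"));
        return new FilterChainProxy(Arrays.asList(meChain, defaultChain));
    }

    public static void main(String[] args) {
        FilterChainProxy proxy = buildProxy();
        // getFilters(url) resolves the chain exactly as a real request would, without invoking it.
        List<Filter> forMe = proxy.getFilters("/me/profile");
        System.out.println("/me/profile -> " + forMe);          // expected: only the OAuth2 stand-in
        System.out.println("/secure/x   -> " + proxy.getFilters("/secure/x"));
    }
}
```

Running this against the real application's FilterChainProxy bean (instead of the stand-ins) shows which chain actually serves /me; if the list contains only the first chain's filters, the second invocation is not coming from chain selection and should be traced elsewhere in the servlet pipeline.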

0 answers:

No answers