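We use Spring Security 4.x, and I want to override BasicAuthenticationFilter.
Unfortunately, I could not find the class name of BasicAuthenticationFilter, nor the schema-configured http-basic element within the http element.
How can I override BasicAuthenticationFilter using the schema configuration?
I tried to override BasicAuthenticationFilter with a custom filter, but without success: the schema keeps creating the default BasicAuthenticationFilter.
Added
Very strange. I configured auto-config="false", but I can still see the default BasicAuthenticationFilter being created.
According to the documentation at http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#nsa-http it should not be created.
Added
Configuration without bean definitions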
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:oxm="http://www.springframework.org/schema/oxm"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<sec:global-method-security pre-post-annotations="enabled">
<!-- AspectJ pointcut expression that locates our "post" method and applies security that way
<protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
-->
</sec:global-method-security>
<sec:http use-expressions="true" auto-config="true" pattern="/api/**" disable-url-rewriting="false" entry-point-ref="authenticationEntryPoint">
<sec:custom-filter ref="rememberUrlFilter" before="BASIC_AUTH_FILTER"/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="ssoFilter" />
<sec:intercept-url pattern="/api/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
<sec:logout logout-url="/logout.faces" success-handler-ref="logoutSuccessHandlerImpl" />
<sec:http-basic entry-point-ref="authenticationEntryPoint"/>
<sec:csrf disabled="true"/>
<sec:headers disabled="true"/>
<!--<sec:custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER"/>-->
<sec:custom-filter ref="localhostIntegrationFilter" after="ANONYMOUS_FILTER"/>
<sec:access-denied-handler ref="accessDeniedHandler"/>
</sec:http>
<bean class="org.primefaces.webapp.filter.FileUploadFilter" name="fileUploadFilter"/>
<sec:http use-expressions="true" auto-config="true" disable-url-rewriting="false">
<sec:custom-filter ref="fileUploadFilter" before="FIRST"/>
<sec:custom-filter ref="rememberUrlFilter" before="BASIC_AUTH_FILTER"/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="ssoFilter" />
<sec:intercept-url pattern="/pages/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/login.faces" access="isAnonymous()"/>
<sec:intercept-url pattern="/js/**" access="permitAll"/>
<sec:intercept-url pattern="/css/**" access="permitAll"/>
<sec:intercept-url pattern="/images/**" access="permitAll"/>
<sec:intercept-url pattern="/img/**" access="permitAll" />
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
<sec:csrf disabled="true"/>
<sec:headers disabled="true"/>
<sec:form-login login-page="/login.faces"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login.faces"
default-target-url="/pages/defaultPage.faces"
username-parameter="j_username"
password-parameter="j_password"
authentication-failure-handler-ref="authenticationFailureHandler"
/>
<sec:logout logout-url="/logout.faces"
success-handler-ref="logoutSuccessHandlerImpl"
/>
<sec:custom-filter ref="localhostIntegrationFilter" after="ANONYMOUS_FILTER"/>
<sec:access-denied-handler ref="accessDeniedHandler"/>
</sec:http>
...
</beans>
Answer 0 (score: 2)
According to the schema documentation in the xsd, if you want to replace a filter you need to use the position tag:
<sec:custom-filter ref="customBasicAuth" position="BASIC_AUTH_FILTER"/>
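Also, if you include the <sec:http-basic element, the default basic authentication filter is added to the filter chain.
auto-config is a legacy attribute and can be removed (there is no need to set it to false).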
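The replacement described in the answer, written out as a complete configuration for the /api/** chain only. This is an added example, not code from the question or the answer. The class com.example.security.CustomBasicAuthenticationFilter, the userDetailsService bean and the authenticationManager alias are assumptions. authenticationEntryPoint is the bean name used in the question, whose definition is not shown on the page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Assumption: an aliased authentication manager so the filter bean can reference it.
         "userDetailsService" stands in for whatever provider the application really uses. -->
    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider user-service-ref="userDetailsService"/>
    </sec:authentication-manager>

    <!-- Hypothetical subclass of
         org.springframework.security.web.authentication.www.BasicAuthenticationFilter.
         It is assumed to expose the same (AuthenticationManager, AuthenticationEntryPoint)
         constructor as the parent class. -->
    <bean id="customBasicAuth" class="com.example.security.CustomBasicAuthenticationFilter">
        <constructor-arg ref="authenticationManager"/>
        <constructor-arg ref="authenticationEntryPoint"/>
    </bean>

    <sec:http pattern="/api/**" use-expressions="true"
              entry-point-ref="authenticationEntryPoint">
        <!-- Neither auto-config="true" nor <sec:http-basic> appears in this chain.
             Both register the default BasicAuthenticationFilter (auto-config="true" is
             shorthand for form-login, http-basic and logout), and the default filter
             would occupy the slot the custom bean is meant to take. -->
        <sec:custom-filter ref="customBasicAuth" position="BASIC_AUTH_FILTER"/>
        <sec:intercept-url pattern="/api/**" access="isAuthenticated()"/>
    </sec:http>
</beans>
```

With DEBUG logging enabled for org.springframework.security, the filter chain listed at startup shows which class sits in the basic authentication slot, which confirms that the default filter is no longer created.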