
Spring security configuration error: beans have the same 'order' value

I have a web application in which I am implementing Spring Security. My spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- ENABLE HTTP SECURITY -->
    <http auto-config="false" access-denied-page="/accessDenied.html">

        <!-- INTERCEPT URL FOR RESOURCES ACCESS -->
        <intercept-url pattern="/admin/" access="hasRole('ADMIN_ROLE')" />
        <intercept-url pattern="/users/" access="hasRole('USER_ROLE')" />
        <intercept-url pattern="/**" access="permitAll" />

        <!-- CUSTOM FILTER -->
        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="FORM_LOGIN_FILTER" ref="AuthFilter" />

        <!-- SESSION MANAGEMENT CONFIG -->
        <session-management
            session-authentication-strategy-ref="session-management" />

        <!-- FORM LOGIN CONFIG -->
        <form-login login-page="/loginForm"
            authentication-failure-url="/error.html" default-target-url="/welcome.html" />
        <logout logout-success-url="/loggedout.html"
            invalidate-session="true" />
    </http>
    <!-- SERVICES  -->
    <beans:bean id="customEncoder" class="com.rep.security.CustomPasswordEncoder"></beans:bean>
    <beans:bean id="customUserService" class="com.rep.security.CustomUserDetailService"></beans:bean>

    <!-- AUTHENTICATION MANAGER CONFIG -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customUserService">
            <password-encoder ref="customEncoder"></password-encoder>
        </authentication-provider>
    </authentication-manager>

    <!-- CONCURRENCY FILTER CONFIG -->
    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/timeout.html" />
    </beans:bean>

    <beans:bean id="AuthFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy"
            ref="session-management" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <beans:bean id="session-management"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry"
            ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans:beans>

When I run the application on JBoss, I get this error:

15:40:02,470 ERROR [org.springframework.web.context.ContextLoader] (ServerService Thread Pool -- 59) Context initialization failed: org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Filter beans '<AuthFilter>' and 'Root bean: class [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and avoiding the use of <http auto-config='true'>.

Can anybody tell me what the configuration problem is? I am following [Spring Doc ioc] for session management.

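You should read 4.3.6. Adding in Your Own Filters and Table 1. Standard Filter Aliases and Ordering

If you've used Spring Security before, you'll know that the framework maintains a chain of filters in order to apply its services.

The order of the filters is always strictly enforced when using the namespace. When the application context is being created, the filter beans are sorted by the namespace handling code, and the standard Spring Security filters each have an alias in the namespace and a well-known position.

Your <login-form> is using the filter with the alias FORM_LOGIN_FILTER. You have also added another filter at the same position ( position="FORM_LOGIN_FILTER" ref="AuthFilter" ). So you get the error message

Filter beans <AuthFilter> and Root bean: class [UsernamePasswordAuthenticationFilter] have the same order

So I think if you want both, you need to change the position: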

<custom-filter after="FORM_LOGIN_FILTER" ref="AuthFilter" />

or

<custom-filter before="FORM_LOGIN_FILTER" ref="AuthFilter" />

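From the Spring Security documentation, section B1.5. The Security Namespace

The <form-login> element - Used to add a UsernamePasswordAuthenticationFilter to the filter stack.

Basically, the <form-login> element will add a UsernamePasswordAuthenticationFilter, and I think it conflicts with the filter you defined in the "AuthFilter" bean.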
