
Spring security configuration error: beans have the same 'order' value

I have a web application in which I am implementing Spring Security. My spring-security.xml is:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- ENABLE HTTP SECURITY -->
    <http auto-config="false" access-denied-page="/accessDenied.html">

        <!-- INTERCEPT URL FOR RESOURCES ACCESS -->
        <intercept-url pattern="/admin/" access="hasRole('ADMIN_ROLE')" />
        <intercept-url pattern="/users/" access="hasRole('USER_ROLE')" />
        <intercept-url pattern="/**" access="permitAll" />

        <!-- CUSTOM FILTER -->
        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="FORM_LOGIN_FILTER" ref="AuthFilter" />

        <!-- SESSION MANAGEMENT CONFIG -->
        <session-management
            session-authentication-strategy-ref="session-management" />

        <!-- FORM LOGIN CONFIG -->
        <form-login login-page="/loginForm"
            authentication-failure-url="/error.html" default-target-url="/welcome.html" />
        <logout logout-success-url="/loggedout.html"
            invalidate-session="true" />
    </http>
    <!-- SERVICES  -->
    <beans:bean id="customEncoder" class="com.rep.security.CustomPasswordEncoder"></beans:bean>
    <beans:bean id="customUserService" class="com.rep.security.CustomUserDetailService"></beans:bean>

    <!-- AUTHENTICATION MANAGER CONFIG -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customUserService">
            <password-encoder ref="customEncoder"></password-encoder>
        </authentication-provider>
    </authentication-manager>

    <!-- CONCURRENCY FILTER CONFIG -->
    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/timeout.html" />
    </beans:bean>

    <beans:bean id="AuthFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy"
            ref="session-management" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <beans:bean id="session-management"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry"
            ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans:beans>

When I run the application on JBoss, I get this error:

15:40:02,470 ERROR [org.springframework.web.context.ContextLoader] (ServerService Thread Pool -- 59) Context initialization failed: org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Filter beans '<AuthFilter>' and 'Root bean: class [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and avoiding the use of <http auto-config='true'>.

Can anyone tell me what the problem with the configuration is? I am following [Spring Doc ioc] for session management.

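You should read 4.3.6. Adding in Your Own Filters and Table 1. Standard Filter Aliases and Ordering.

If you've used Spring Security before, you'll know that the framework maintains a chain of filters in order to apply its services.

The order of the filters is always strictly enforced when using the namespace. When the application context is being created, the filter beans are sorted by the namespace handling code, and the standard Spring Security filters each have an alias in the namespace and a well-known position.

Your <login-form> is using a filter with the alias FORM_LOGIN_FILTER. In addition, you added another filter at the same position ( position="FORM_LOGIN_FILTER" ref="AuthFilter" ). So you get the error message:

Filter beans <AuthFilter> and Root bean: class [UsernamePasswordAuthenticationFilter] have the same 'order' value

So I think that if you want both, you need to change the position: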

<custom-filter after="FORM_LOGIN_FILTER" ref="AuthFilter" />

or

<custom-filter before="FORM_LOGIN_FILTER" ref="AuthFilter" />

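From the Spring Security documentation, section B1.5. The Security Namespace:

The <form-login> element - used to add a UsernamePasswordAuthenticationFilter to the filter stack.

Basically, the <form-login> element will add a UsernamePasswordAuthenticationFilter, and I think it conflicts with the filter you defined in the "AuthFilter" bean.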
