我已经实现了自己的LowerCaseUsernamePasswordAuthenticationFilter,它只是UsernamePasswordAuthenticationFilter的一个子类.
但是现在我的问题是如何配置Spring的安全性来使用这个过滤器.
到目前为止,我使用:
<security:http auto-config="true" use-expressions="true">
<security:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
<security:logout logout-url="/resources/j_spring_security_logout" />
<security:intercept-url pattern="/**" access="isAuthenticated()" requires-channel="${cfma.security.channel}" />
</security:http>
我真的要打开自动配置,需要手动配置所有的过滤器吗? – 如果这是真的,有人可以提供一个例子吗?
<security:http ...> <security:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" /> <security:custom-filter ref="lowerCaseUsernamePasswordAuthenticationFilter" position="FORM_LOGIN_FILTER"/> ... </security:http>
确实导致该消息的异常:
Configuration problem: Filter beans
<lowerCaseUsernamePasswordAuthenticationFilter>and ‘Root bean: class [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factorybeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null’ have the same ‘order’ value. When using custom filters,please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from and avoiding the use of .
解决方法
我已经通过手工编写所需的自动配置的bean来完成.这是结果:
<!-- HTTP security configurations -->
<security:http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<!--
<security:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
replaced by lowerCaseUsernamePasswordAuthenticationFilter
the custom-filter with position FORM_LOGIN_FILTER requries that auto-config is false!
-->
<security:custom-filter ref="lowerCaseUsernamePasswordAuthenticationFilter" position="FORM_LOGIN_FILTER"/>
<security:logout logout-url="/resources/j_spring_security_logout" />
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login"/>
</bean>
<bean id="lowerCaseUsernamePasswordAuthenticationFilter"
class="com.queomedia.cfma.infrastructure.security.LowerCaseUsernamePasswordAuthenticationFilter">
<property name="filterProcessesUrl" value="/resources/j_spring_security_check"/>
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login?login_error=t"/>
</bean>
</property>
</bean>
