问题
I want to replace the default SessionManagementFilter
with my own, but I'm running into this
17:31:32,901 ERROR [[/accounts]] Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Filter beans '<accountsSessionManageFilter>' and 'Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and avoiding the use of <http auto-config='true'>.
Offending resource: ServletContext resource [/WEB-INF/spring-contexts/security.xml]
The problem seems to be that I'm using an <http>
element/attribute that sets the default filter at the same position. I'm not however (or if I am its unintentional).
This is my security context <http>
definition:
<http use-expressions="true" auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
<!-- lots of intercept-url definitions (nothing else) -->
<custom-filter position="SESSION_MANAGEMENT_FILTER" ref="accountsSessionManageFilter"/>
<custom-filter position="FORM_LOGIN_FILTER" ref="accountsSsoFilter"/>
</http>
.......
<beans:bean id="accountsSessionManageFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:property name="sessionAuthenticationStrategy" ref="NullAuthenticatedSessionStrategy"/>
</beans:bean>
.......
<bean id="accountsSsoFilter" class="cayetano.core.base.service.impl.spring.filter.SsoUserPassAuthFilter">
<property name="authenticationManager" ref="ssoAuthManager" />
<property name="authenticationFailureHandler" ref="relativeLoginFailureHandler" />
<property name="authenticationSuccessHandler" ref="noopLoginSuccessHandler" />
<property name="authenticationService" ref="basicAuthenticatorService" />
<property name="authorityService" ref="userTypeBasedAuthotiryService" />
</bean>
So why does Spring complain that I'm using an <http>
element that uses the default filter ?
Also the documentation states that <session-management>
is the only <http>
element using the default filter, are there others ?
I'm using Spring Security 3.0.
Thanks,
回答1:
If you are trying to specify a custom SESSION_MANAGEMENT_FILTER
so that you can change the sessionAuthenticationStrategy
of the default class/instance, just use the session-authentication-strategy-ref attribute:
<http ...>
<session-management session-authentication-strategy-ref="NullAuthenticatedSessionStrategy"/>
</http>
This assumes of course that NullAuthenticatedSessionStrategy
is another bean defined in the context. Since this is also the name of a class in Spring Security, I think that what you really want is:
<http ...>
<session-management session-authentication-strategy-ref="sessionStrategy"/>
</http>
<bean id="sessionStrategy" class="org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy"/>
来源:https://stackoverflow.com/questions/10300369/replacing-the-default-filter-at-position-session-management-filter