How to get a reference to SessionAuthenticationStrategy without configuring the strategy explicitly?

Problem description

In a Spring Security 3.2 based application I have an explicitly configured UsernamePasswordAuthenticationFilter that needs a reference to the sessionAuthenticationStrategy (in order to invoke .onAuthentication).*

The sessionAuthenticationStrategy is the default one created by <security:http> (HttpSecurityBeanDefinitionParser).

My question: how can I get a reference to the SessionAuthenticationStrategy without configuring the complete SessionAuthenticationStrategy explicitly, so that I can inject this reference in the XML configuration?

<security:http auto-config="false" use-expressions="true"
    entry-point-ref="loginUrlAuthenticationEntryPoint" 
    access-decision-manager-ref="httpAccessDecisionManager">
    ...
    <security:custom-filter
             ref="usernamePasswordAuthenticationFilter"
             position="FORM_LOGIN_FILTER"/>
    ...
</security:http>

...

<bean id="usernamePasswordAuthenticationFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">

   <property name="sessionAuthenticationStrategy" ref="????"/>   <!-- ?? -->
   ...
</bean>

*My real UsernamePasswordAuthenticationFilter is a customized subclass, but that should not matter for this question.

Recommended answer

I have had a look at the HttpSecurityBeanDefinitionParser (and HttpConfigurationBuilder.createSessionManagementFilters()), which is the class responsible for parsing the security:http tag and for creating the SessionAuthenticationStrategy bean.

Therefore I know that Spring Security 3.2.5.RELEASE creates (in my configuration) a CompositeSessionAuthenticationStrategy bean and uses this as the session strategy. This bean will get the default name: org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#0

So my current workaround is to have a reference to this bean, by its name:

<bean id="usernamePasswordAuthenticationFilter"
     class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">

    <property name="sessionAuthenticationStrategy">
        <ref
           bean="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#0"/>                
    </property>
    ...
 </bean>

This workaround has some serious limitations:


  • when a newer version of Spring Security works in another way (creating another bean), then it will fail.
  • when there is another CompositeSessionAuthenticationStrategy whose name is created with ReaderContext.generateBeanName, then this approach may fail, because #0 may become #1 (depending on the order in which the beans are created).
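
The following is an added example, not part of the original question or answer: it resolves the generated strategy bean by type and registers a stable alias, so the XML no longer depends on the `#0` suffix and an ambiguous or missing strategy stops startup with a clear message. The class name `SessionStrategyAliasRegistrar`, the package and the alias `sessionAuthenticationStrategy` are hypothetical; it assumes, as the answer describes for 3.2.5.RELEASE, that `<security:http>` registers a top-level bean of type CompositeSessionAuthenticationStrategy, so it still depends on that implementation class.

```java
package example; // hypothetical package

import java.util.Arrays;

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;

/**
 * Added example (hypothetical class): gives the strategy bean generated by
 * security:http a stable alias, so XML can reference it without the "#0" name.
 */
public class SessionStrategyAliasRegistrar implements BeanFactoryPostProcessor {

    /** Hypothetical alias; reference it with ref="sessionAuthenticationStrategy". */
    public static final String ALIAS = "sessionAuthenticationStrategy";

    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory)
            throws BeansException {
        // Look up by type instead of by generated name. allowEagerInit=false
        // keeps this lookup from instantiating beans during post-processing.
        String[] names = beanFactory.getBeanNamesForType(
                CompositeSessionAuthenticationStrategy.class, true, false);

        // Fail at startup instead of wiring the login filter to the wrong
        // (or no) session strategy when the count is not exactly one.
        if (names.length != 1) {
            throw new IllegalStateException(
                    "Expected exactly one CompositeSessionAuthenticationStrategy bean, found "
                    + names.length + ": " + Arrays.toString(names));
        }

        // The alias is registered before any bean is instantiated, so the
        // filter's <property ... ref="sessionAuthenticationStrategy"/> resolves.
        beanFactory.registerAlias(names[0], ALIAS);
    }
}
```

Declare this class as a bean in the same application context as the security:http element, then set ref="sessionAuthenticationStrategy" on the filter's sessionAuthenticationStrategy property.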
