How to get a reference to SessionAuthenticationStrategy without configuring the strategy explicitly?
Problem description
In a Spring Security 3.2 based application I have an explicitly configured UsernamePasswordAuthenticationFilter that needs a reference to the sessionAuthenticationStrategy (in order to invoke .onAuthentication).*
The sessionAuthenticationStrategy is the default one created by <security:http> (HttpSecurityBeanDefinitionParser).
My question is: how can I get a reference to the SessionAuthenticationStrategy without configuring the complete SessionAuthenticationStrategy explicitly, so that I can inject this reference in the XML configuration?
<security:http auto-config="false" use-expressions="true"
        entry-point-ref="loginUrlAuthenticationEntryPoint"
        access-decision-manager-ref="httpAccessDecisionManager">
    ...
    <security:custom-filter
            ref="usernamePasswordAuthenticationFilter"
            position="FORM_LOGIN_FILTER"/>
    ...
</security:http>
...
<bean id="usernamePasswordAuthenticationFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy" ref="????"/> <!-- ?? -->
    ...
</bean>
*My real UsernamePasswordAuthenticationFilter is a customized subclass, but that should not matter for this question.
Recommended answer
I have had a look at the HttpSecurityBeanDefinitionParser (and HttpConfigurationBuilder.createSessionManagementFilters()), which is the class responsible for parsing the security:http tag and for creating the SessionAuthenticationStrategy bean.
Therefore I know that Spring Security 3.2.5.RELEASE creates (in my configuration) a CompositeSessionAuthenticationStrategy bean and uses this as the session strategy. This bean will get the default name: org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#0
So my current workaround is to have a reference to this bean, by its name:
<bean id="usernamePasswordAuthenticationFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy">
        <ref bean="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#0"/>
    </property>
    ...
</bean>
This workaround has some serious limitations:
- When a newer version of Spring Security works in another way (creating another bean), then it will fail.
- When there is another CompositeSessionAuthenticationStrategy whose name is created with ReaderContext.generateBeanName, then this approach may fail, because #0 may become #1 (depending on the order in which the beans are created).
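
A lookup by type avoids hard-coding the generated #0 name and fails at startup, with a clear message, in both situations listed above. This is an added example, not part of the original answer or of Spring Security; the class name DefaultSessionStrategyLocator, its package and the bean id in the comment are hypothetical, and it assumes, as the answer observed for 3.2.5.RELEASE, that <security:http> registers exactly one CompositeSessionAuthenticationStrategy bean.

```java
package example; // hypothetical package

import java.util.Map;

import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.BeanFactoryAware;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.ListableBeanFactory;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Hypothetical helper (added example): exposes the strategy that <security:http>
 * registered, found by type instead of by its generated "...#0" name.
 *
 * XML wiring (bean id is an assumption):
 *   <bean id="defaultSessionStrategy" class="example.DefaultSessionStrategyLocator"/>
 *   <property name="sessionAuthenticationStrategy" ref="defaultSessionStrategy"/>
 */
public class DefaultSessionStrategyLocator
        implements FactoryBean<SessionAuthenticationStrategy>, BeanFactoryAware {

    private ListableBeanFactory beanFactory;

    @Override
    public void setBeanFactory(BeanFactory beanFactory) {
        // An XML application context is backed by a ListableBeanFactory.
        this.beanFactory = (ListableBeanFactory) beanFactory;
    }

    @Override
    public SessionAuthenticationStrategy getObject() {
        // Match on the bean definition's class; do not eagerly initialise FactoryBeans.
        Map<String, CompositeSessionAuthenticationStrategy> found =
                beanFactory.getBeansOfType(CompositeSessionAuthenticationStrategy.class, false, false);
        if (found.size() != 1) {
            // No candidate (internals changed) or several (#0 / #1 ambiguity):
            // stop at startup rather than wire the filter to the wrong strategy.
            throw new IllegalStateException(
                    "Expected exactly one CompositeSessionAuthenticationStrategy, found " + found.keySet());
        }
        return found.values().iterator().next();
    }

    @Override
    public Class<?> getObjectType() { return SessionAuthenticationStrategy.class; }

    @Override
    public boolean isSingleton() { return true; }
}
```

The lookup still depends on the concrete class the namespace parser chooses, so a Spring Security upgrade that registers a different strategy type stops the context with the message above instead of leaving the custom filter without the session strategy.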