Spring Security custom SessionManagementFilter: same 'order' value error


Problem description


I'm trying to customize the session management filter of Spring Security, but I get the error saying that my filter and the default one have the same 'order' value (although I don't have any <session-management> in my <http> configuration and I have autoconfig=false, as Spring Security says in its documentation).

Here's my configuration of Spring Security:

<http auto-config="false" use-expressions="true">

    <custom-filter position="SESSION_MANAGEMENT_FILTER" ref="filtroGestionSesion" />

    <intercept-url pattern="/resources/**" filters="none"/>
    <intercept-url pattern="/faces/javax.faces.resource/**" filters="none"/>
    <intercept-url pattern="/faces/inicio.xhtml" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/autenticacion/login.xhtml*" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/administracion/**" access="isAuthenticated()"/>
    <intercept-url pattern="/faces/paginas/barco/**" access="isAuthenticated()"/>
    <intercept-url pattern="/faces/paginas/catalogo/**" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/error/**" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/plantillas/**" access="permitAll"/>
    <intercept-url pattern="/**" access="denyAll" />

    <form-login login-processing-url="/j_spring_security_check"
                login-page="/faces/paginas/autenticacion/login.xhtml"
                default-target-url="/faces/paginas/administracion/inicioAdmon.xhtml"
                always-use-default-target="true"
                authentication-failure-url="/faces/paginas/autenticacion/login.xhtml?error=authentication" />

    <logout logout-url="/j_spring_security_logout"
            logout-success-url="/faces/inicio.xhtml"
            invalidate-session="true" />
</http>

<global-method-security pre-post-annotations="enabled" />

<authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="myuser" password="myuser" authorities="" />
      </user-service>
    </authentication-provider>
</authentication-manager>

<beans:bean id="filtroGestionSesion" class="springSecurity.FiltroGestionSesion">
    <beans:constructor-arg ref="securityContextRepository" />
    <beans:property name="invalidSessionUrl" value="/faces/paginas/autenticacion/login.xhtml?error=timeout" />
</beans:bean>

<beans:bean id="securityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />

The class with my custom filter (springSecurity.FiltroGestionSesion) is a copy-paste of the one from Spring Security (org.springframework.security.web.session.SessionManagementFilter), with the package name and the class name changed and some custom code added to the doFilter method.

Why doesn't it work, and why does it throw the error saying both filters have the same order?

I already disabled the default filter by removing the corresponding child element <session-management> from <http>, so that the position of my filter doesn't conflict with the default filter.

Do I have to remove any other element or customize anything else?

Does anyone know how to make a custom filter work in the SESSION_MANAGEMENT_FILTER position while disabling the default one?

Thank you in advance.

Solution

I've finally found the solution. I'm putting it here in case someone is interested.

The way to disable the default session management filter is not by removing the <session-management> element from <http>, but by adding it with no session fixation protection:

<session-management session-fixation-protection="none" />

This way, the default session management filter doesn't fire, and you can add your custom filter in that position with no conflict in the filter chain.

I've checked it by looking at the debug logs of Spring Security in my webapp.

Hope it helps someone.
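
With session-fixation-protection="none", as set in the answer above, the namespace applies no session-fixation protection of its own, so whether the session id still changes at login depends on the custom filter. The following is an added example (not part of the original question or answer) that checks this from recorded response headers; the JSESSIONID cookie name and the sample headers are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

COOKIE_NAME = "JSESSIONID"  # assumed servlet-container default; adjust if renamed


def session_id_from_headers(headers, name=COOKIE_NAME):
    """Return the last value set for `name` in (header, value) pairs, or None."""
    value = None
    for key, raw in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(raw)
        if name in jar:
            value = jar[name].value
    return value


def session_rotated_on_login(pre_login_headers, login_response_headers):
    """True only if the login response issues a session id that differs
    from the one handed out before authentication."""
    before = session_id_from_headers(pre_login_headers)
    after = session_id_from_headers(login_response_headers)
    if before is None:
        raise ValueError("no session cookie issued before login; nothing to compare")
    # No new Set-Cookie after login means the browser keeps using the old id.
    return after is not None and after != before


# Constructed sample exchanges (not captured from a real application).
PRE_LOGIN = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=AAAA1111; Path=/app; HttpOnly"),
]
LOGIN_KEEPS_ID = [
    ("Location", "/app/faces/paginas/administracion/inicioAdmon.xhtml"),
]
LOGIN_NEW_ID = [
    ("Location", "/app/faces/paginas/administracion/inicioAdmon.xhtml"),
    ("Set-Cookie", "JSESSIONID=BBBB2222; Path=/app; HttpOnly"),
]

if __name__ == "__main__":
    print("id kept    ->", session_rotated_on_login(PRE_LOGIN, LOGIN_KEEPS_ID))
    print("id changed ->", session_rotated_on_login(PRE_LOGIN, LOGIN_NEW_ID))
```

A False result for your own login exchange means the pre-login session id survives authentication, and the custom filter or another component has to replace it.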
