Question

我需要执行自定义授权，因此我已预先确定AuthenticationManager和LoginUrlAuthenticationEntryPoint并将其设置为UsernamePasswordAuthenticationFilter。

这是我的spring-security.xml：

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:http auto-config="false" entry-point-ref="alterAuthenticationEntryPoint" create-session="always" use-expressions="true">
        <security:intercept-url pattern="/blog**" access="hasRole('ROLE_ADMIN')"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:user-service>
                <security:user name="d" password="secret" authorities="ROLE_ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

    <security:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/><!--replace the default one-->

    <bean id="customizedFormLoginFilter"
          class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager"
                  ref="alterAuthenticationManager"/>
        <property name="allowSessionCreation" value="true"/> 
    </bean>

    <!--Custom auth manager-->
    <bean id="alterAuthenticationManager" class="com.fluid.ixtrm.newmodule.security.CustomAuthenticationManager"/>

    <!--Authentication entry point-->
    <bean id="alterAuthenticationEntryPoint" class="com.fluid.ixtrm.newmodule.security.CustomAuthenticationEntryPoint">
        <constructor-arg type="java.lang.String" value="/blog"/>
    </bean>

</beans>

这两个类（CustomAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint和CustomAuthenticationManager implements AuthenticationManager）都已实现，但代码示例太多（我不认为它们会导致问题）。

我收到以下错误：

org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Security namespace does not support decoration of element [custom-filter]
Offending resource: ServletContext resource [/WEB-INF/spring-security.xml]

我使用的是Spring Security 3.2.3，custom-filter中存在spring-security-3.2.xsd标记。请告诉我，我的安全配置中有什么不正确。

Answer 1

您的配置无效，请参阅Spring Security Reference：

41.1.19＆lt; custom-filter＆gt;

此元素用于向过滤器链添加过滤器。它不会创建任何其他bean，但会用于选择已在应用程序上下文中定义的类型为javax.servlet.Filter的bean，并将其添加到Spring Security维护的过滤器链中的特定位置。完整的详细信息可以在命名空间章节中找到。

＆lt; custom-filter＆gt;
的父元素

HTTP

您修改后的<security:http>配置：

<security:http auto-config="false" entry-point-ref="alterAuthenticationEntryPoint" create-session="always" use-expressions="true">
   <security:intercept-url pattern="/blog**" access="hasRole('ROLE_ADMIN')"/>
   <security:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/>
</security:http>

安全命名空间不支持元素[custom-filter]的装饰

1 个答案: