如何使用不同的身份验证过滤器配置两个 Spring 安全 http 元素？

Posted 2023-02-27

技术标签:

【中文标题】如何使用不同的身份验证过滤器配置两个 Spring 安全 http 元素？【英文标题】：How can I configure two Spring security http elements with different authentication filters? 【发布时间】：2013-01-30 10:18:06 【问题描述】：

我正在使用带有 Spring 安全性的 Spring 3.1.1.RELEASE。我正在部署到 JBoss 7.1.1.Final 。我想配置两个 http 安全元素，每个元素都有不同的身份验证过滤器。我怎么做？使用下面的 Spring 安全配置，在部署我的 WAR 时出现异常“java.lang.IllegalArgumentException：在过滤器链中的其他模式之前定义了通用匹配模式（'/**'）”。如果我注释掉第二个 http 块（名为“pdSecurity”），一切正常。

<http pattern="/activities/**" security="none" />
<http pattern="/audio/**" security="none" />
<http pattern="/bootstrap/**" security="none" />
<http pattern="/bootstrap-editable/**" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/images/**" security="none" />
<http pattern="/js/**" security="none" />
<http pattern="/resources/**" security="none" />
<http pattern="/temp/**" security="none" />
<http name="defaultSecurity" security-context-repository-ref="subcoSecurityContextRepository"
    auto-config="false" use-expressions="true" authentication-manager-ref="authenticationManager"
    access-denied-page="/denied" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <custom-filter position="FORM_LOGIN_FILTER"
        ref="subcoUsernamePasswordUrlAuthenticationFilter" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />
    <intercept-url pattern="/denied" access="isAuthenticated()" />
    <intercept-url pattern="/welcome" access="permitAll" />
    <intercept-url pattern="/authenticate" access="permitAll" />
    <intercept-url pattern="/user"
        access="hasAnyRole('User','Administrator')" />
    <intercept-url pattern="/landing"
        access="hasAnyRole('User','Student','Teacher','Administrator')" />
    <intercept-url pattern="/book/*"
        access="hasAnyRole('User','Student','Teacher','Administrator')" />
    <intercept-url pattern="/admin" access="hasRole('Administrator')" />
    <intercept-url pattern="/admin/*" access="hasRole('Administrator')" />
    <intercept-url pattern="/getResource" access="hasAnyRole('Student','Teacher','Administrator')" />
    <logout invalidate-session="true" logout-success-url="/logout"
        logout-url="/j_spring_security_logout" />
</http>

<!--  Reg controller for PD -->
<http name="pdSecurity" auto-config="false" use-expressions="true" authentication-manager-ref="authenticationManager" access-denied-page="/denied" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <custom-filter position="FORM_LOGIN_FILTER" ref="pdUsernamePasswordUrlAuthenticationFilter"/>
    <intercept-url pattern="/pdregistration/regfailure" access="hasAnyRole('Teacher')"/>
    <intercept-url pattern="/pdregistration/regsuccess" access="hasAnyRole('Teacher')"/>
    <logout invalidate-session="true" 
        logout-success-url="/logout" 
        logout-url="/j_spring_security_logout" />
</http>

这是个例外……

08:52:23,730 ERROR [org.springframework.web.context.ContextLoader] (MSC service thread 1-5) Context initialization failed: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1455) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913) [spring-context-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464) [spring-context-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:385) [spring-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:284) [spring-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111) [spring-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.apache.catalina.core.StandardContext.contextListenerStart(StandardContext.java:3392) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:3850) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.as.web.deployment.WebDeploymentService.start(WebDeploymentService.java:90) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [classes.jar:1.6.0_37]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [classes.jar:1.6.0_37]
    at java.lang.Thread.run(Thread.java:680) [classes.jar:1.6.0_37]
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
    at org.springframework.security.config.http.DefaultFilterChainValidator.checkPathOrder(DefaultFilterChainValidator.java:49) [spring-security-config-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.security.config.http.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:39) [spring-security-config-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:149) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1514) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    ... 20 more

08:52:23,742 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/myproject]] (MSC service thread 1-5) Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1455) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913) [spring-context-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464) [spring-context-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:385) [spring-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:284) [spring-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111) [spring-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.apache.catalina.core.StandardContext.contextListenerStart(StandardContext.java:3392) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:3850) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.as.web.deployment.WebDeploymentService.start(WebDeploymentService.java:90) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [classes.jar:1.6.0_37]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [classes.jar:1.6.0_37]
    at java.lang.Thread.run(Thread.java:680) [classes.jar:1.6.0_37]
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
    at org.springframework.security.config.http.DefaultFilterChainValidator.checkPathOrder(DefaultFilterChainValidator.java:49) [spring-security-config-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.security.config.http.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:39) [spring-security-config-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:149) [spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1514) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452) [spring-beans-3.1.1.RELEASE.jar:3.1.1.RELEASE]
    ... 20 more

【问题讨论】：

你不能有两个不简单的pattern / security 定义的<http> 部分，即当你删除 <http ... 时它应该可以工作。 【参考方案1】：

在第二个 <http> 元素（名为 pdSecurity）上，使用 pattern 属性：<http pattern='/pdregistration/*'...，并将其移动到您的“defaultSecurity” 元素之前。

根据Spring Security docs：

从 Spring Security 3.1 开始，现在可以使用多个 http 元素为不同的请求模式定义单独的安全过滤器链配置。如果从 http 元素中省略了模式属性，则它匹配所有请求。

...以及关于多个<http> 元素here 的另一个相关部分：

每个元素在内部 FilterChainProxy 和应该映射到它的 URL 模式中创建一个过滤器链。元素将按照声明的顺序添加，因此必须再次首先声明最具体的模式。

【讨论】：

以上是关于如何使用不同的身份验证过滤器配置两个 Spring 安全 http 元素？的主要内容，如果未能解决你的问题，请参考以下文章

前后端分离的Web应用程序中使用Spring Security+Mybatis+JWT非对称加密+动态权限管理：身份验证过滤器

spring security - 针对不同 CURL 模式的多重身份验证

使用 Java Config 的 Spring Security 自定义身份验证过滤器

如何在 Spring Boot 中设计两个单独的授权/身份验证配置？

Spring Security 自定义身份验证过滤器和授权

必须指定 Spring Security authenticationmanager - 用于自定义过滤器