spring security 3.2 自定义过滤器冲突问题

diypyh 2014-09-16 09:28:48
自定义登录过滤器一直在报冲突。

这是JAVA类:
package com.job.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.util.StringUtils;

import com.job.model.User;
import com.job.service.UserServiceI;

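/**
 * Form-login filter that checks a one-time validation code (captcha) and the submitted
 * credentials before handing the username/password pair to the configured
 * {@code AuthenticationManager}.
 *
 * <p>The inherited {@code authenticationManager} property must be set on the bean, because
 * {@link #attemptAuthentication} delegates to it. {@code userService} must be injected as well.
 */
public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    /** Name of both the request parameter and the session attribute that carry the validation code. */
    public static final String VALIDATE_CODE = "validateCode";
    /** Request parameter that carries the login name. */
    public static final String USERNAME = "username";
    /** Request parameter that carries the password. */
    public static final String PASSWORD = "password";

    private UserServiceI userService;

    /**
     * Validates the request method, the validation code and the credentials, then delegates to
     * the authentication manager.
     *
     * @param request  the login request; only POST is accepted
     * @param response the response (not used here)
     * @return the authenticated token returned by the authentication manager
     * @throws AuthenticationException if the method is not POST, the validation code is wrong,
     *         the user lookup fails, or the credentials do not match
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        // Constant-first comparison stays safe if the container ever reports a null method.
        if (!"POST".equals(request.getMethod())) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }

        // The validation code is checked (and consumed) before any credential is looked at.
        checkValidateCode(request);

        String username = obtainUsername(request).trim();
        String password = obtainPassword(request);

        User user;
        try {
            user = userService.selectUserByName(username);
        } catch (Exception e) {
            // A backend failure is not a wrong password: log it through the logger inherited
            // from GenericFilterBean and fail the attempt with the cause attached, instead of
            // printing the stack trace and reporting "bad credentials".
            logger.error("User lookup failed during login", e);
            throw new AuthenticationServiceException("登录服务暂时不可用,请稍后再试!", e);
        }

        // NOTE(review): the submitted password is compared directly with the stored value, which
        // can only match if the stored value is not hashed. Credential verification normally
        // belongs to the AuthenticationProvider together with a PasswordEncoder (bcrypt or
        // similar); confirm how passwords are stored and consider dropping this pre-check, since
        // authenticate() below verifies the credentials again.
        // The same message is used for an unknown user and a wrong password, so the response
        // does not reveal which accounts exist.
        if (user == null || user.getPassword() == null || !user.getPassword().equals(password)) {
            // The configured SimpleUrlAuthenticationFailureHandler stores this exception under
            // WebAttributes.AUTHENTICATION_EXCEPTION (request attribute when forwarding,
            // otherwise session attribute), so the login view can show the message to the user.
            throw new AuthenticationServiceException("用户名或者密码错误!");
        }

        // UsernamePasswordAuthenticationToken is the Authentication implementation for this request.
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

        // Lets subclasses attach request details to the token.
        setDetails(request, authRequest);

        // The manager runs the configured providers (UserDetailsService.loadUserByUsername) and
        // returns the fully populated Authentication.
        return this.getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * Compares the submitted validation code with the one stored in the session.
     *
     * @param request the login request
     * @throws AuthenticationServiceException if no code is stored, none was submitted, or the
     *         two differ (case-insensitive comparison)
     */
    protected void checkValidateCode(HttpServletRequest request) {
        HttpSession session = request.getSession();

        String expected = obtainSessionValidateCode(session);
        // One-time use: the stored code is dropped before the comparison, so a failed guess
        // cannot be retried against the same code.
        session.removeAttribute(VALIDATE_CODE);

        String submitted = obtainValidateCodeParameter(request);
        // An absent session code is rejected explicitly instead of relying on the comparison.
        if (StringUtils.isEmpty(expected) || StringUtils.isEmpty(submitted) || !expected.equalsIgnoreCase(submitted)) {
            throw new AuthenticationServiceException("验证码错误!");
        }
    }

    /** Returns the submitted validation code, or an empty string when the parameter is absent. */
    private String obtainValidateCodeParameter(HttpServletRequest request) {
        String value = request.getParameter(VALIDATE_CODE);
        return value == null ? "" : value;
    }

    /** Returns the validation code stored in the session, or an empty string when none is stored. */
    protected String obtainSessionValidateCode(HttpSession session) {
        Object stored = session.getAttribute(VALIDATE_CODE);
        return stored == null ? "" : stored.toString();
    }

    /** Returns the submitted username, or an empty string when the parameter is absent. */
    @Override
    protected String obtainUsername(HttpServletRequest request) {
        String value = request.getParameter(USERNAME);
        return value == null ? "" : value;
    }

    /** Returns the submitted password, or an empty string when the parameter is absent. */
    @Override
    protected String obtainPassword(HttpServletRequest request) {
        String value = request.getParameter(PASSWORD);
        return value == null ? "" : value;
    }

    /** Returns the service used to look up users by name. */
    public UserServiceI getUserService() {
        return userService;
    }

    /** Sets the service used to look up users by name. */
    public void setUserService(UserServiceI userService) {
        this.userService = userService;
    }

}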



这是XML:
<!--
  Spring Security namespace configuration for the web filter chain.
  The loginFilter and myFilter bean definitions are not shown in this snippet.
-->
<http use-expressions="true" access-denied-page="/403.do">
<!-- Only /core/** is restricted in this snippet; every other URL is reachable without a role. -->
<intercept-url pattern="/core/**" access="hasRole('ROLE_USER')" />

<!--
  position="FORM_LOGIN_FILTER" places loginFilter in the slot of the default form-login filter.
  Spring rejects the configuration with "have the same 'order' value" when a default
  UsernamePasswordAuthenticationFilter is registered as well, which its message attributes to
  child elements of <http> or to auto-config='true'. Neither is visible here, so presumably the
  real file contains one of them; confirm and remove it.
  The loginFilter bean also needs its authenticationManager property set, otherwise bean
  creation fails with "authenticationManager must be specified".
  NOTE(review): without a default login element the <http> element usually needs an explicit
  entry-point-ref as well; none is visible here.
-->
<custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />
<!-- myFilter runs just before the FilterSecurityInterceptor, which makes the access decision. -->
<custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />
</http>


报以下错误:
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Filter beans '<loginFilter>' and '<org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0>' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and avoiding the use of <http auto-config='true'>.

如果将<custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />改为<custom-filter ref="loginFilter" before="FORM_LOGIN_FILTER" />,则报这个错误:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#5' while setting bean property 'sourceList' with key [5]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#5': Cannot resolve reference to bean 'loginFilter' while setting constructor argument with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'loginFilter' defined in class path resource [spring-security.xml]: Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: authenticationManager must be specified


按照网上给的解决方案都试了,还是一直报错。有哪位大神知道什么问题吗?
轩鼎 2016-10-26
求解决方案。遇到相同问题
zqs4449 2014-09-29
怎么解决的,帮忙给个答案,遇到同样的问题。
持久的烧烤 2014-09-17
怎么解决的。。我也遇到这个问题了
diypyh 2014-09-16
CSDN,这是一个神奇的网站。 每次在我发完贴子后就找到了解决方案。 送分贴
