1

我正在使用 Spring MVC 和 Spring security 开发一个 Web 应用程序。实际上我没有错误,而是警告。看起来这个警告很快就会出现错误:)

当我尝试部署我的应用程序时,它已成功部署,但出现警告:

“警告:可能的错误:位置 7 和 8 的过滤器都是 org.springframework.security.web.session.SessionManagementFilter 的实例”

我的 spring-security xml 中有 sessionManagementFilter 和 preAuthenticationFilter 。

我已经用谷歌搜索了这个问题,但似乎没有人得到同样的警告。这是什么警告?它会导致错误吗?我该如何解决?我无法解决问题,如果有人帮助我,我将不胜感激。谢谢你。

我的spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http create-session="never" use-expressions="true" auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
        <custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />
        <intercept-url pattern="/restricted/**" access="isAuthenticated()" />
        <custom-filter position="PRE_AUTH_FILTER" ref="myPreAuthFilter" />
        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/invalid-session.xhtml?concurrent=true" />
        </session-management>
        <logout logout-url="/cikis" invalidate-session="true" delete-cookies="JSESSIONID" success-handler-ref="myLogoutHandler" />
    </http>

    <beans:bean id="myLogoutHandler" class="com.test.MyLogoutHandler" />
    <beans:bean id="userDetailsServiceImpl" class="com.test.UserDetailsServiceImpl" />
    <beans:bean id="preAuthenticatedProcessingFilterEntryPoint" class="com.test.ForbiddenURLEntryPoint" />
    <beans:bean id="preAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <beans:property name="preAuthenticatedUserDetailsService" ref="userDetailsServiceImpl" />
    </beans:bean>
    <beans:bean id="myPreAuthFilter" class="com.test.MyPreAuthenticationFilter">
        <beans:property name="authenticationManager" ref="appControlAuthenticationManager" />
    </beans:bean>
    <beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
        <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
        <beans:property name="invalidSessionStrategy" ref="jsfRedirectStrategy" />
    </beans:bean>
    <beans:bean id="jsfRedirectStrategy" class="com.test.JsfRedirectStrategy"/>
    <beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>


    <authentication-manager alias="appControlAuthenticationManager">
        <authentication-provider ref="preAuthenticationProvider" />
    </authentication-manager>
</beans:beans>
4

1 回答 1

0

Spring security 在启动时默认包含 SessionManagementFilter。
如果你想指定你自己的 SESSION_MANAGEMENT_FILTER 你必须禁用 session-fixation-protection,只需输入:

<http create-session="never" use-expressions="true" auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
        <session-management session-fixation-protection="none"/>
        <custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />

        <...>
</http>
于 2014-02-06T10:53:17.277 回答