配置Spring Security以使用自定义UsernamePasswordAuthenticationFilter

Question

我已经实现了我自己的LowerCaseUsernamePasswordAuthenticationFilter，它只是UsernamePasswordAuthenticationFilter的一个子类。

但现在我的问题是，如何配置Spring安全使用此过滤器。

到现在为止我所用：

<security:http auto-config="true" use-expressions="true"> 
    <security:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" /> 
    <security:logout logout-url="/resources/j_spring_security_logout" /> 

    <security:intercept-url pattern="/**" access="isAuthenticated()" requires-channel="${cfma.security.channel}" /> 
</security:http> 

我真的转的auto-config和需要配置手工所有过滤器？ - 如果这是真的，任何人都可以提供一个例子吗？

---

只需添加一个security:custom-filter方式：

<security:http ...> 

    <security:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" /> 
    <security:custom-filter ref="lowerCaseUsernamePasswordAuthenticationFilter" position="FORM_LOGIN_FILTER"/> 
    ... 
</security:http> 

并导致与该消息的异常：

配置问题：过滤豆<lowerCaseUsernamePasswordAuthenticationFilter>和“根bean：类[ org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter];范围=;抽象= FALSE; lazyInit = FALSE; autowireMode = 0; dependencyCheck = 0; autowireCandidate = TRUE;初级= FALSE; factoryBeanName = NULL; factoryMethodName = NULL; initMethodName = NULL; destroyMethodName = null'具有相同的'order'值。 使用自定义过滤器时，请确保位置与默认过滤器不冲突。或者，您可以通过删除相应的子元素并避免使用，来禁用默认过滤器。

Answer 1

我已经通过手动编写需要的自动配置的豆来完成它。这是结果：

<!-- HTTP security configurations --> 
<security:http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint"> 

    <!-- 
    <security:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" /> 
     replaced by lowerCaseUsernamePasswordAuthenticationFilter 
     the custom-filter with position FORM_LOGIN_FILTER requries that auto-config is false! 
    --> 
    <security:custom-filter ref="lowerCaseUsernamePasswordAuthenticationFilter" position="FORM_LOGIN_FILTER"/> 
    <security:logout logout-url="/resources/j_spring_security_logout" /> 

    <security:intercept-url pattern="/**" access="isAuthenticated()" /> 
</security:http> 

<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
    <property name="loginFormUrl" value="/login"/> 
</bean> 

<bean id="lowerCaseUsernamePasswordAuthenticationFilter" 
    class="com.queomedia.cfma.infrastructure.security.LowerCaseUsernamePasswordAuthenticationFilter"> 
    <property name="filterProcessesUrl" value="/resources/j_spring_security_check"/> 
    <property name="authenticationManager" ref="authenticationManager"/> 
    <property name="authenticationFailureHandler"> 
     <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> 
      <property name="defaultFailureUrl" value="/login?login_error=t"/>  
     </bean> 
    </property> 
</bean> 

Answer 2

这里是一个在斯卡拉的例子。我必须这样做来替换Spring Security OAuth提供的过滤器。

基本上这个想法是，注入FilterChainProxy和你想要替换到你的过滤器的现有过滤器。找到filterChainMap中的现有过滤器，并将其替换为您的过滤器。

import org.springframework.security.oauth2.provider.verification.{VerificationCodeFilter => SpringVerificationCodeFilter} 

@Component 
class VerificationCodeFilter extends SpringVerificationCodeFilter with InitializingBean { 
    @Autowired var filterChainProxy: FilterChainProxy = _ 
    @Autowired var springVerificationCodeFilter: SpringVerificationCodeFilter = _ 


    override def afterPropertiesSet() { 
    super.afterPropertiesSet() 

    val filterChainMap = filterChainProxy.getFilterChainMap 
    val filterChain = 
     filterChainMap.find(_._2.exists(_.isInstanceOf[SpringVerificationCodeFilter])). 
      getOrElse(throw new Exception("Could not find VerificationCodeFilter in FilterChainMap"))._2 
    val index = filterChain.indexOf(springVerificationCodeFilter) 
    filterChain.remove(index) 
    filterChain.add(index, this) 
    } 
}