Overriding AUTHENTICATION_PROCESSING_FILTER

**Bjorn121** · Jul 1st, 2008, 01:00 AM

Ok, I misinterpreted that sentence in the previous posts

.

Maybe it's a good idea to add this to the reference guide, because that's not very clear at all when you read that part.

**banifou** · Jul 16th, 2008, 02:37 PM

Hello,
I'm using SWF 2.0.2 with Facelets. After updating to Spring Security 2.0.2 (from 2.0.0) my Configuration below is no more working, so I removed the form-login tag and added the AuthenticationProcessingFilterEntryPoint bean as Luke suggested but I still get the following exception:

Code:

ERROR: org.springframework.web.context.ContextLoader - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.security.config.SecurityConfigurationException: Filters 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]' and 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and not avoiding the use of <http auto-config='true'>.
Related cause: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name '_defaultLoginPageFilter': Unsatisfied dependency expressed through constructor argument with index 1 of type [org.springframework.security.ui.AbstractProcessingFilter]: Ambiguous constructor argument types - did you specify the correct bean references as constructor arguments?
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:478)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
        at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:220)
.
.
.
Caused by: org.springframework.security.config.SecurityConfigurationException: Filters 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]' and 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and not avoiding the use of <http auto-config='true'>.
        at org.springframework.security.config.FilterChainProxyPostProcessor.postProcessBeforeInitialization(FilterChainProxyPostProcessor.java:65)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:350)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1329)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:471)
        ... 90 more

My Config is:

Code:

    <security:http auto-config="true" >
         <security:intercept-url pattern="/spring/login/login*" access="ROLE_ANONYMOUS"  requires-channel="https" />
         <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
        <!--<security:form-login login-page="/spring/login/login" /> -->
        <security:logout logout-url="/spring/login/logout" logout-success-url="/spring/home" />
    </security:http>

    <security:authentication-provider>
           <security:password-encoder ref="encoder" >
               <security:salt-source system-wide="*****" />
           </security:password-encoder>
           <security:jdbc-user-service data-source-ref="dataSource"  
           users-by-username-query="SELECT ******"
           authorities-by-username-query="SELECT *****" />
    </security:authentication-provider>
	
    <security:authentication-manager alias="authenticationManager"/>
    
  <bean id="authenticationEntryPoint"
        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl" value="/spring/login/login" />
    <property name="forceHttps" value="true" />
  </bean>
  
<bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureUrl" value="/spring/login/login?login_error=1"/>
        <property name="defaultTargetUrl" value="/spring/auction"/>
        <property name="filterProcessesUrl" value="/spring/login/loginProcess"/>
        <property name="targetUrlResolver">
            <bean class="org.springframework.security.ui.TargetUrlResolverImpl">
                <property name="justUseSavedRequestOnGet" value="false"/>
            </bean>       
        </property>
        <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/> 
    </bean>

  <bean id="encoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
      
  <bean id="saltSource"
      class="org.springframework.security.providers.dao.salt.SystemWideSaltSource">
    <property name="systemWideSalt" value="yw4a79" />
  </bean>

    <bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>

Can anybody help?
Thanks in advance.

**Bjorn121** · Jul 16th, 2008, 03:15 PM

I don't know if that's the solution, but try adding <security:custom-entry-point /> (use code completion, because I don't know the correct code by heart) to your custom EntryPoint bean. And set aut-config to false too.

**banifou** · Jul 16th, 2008, 05:35 PM

So, now it works. The right config is as below and the added two lines in bold seems to be important otherwise it doesn't works!

Code:

    <security:http auto-config="false" entry-point-ref="authenticationEntryPoint" >
         <security:intercept-url pattern="/spring/login/login*" access="ROLE_ANONYMOUS"  requires-channel="https" />
         <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
        <security:logout logout-url="/spring/login/logout" logout-success-url="/spring/home" />
        <security:http-basic />
        <security:anonymous />
    </security:http>

Bye.

**banifou** · Jul 17th, 2008, 03:57 AM

Originally Posted by Luke Taylor

Yes, you're right. I've corrected the message.

Hi Luke, the error message is still:

Code:

not avoiding the use of <http auto-config='true'>.

Bye

**Luke Taylor** · Jul 17th, 2008, 06:36 AM

Not in 2.0.3, it shouldn't be:

http://static.springframework.org/sp...cessor.html#69

Thread: Overriding AUTHENTICATION_PROCESSING_FILTER

Thread Tools

Display

Update to Spring Security 2.0.2

wrong error message

Posting Permissions