I have a web application in which I am implementing Spring Security. My spring-security.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- ENABLE HTTP SECURITY -->
    <http auto-config="false" access-denied-page="/accessDenied.html">
        <!-- INTERCEPT URL FOR RESOURCES ACCESS -->
        <intercept-url pattern="/admin/" access="hasRole('ADMIN_ROLE')" />
        <intercept-url pattern="/users/" access="hasRole('USER_ROLE')" />
        <intercept-url pattern="/**" access="permitAll" />

        <!-- CUSTOM FILTER -->
        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="FORM_LOGIN_FILTER" ref="AuthFilter" />

        <!-- SESSION MANAGEMENT CONFIG -->
        <session-management
            session-authentication-strategy-ref="session-management" />

        <!-- FORM LOGIN CONFIG -->
        <form-login login-page="/loginForm"
            authentication-failure-url="/error.html" default-target-url="/welcome.html" />
        <logout logout-success-url="/loggedout.html"
            invalidate-session="true" />
    </http>

    <!-- SERVICES -->
    <beans:bean id="customEncoder" class="com.rep.security.CustomPasswordEncoder"></beans:bean>
    <beans:bean id="customUserService" class="com.rep.security.CustomUserDetailService"></beans:bean>

    <!-- AUTHENTICATION MANAGER CONFIG -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customUserService">
            <password-encoder ref="customEncoder"></password-encoder>
        </authentication-provider>
    </authentication-manager>

    <!-- CONCURRENCY FILTER CONFIG -->
    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/timeout.html" />
    </beans:bean>

    <beans:bean id="AuthFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy"
            ref="session-management" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <beans:bean id="session-management"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry"
            ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans:beans>
At the time of running the application on JBoss I am facing this error:
15:40:02,470 ERROR [org.springframework.web.context.ContextLoader] (ServerService Thread Pool -- 59) Context initialization failed: org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Filter beans '<AuthFilter>' and 'Root bean: class [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and avoiding the use of <http auto-config='true'>.
Can anyone tell me what the problem with the configuration is? I am following [Spring Doc ioc] for session management.
You should read 4.3.6. Adding in Your Own Filters and Table 1. Standard Filter Aliases and Ordering
If you’ve used Spring Security before, you’ll know that the framework maintains a chain of filters in order to apply its services.
The order of the filters is always strictly enforced when using the namespace. When the application context is being created, the filter beans are sorted by the namespace handling code and the standard Spring Security filters each have an alias in the namespace and a well-known position.
Your <form-login> is using a filter with alias FORM_LOGIN_FILTER. And also you are adding another filter with the same position (position="FORM_LOGIN_FILTER" ref="AuthFilter"). So you're getting the error message:
Filter beans <AuthFilter> and Root bean: class [UsernamePasswordAuthenticationFilter] have the same order value
So I think you need to change the position if you want both:
<custom-filter after="FORM_LOGIN_FILTER" ref="AuthFilter" />
or
<custom-filter before="FORM_LOGIN_FILTER" ref="AuthFilter" />
From the spring security docs, section B1.5. The Security Namespace:
<form-login> element - Used to add an UsernamePasswordAuthenticationFilter to the filter stack.
Basically <form-login> element will add UsernamePasswordAuthenticationFilter and I think it conflicts with the filter you define in "AuthFilter" bean.