Error creating bean with name '_loginCommandPostProcessor'

Question

I'm currently using spring-flex integration and want to add webservices that are secured through spring as well.

To that end I am trying to create two http tags?

spring-security-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
    http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-4.2.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-4.3.xsd">

    <context:component-scan base-package="com.somenamespace.login" />   
     <context:annotation-config/>

     <beans:bean id="entryPoint"
        class="org.springframework.flex.security4.FlexAuthenticationEntryPoint"/>


    <http entry-point-ref="entryPoint" pattern="/messagebroker/**">
        <intercept-url pattern="/**" access="authenticated"/>
        <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
        <session-management session-authentication-strategy-ref="sas"/>
    </http>

    <http  pattern="*">
    <intercept-url pattern="/**" access="authenticated"/>
        <http-basic />
        <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
        <session-management session-authentication-strategy-ref="sas"/>
    </http>

    <beans:bean id="myAuthFilter" class=
"org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy" ref="sas" />
        <beans:property name="authenticationManager" ref="authenticationManager" />

    </beans:bean>
    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />

    <beans:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
        <beans:property name="userDetailsService" ref="customAuthenticationProvider"/>
        <beans:property name="switchUserUrl" value="/admin/impersonate"/>
        <beans:property name="targetUrl" value="/cre/CRE.html"/>
        <beans:property name="switchFailureUrl" value="/admin/switchUser"/>
    </beans:bean> 


    <beans:bean id="defaultMessageTemplate" class="org.springframework.flex.messaging.MessageTemplate" />

    <beans:bean id="customAuthenticationProvider" class="com.somenamespace.login.CustomAuthenticationProvider"/>

    <authentication-manager alias="authenticationManager">  
    <authentication-provider ref="customAuthenticationProvider"/>  <    
    </authentication-manager>

</beans:beans>

I'm getting the following error:

Error creating bean with name '_loginCommandPostProcessor': Unsatisfied dependency expressed through bean property 'sessionAuthenticationStrategy'; nested exception is org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type 'org.springframework.security.web.authentication.session.SessionAuthenticationStrategy' available: expected single matching bean but found 3: org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#0,org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#1,sas

Answer 1

<context:component-scan base-package="com.somenamespace.login" /> -- by this you are telling Spring: "Please, scan com.somenamespace.login and initialize any beans marked with annotations: @Component, @Repository, @Service, @Controller into my application context".

So, you have 3 beans initialized into the context which are candidates to be autowired into property sessionAuthenticationStrategy:

1. sas -- initialized by scanning com.somenamespace.login (see the declaration at the beginning of this answer).
2. org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#0 -- the bean you didn't expect to be initialized; probably you may have another one in other xml spring context files (if they exist in your application -- I don't know that).
3. org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#1- see point 2.

Spring doesn't know which one to choose. Thus you are getting the error.

I may suggest you two possible solutions:

1. The dirty one, but fast. You mark your sas bean as a primary. Like this: <beans:bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" primary=true/> Please, also be advised, that if you need to inject bean of CompositeSessionAuthenticationStrategy class or any other bean which implements SessionAuthenticationStrategy somewhere in your application, but not sas, this solution won't suit you, as it will always inject sas.

2. More cleaner solution, but may require more time: find out what can provoke the unexpected beans to be initiliazed and fix it. From my point of view, as I said, it could be additional <context:component-scan /> declaration somewhere in your spring context xml files (if there are more than one).

   Good luck! I hope this could help.