14

In XML configuration, I can use security namespace to enable support for security, such as:

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="authenticator" />
</security:authentication-manager>

<security:global-method-security pre-post-annotations="enabled" />

<bean id="authenticator"
    class="org.springframework.security.authentication.TestingAuthenticationProvider" />

I try to use Spring without XML, with only @Configuration classes. What is the plain Java equivalent of such configuration as the XML sample above?

Konrad Garus
  • 53,145
  • 43
  • 157
  • 230
  • possible duplicate of [Code-based Spring Security Configuration](http://stackoverflow.com/questions/8849162/code-based-spring-security-configuration) – Grzegorz Rożniecki Sep 06 '12 at 16:38

1 Answers1

12

EDIT: In December 2013 Spring Security 3.2 was released and Java Configuration was implemented, so above XML is roughly equivalent to:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(final AuthenticationManagerBuilder auth)
      throws Exception {
    auth.authenticationProvider(authenticator());
    super.configure(auth);
  }

  @Bean
  public AuthenticationProvider authenticator() {
    return new TestingAuthenticationProvider();
  }

}

Old answer from 2012:

Unfortunately, there isn't any. Check this answer (posted half year ago by Spring Security lead dev):

There currently is no easy way to do Spring Security configuration with Java configuration. You must know what the namespace does behind the scenes making it difficult and error prone. For this reason, I would recommend sticking with the Spring Security namespace configuration.

One option is to contribute to an unofficial project - Scalasec - which provides Scala-based configuration and was described in this post on SpringSource blog. Again, this is not recommended for production since project seems to be abandoned. I want to experiment with this project some day but have no spare time currently :(

Community
  • 1
  • 1
Grzegorz Rożniecki
  • 27,415
  • 11
  • 90
  • 112
  • It's not completely abandoned. I've been tinkering with it recently and still prefer using it to the namespace. There's nothing in there which supports creating proxies for method security, though, but that isn't really a big issue since you can easily mix in a minimal XML file to a Java configuration and the there is only really one element involved. – Shaun the Sheep Sep 07 '12 at 11:25
  • @LukeTaylor Could you update the repository on Github? I'll definitely want to check the current version. – Grzegorz Rożniecki Sep 07 '12 at 11:28
  • I haven't been making many changes to the code itself, other than updating the sbt build. I'll push those changes soon. – Shaun the Sheep Sep 07 '12 at 12:11
  • As of today, is it possible? Thank you. – Charles Morin Apr 04 '14 at 15:18
  • Yes, today is possible, take a look at: [Java Configuration](http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#jc) and [Class AuthenticationManagerBuilder](http://docs.spring.io/autorepo/docs/spring-security/3.2.5.RELEASE/apidocs/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.html) – Denis C de Azevedo Sep 06 '14 at 04:07