Spring Security 3.2.0.RC1 - element and deprecated method

Question

After upgrading to Spring Security 3.2.0.RC1 I'm getting the warning "Method 'setFilterProcessesUrl' is marked deprecated" for <http auto-config="true"> in my xml config. I get this warning even for a very simple configuration:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true">
        <intercept-url pattern="/myurl*" access="ROLE_USER" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user1" password="12345" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

According to Spring Security 3.2 API documentation setFilterProcessesUrl is deprecated and setRequiresAuthenticationRequestMatcher(RequestMatcher) should be used instead. How can I change this basic XML configuration, so it doesn't use deprecated methods? I'm using Eclipse Kepler with Spring Tool Suite plugin.

UPDATE:

If I remove <http auto-config="true"> and add <form-login /> to the http element

<http>
    <intercept-url pattern="/myurl*" access="ROLE_USER" />
    <form-login />
</http>

I also get the "Method 'setFilterProcessesUrl' is marked deprecated" warning and if I add <logout /> I get the same warning the second time. On the other hand, if I replace <form-login /> and <logout /> with <http-basic /> the warnings go away.

The same issue with Spring Security 3.2.0.RC2. I really don't get it, why would they deprecate a method which is still used by their own namespace? The only solution for now seems to be rolling back to 3.2.0.M2. — John29, Nov 05 '13 at 13:25

score 3 · Answer 1 · answered Sep 03 '13 at 12:26

3

If you are using the namespace then an IDE error like this doesn't really matter, since you can guarantee that Spring Security will support the feature. You aren't actually using the method yourself.

auto-config is a bad idea generally. Someone looking at that configuration won't easily know what it actually does. Do you really want basic authentication, for example? You are best to remove auto-config and explicitly add the features you want.

answered Sep 03 '13 at 12:26

Shaun the Sheep

22,353
1
72
100

1

Thanks Luke, you're right about `auto-config` being a bad idea, I just used it in my example to make it less verbose. I replaced it with `` and `` but warnings are still there. I understand that a warning is just a warning, but if there's a way to fix it, I'd prefer to do it, especially since it's the only warning in my project and I didn't get it with Spring Security 3.2.0.M2. – John29 Sep 03 '13 at 21:41

score 2 · Accepted Answer · answered Feb 20 '14 at 10:09

2

Fixed in Spring Security 3.2.1. The warnings were caused by XML namespace using a deprecated method. https://jira.springsource.org/browse/SEC-2455

answered Feb 20 '14 at 10:09

John29

3,340
3
32
50

Thanks for this answer. Looking for a solution on how to fix this. – Saminda Peramuna Dec 31 '17 at 00:42

Spring Security 3.2.0.RC1 - element and deprecated method

2 Answers2

Linked