
I'm trying to configure spring-security as found here and seem to have run into a limitation of my understanding of how the XML files work.

As instructed I've added spring security to applicationContext.xml as follows:

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:p="http://www.springframework.org/schema/p"
   xmlns:aop="http://www.springframework.org/schema/aop"
   xmlns:tx="http://www.springframework.org/schema/tx"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
    http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"
   xmlns:context="http://www.springframework.org/schema/context" 
   xmlns:mvc="http://www.springframework.org/schema/mvc"
   xmlns:security="http://www.springframework.org/schema/security">

That step deployed fine.

I then went to web.xml and added:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

That still deployed fine.

I then tried adding

<http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>

Which I also tried as

<security:http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
</security:http>

In both cases I saw an error when I tried to deploy the application:

Error occurred during deployment: Exception while deploying the app [OmegaRM] : org.xml.sax.SAXParseException; lineNumber: 53; columnNumber: 39; Deployment descriptor file WEB-INF/web.xml in archive [web].  cvc-complex-type.2.4.a: Invalid content was found starting with element 'security:http'. One of '{"http://xmlns.jcp.org/xml/ns/javaee":module-name, "http://xmlns.jcp.org/xml/ns/javaee":description, "http://xmlns.jcp.org/xml/ns/javaee":display-name, "http://xmlns.jcp.org/xml/ns/javaee":icon, "http://xmlns.jcp.org/xml/ns/javaee":distributable, "http://xmlns.jcp.org/xml/ns/javaee":context-param, "http://xmlns.jcp.org/xml/ns/javaee":filter, "http://xmlns.jcp.org/xml/ns/javaee":filter-mapping, "http://xmlns.jcp.org/xml/ns/javaee":listener, "http://xmlns.jcp.org/xml/ns/javaee":servlet, "http://xmlns.jcp.org/xml/ns/javaee":servlet-mapping, "http://xmlns.jcp.org/xml/ns/javaee":session-config, "http://xmlns.jcp.org/xml/ns/javaee":mime-mapping, "http://xmlns.jcp.org/xml/ns/javaee":welcome-file-list, "http://xmlns.jcp.org/xml/ns/javaee":error-page, "http://xmlns.jcp.org/xml/ns/javaee":jsp-config, "http://xmlns.jcp.org/xml/ns/javaee":security-constraint, "http://xmlns.jcp.org/xml/ns/javaee":login-config, "http://xmlns.jcp.org/xml/ns/javaee":security-role, "http://xmlns.jcp.org/xml/ns/javaee":env-entry, "http://xmlns.jcp.org/xml/ns/javaee":ejb-ref, "http://xmlns.jcp.org/xml/ns/javaee":ejb-local-ref, "http://xmlns.jcp.org/xml/ns/javaee":service-ref, "http://xmlns.jcp.org/xml/ns/javaee":resource-ref, "http://xmlns.jcp.org/xml/ns/javaee":resource-env-ref, "http://xmlns.jcp.org/xml/ns/javaee":message-destination-ref, "http://xmlns.jcp.org/xml/ns/javaee":persistence-context-ref, "http://xmlns.jcp.org/xml/ns/javaee":persistence-unit-ref, "http://xmlns.jcp.org/xml/ns/javaee":post-construct, "http://xmlns.jcp.org/xml/ns/javaee":pre-destroy, "http://xmlns.jcp.org/xml/ns/javaee":data-source, "http://xmlns.jcp.org/xml/ns/javaee":jms-connection-factory, 
"http://xmlns.jcp.org/xml/ns/javaee":jms-destination, "http://xmlns.jcp.org/xml/ns/javaee":mail-session, "http://xmlns.jcp.org/xml/ns/javaee":connection-factory, "http://xmlns.jcp.org/xml/ns/javaee":administered-object, "http://xmlns.jcp.org/xml/ns/javaee":message-destination, "http://xmlns.jcp.org/xml/ns/javaee":locale-encoding-mapping-list, "http://xmlns.jcp.org/xml/ns/javaee":deny-uncovered-http-methods, "http://xmlns.jcp.org/xml/ns/javaee":absolute-ordering}' is expected.. Please see server.log for more details.

I don't understand what I'm missing from the configuration to make this error appear. I've tried adding security to the tag as follows and it made no difference:

<web-app version="3.1" 
     xmlns="http://xmlns.jcp.org/xml/ns/javaee" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:security="http://www.springframework.org/schema/security"
     xsi:schemaLocation="
        http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

I did find this question with the same error:

Spring Security beginner's question. Build failed

The solution recommended there though was to use the security namespace which I've already tried.

So my question is whether anyone knows what I'm doing wrong here please?

If possible I'd also really appreciate a link to and/or a more general explanation of how to determine what configuration should go in what files in Spring and how it all glues together! So far I've got a few applications running but I don't feel like I properly understand just what I've done to make them work!

I've added the following JARs to the project Libraries:

Libraries

Tim B

1 Answer


Your url-intercept needs the security namespace as well.

<security:intercept-url pattern="/**" access="ROLE_USER" />

If your security config is in its own application config xml, you can use security as the default namespace, thus avoiding having to prefix everything with security:. For example:

<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">


   <http auto-config='true'>
       <intercept-url pattern="/**" access="ROLE_USER" />
   </http>
   ...
</beans:beans>

Then from your main application config, you can import the security config. For example, let's say your security config was named security-application-config.xml, you could import it like so.

<!-- in your application-config.xml -->
<import resource="security-application-config.xml"/>
<import resource="mongo-application-config.xml"/>
ikumen
  • Argh. I had a feeling it was going to be something simple. If it's that I'm going to *headdesk* a few times. I'm home now but I'll try it first thing in the morning. The security.xml idea sounds good but what do I have to do to link in that xml file once I create it? Or is it automatically picked up by the framework? – Tim B Dec 10 '13 at 18:03
  • Another important thing to note here is that the following schema location: http://www.springframework.org/schema/security/spring-security.xsd in the above example gives you the most up to date schema without requiring the version in the URL – drembert Dec 10 '13 at 18:05
  • This got me 95% of the way there, I also needed to move it from web.xml (where I thought the spring security thing had said to put it although going back and looking that was a bit ambiguous) to applicationContext.xml and now it seems to be reading the config ok. Thanks a lot :) – Tim B Dec 11 '13 at 09:21
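
How the two files fit together once the security block is moved out of web.xml and every security element carries the prefix, as the answer and the last comment describe. This is an added example, not part of the original question or answer; the /WEB-INF/applicationContext.xml location, the ContextLoaderListener wiring and the in-memory demo user are assumptions made for illustration.

```xml
<!-- FILE 1: WEB-INF/web.xml. Servlet-container descriptor, validated against
     the javaee schema, so only javaee elements are allowed in it. -->
<web-app version="3.1"
     xmlns="http://xmlns.jcp.org/xml/ns/javaee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
  <!-- Tells Spring which bean file(s) to load (path is an assumption) -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <!-- The filter name must be springSecurityFilterChain: DelegatingFilterProxy
       looks up the Spring bean of that name, which <security:http> registers -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>

<!-- FILE 2: WEB-INF/applicationContext.xml. Spring bean file; the security
     namespace elements belong here, each one carrying the security: prefix. -->
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:security="http://www.springframework.org/schema/security"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <security:http auto-config='true'>
    <security:intercept-url pattern="/**" access="ROLE_USER" />
  </security:http>

  <!-- <security:http> needs an authentication manager to check logins against.
       Constructed placeholder user for local testing; not a value from the page -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="demo" password="CHANGE_ME" authorities="ROLE_USER" />
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
```

The SAXParseException in the question comes from the container validating web.xml against the javaee schema; Spring only parses the security namespace in files it loads as bean definitions.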