16

I need to add Spring Security with customized login page and connection to database to my Spring MVC project. I am receiving following error message, based on answers of other questions, I tried to change the code, for example I changed my Spring Security Schema version to 4.0 but the code returns following error:

Changed schema to 4.0

http://www.springframework.org/schema/security/spring-security-4.0.xsd

Error

Cannot initialize context because there is already a root application context 
present - check whether you have multiple ContextLoader* definitions in your 
web.xml!

My code

my-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns='http://www.springframework.org/schema/security'
    xmlns:beans='http://www.springframework.org/schema/beans' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xsi:schemaLocation='http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd'>

    <beans:import resource="security-db.xml" />

    <http auto-config="true" access-denied-page="/notFound.jsp"
        use-expressions="true">
        <intercept-url pattern="/" access="permitAll" />
    </http>
</beans:beans>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
          http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
    <listener>
        <listener-class>org.apache.tiles.extras.complete.CompleteAutoloadTilesListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>my</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>my</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/config/my-security.xml
        </param-value>
    </context-param>

</web-app>

security-db.xml

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <bean id="dataSource"
        class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="com.mysql.jdbc.Driver" />
        <property name="url" value="jdbc:mysql://localhost/dbproj" />
        <property name="username" value="jack" />
        <property name="password" value="jack" />
    </bean>
</beans>
Jack
  • 6,430
  • 27
  • 80
  • 151
  • 1
    For starters don't load the same configuration twice. You are loading the `my-servlet.xml` twice once by the `DispatcherServlet` and once by the `ContextLoaderListener`. It is also recommended to use the version less schemas so `spring-security.xsd` instead of `spring-security-4.0.xsd`. – M. Deinum Jun 01 '15 at 12:33
  • @M.Deinum thanks, where else am I loading my-servlet.xml? I thought I am just loading it as contextConfigLocation param. – Jack Jun 01 '15 at 22:10
  • And the `DispatcherServlet` by default, loads a file from `WEB-INF` called `-servlet.xml`. In your case it loads, again, the `my-servlet.xml`. – M. Deinum Jun 02 '15 at 05:19
  • @M.Deinum I removed that but did not solve the issue. – Jack Jun 02 '15 at 11:08
  • Could you post your security-db.xml ? – sven.kwiotek Jun 10 '15 at 08:05
  • @s.kwiotek question is updated. – Jack Jun 10 '15 at 10:19
  • add your full stack trace.. – Ali Dehghani Jun 11 '15 at 15:49
  • I see lots of missing stuff in your question! where is `DelegatingFilterProxy` filter definition in your web.xml? where is your `authentication-manager` element in your my-security.xml? – Ali Dehghani Jun 11 '15 at 16:03

2 Answers2

5

I think you need have only one xml configuration file (my-servlet.xml as your servlet name is "my" so filename must be "my-servlet.xml") in web-xml and then refer others in that file. Refer to xmls below.

<xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
          http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
    <listener>
        <listener-class>org.apache.tiles.extras.complete.CompleteAutoloadTilesListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
        <servlet>
            <servlet-name>my</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>/WEB-INF/my-servlet.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
    </servlet>

</web-app>

In my-servlet.xml file you can use import to compose your other XML configurations.

<beans>
  <bean id="bean1" class="..."/>
  <bean id="bean2" class="..."/>

  <import resource="security-db.xml"/>
  <import resource="foo-db.xml"/>
</beans>
Sheetal Mohan Sharma
  • 2,908
  • 1
  • 23
  • 24
  • I dont see any difference between our codes would you please clarify that. – Jack Jun 10 '15 at 12:25
  • In your web.xml you are loading two servlets. One is my "my-servlet.xml" ( correct one) and then additional "my-security.xml" or "security-db.xml" in context param tag. My suggestion is to move loading of security-db.xml in "my-servlet.xml" as import. What is correct name "security-db.xml" or "my-security.xml"? The Spring MVC with Dispatcher Servlet works well if you have only one xml and load other xml as resource – Sheetal Mohan Sharma Jun 10 '15 at 13:50
  • I think the important thing is to set the contextConfigLocation Parameter in init-param of DispatcherServlet and there you have to put your my-security.xml. – sven.kwiotek Jun 10 '15 at 14:58
  • 1
    @SheetalMohanSharma as mentioned in the question my-security.xml is the correct one . What do you mean there are two? I just have the following line. /WEB-INF/config/my-security.xml I do not get you sorry. – Jack Jun 10 '15 at 22:04
  • @s.kwiotek would you give me an example. I am puzzled. – Jack Jun 10 '15 at 22:04
  • Spring MVC XML name is by default is servletname-servlet.XML and in your case it's my-servlet.XML which it expects in param tag and not my-security.XML. That's what I posted in code. If you need additional XML files load them in my-servlet.XML as resource. – Sheetal Mohan Sharma Jun 10 '15 at 22:08
  • 1
    If I take section out it shows following error message /WEB-INF/applicationContext.xml]; nested exception is java.io.FileNotFoundException, – Jack Jun 11 '15 at 10:17
  • Jack - my-servlet.xml where is that? If you want my then spring expect you to have my-servlet.xml as name of your applicationContext file to be. So create my-servlet.xml and import other def in there. Read section 17.2 in http://docs.spring.io/spring/docs/current/spring-framework-reference/html/mvc.html. Read this question too - http://stackoverflow.com/questions/8769145/springmvc-servlet-mapping and try to relate to what I have posted. – Sheetal Mohan Sharma Jun 11 '15 at 12:57
  • Alright, will have a look again. I have my-servlet.xml at the specified location though. – Jack Jun 11 '15 at 22:32
4

Add DelegatingFilterProxy to your web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
         http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>my</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>my</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:config/security-config.xml</param-value>
    </context-param>
</web-app>

add my-servlet.xml as your web application context configuration to /webapp/WEB-INF/. add authentication-manager element to my-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">
       <beans:import resource="spring-db.xml" />

       <http auto-config="true" use-expressions="true">
              <intercept-url pattern="/" access="permitAll" />
       </http>

       <authentication-manager>
              <authentication-provider>
                     <user-service>
                            <user name="username" authorities="ROLE_ADMIN" password="password" />
                     </user-service>
              </authentication-provider>
       </authentication-manager>
</beans:beans>

get rid of access-denied-page and use access-denied-handler as Mkyong did it here

Ali Dehghani
  • 46,221
  • 15
  • 164
  • 151