1

Everything is working fine when it's defined in .xml files. Now I've started migrating .xml files to java configs. Security.xml is the first file which I've been migrating.

Security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans     http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <http pattern="/scripts/**" security="none" />
    <http pattern="/assets/**" security="none" />

    <http auto-config="true">
        <intercept-url pattern="/app/admin/**" access="ROLE_SUPER_ADMIN,ROLE_ADMIN" />
        <intercept-url pattern="/app/settings/**"
            access="ROLE_SUPER_ADMIN,ROLE_ADMIN" />
        <intercept-url pattern="/app/**"
            access="ROLE_SUPER_ADMIN,ROLE_ADMIN" />
        <form-login login-page="/login" default-target-url="/main"
            login-processing-url="/session" username-parameter="UserName"
            password-parameter="Password" always-use-default-target="true"
            authentication-success-handler-ref="authenticationSuccess"
            authentication-failure-handler-ref="authenticationFailure" />
        <logout logout-url="/app/logout" delete-cookies="JSESSIONID"
            invalidate-session="true" logout-success-url="/login" />
    </http>
    <beans:bean id="authenticationSuccess"
        class="com.comp.site.config.AuthenticationSuccess" />
    <beans:bean id="authenticationFailure"
        class="com.comp.site.config.AuthenticationFailure" />
    <beans:bean id="userDao"
        class="com.comp.site.dao.hibernate.UserDaoHibernate" />

    <beans:bean class="com.comp.security.AuthenticationProvider"
        id="authenticationProvider">
        <beans:property name="userDetailsService" ref="userDao">
        </beans:property>
    </beans:bean>

    <authentication-manager>
        <authentication-provider ref="authenticationProvider" />
    </authentication-manager>


    <global-method-security>
        <protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))"
            access="ROLE_ADMIN,ROLE_SUPER_ADMIN" />
        <protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))"
            access="ROLE_ADMIN,ROLE_SUPER_ADMIN" />
    </global-method-security>

</beans:beans>

Migrated SecurityConfig.java

package com.comp.springconfig;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import com.comp.security.AuthenticationProvider;
import com.comp.site.config.AuthenticationFailure;
import com.comp.site.config.AuthenticationSuccess;
import com.comp.site.dao.hibernate.UserDaoHibernate;

@Configuration
@EnableWebSecurity
@ComponentScan
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    AuthenticationSuccess authenticationSuccess;

    @Autowired
    AuthenticationFailure authenticationFailure;

    @Autowired
    UserDaoHibernate userDaoHibernate;

    @Autowired
    AuthenticationProvider authenticationProvider;

    @Autowired
    public void configureGlobal( AuthenticationManagerBuilder auth ) throws Exception{
        auth
        .authenticationProvider(authenticationProvider)
        .userDetailsService(userDaoHibernate);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
        .ignoring()
        .antMatchers("/scripts/**","/assets/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authenticationProvider(authenticationProvider)
        .authorizeRequests()

        .antMatchers("/app/admin/**")
        .hasAnyRole("ROLE_SUPER_ADMIN","ROLE_ADMIN")

        .antMatchers("/app/settings/**")
        .hasAnyRole("ROLE_SUPER_ADMIN","ROLE_ADMIN")

        .antMatchers("/app/**")
        .hasAnyRole("ROLE_SUPER_ADMIN","ROLE_ADMIN")

        .anyRequest().authenticated()
        .and()

        .formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/main", true)
        .loginProcessingUrl("/session")
        .usernameParameter("UserName")
        .passwordParameter("Password")
        .successHandler(authenticationSuccess)
        .failureHandler(authenticationFailure)

        .and()

        .logout()
        .logoutUrl("/app/logout")
        .deleteCookies("JSESSIONID")
        .invalidateHttpSession(true)
        .logoutSuccessUrl("/login");
    }

}

I'll configure the global-method-security later, as I need to make the current configuration work first. After running the program I get the following error.

SEVERE: Exception starting filter securityFilter
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:694)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1168)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:281)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
    at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:962)
    at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:324)
    at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java:235)
    at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:199)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:279)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:260)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:105)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4603)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5210)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1396)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1386)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Whenever there is some problem with the AuthenticationProvider provided, this error will happen. I've tried to configure AuthenticationProvided using some other steps, but none of them worked. Is there something wrong with my current configuration? I think the problem lies in AuthenticationManagerBuilder configuration.

Update

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <display-name>site</display-name>
    <distributable/>

     <!-- Context Configuration locations for Spring XML files -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:/applicationContext-resources.xml
            classpath:/applicationContext-dao.xml
            classpath:/applicationContext-service.xml
            classpath:/applicationContext.xml
        </param-value>
    </context-param>

    <context-param>
        <param-name>javax.servlet.jsp.jstl.fmt.fallbackLocale</param-name>
        <param-value>en</param-value>
    </context-param>

    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>rewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
        <!-- sets up log level (will be logged to context log)
            can be: TRACE, DEBUG, INFO (default), WARN, ERROR, FATAL, log4j, commons, sysout:{level} (ie, sysout:DEBUG)
            if you are having trouble using normal levels use sysout:DEBUG -->
        <init-param>
            <param-name>logLevel</param-name>
            <param-value>commons</param-value>
        </init-param>
        <!-- set the amount of seconds the conf file will be checked for reload
            can be a valid integer (0 denotes check every time,
            -1 denotes no reload check, default -1) -->
        <init-param>
            <param-name>confReloadCheckInterval</param-name>
            <param-value>-1</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>securityFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetBeanName</param-name>
            <param-value>springSecurityFilterChain</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>rewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>securityFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>


    <!--  CONTEXT LISTENERS -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>com.comp.site.listener.StartupListener</listener-class>
    </listener>


    <!--     SESSION CONFIGURATION    -->
    <session-config>
        <session-timeout>15</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <!--<secure>true</secure>-->
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

    <!--     SPRING SERVLETS DEFININTIONS     -->
     <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/app/*</url-pattern>
    </servlet-mapping>

</web-app>

Path of security.xml is /WEB-INF/security.xml which I've deleted it from Web.xml after writing Java configuration

The Coder
  • 2,562
  • 5
  • 33
  • 62

2 Answers2

0

When you add @EnableWebSecurity to a class, spring security creates springSecurityFilterChain bean with several other security beans. As you already have this annotation on your java configuration that means springSecurityFilterChain bean will get created and placed in ApplicationContext at setup time. To avoid this error you need to make sure that your java configuration is getting scanned properly. Also add your filter in web.xml as given below.

<filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
Imrank
  • 1,009
  • 5
  • 15
-1

Remove everything related to "securityFilter" and let Spring Security Auto-configure them for you.

Jason Marsh
  • 380
  • 4
  • 11