In my web application I'm using Spring and configuring it with Java. What I'm trying to do now is add Spring Security and a custom ContextLoaderListener. It works just fine if I do it the "old" way, via web.xml that is. But I would like to use Java configuration instead.
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>my.custom.ContextLoaderListener</listener-class>
</listener>
My ContextLoaderListener makes sure that my SecurityContext.xml is loaded, and SecurityContext.xml contains all the configuration for spring-security-saml. Below is just a snippet of SecurityContext.xml:
<context:annotation-config />
<context:component-scan base-package="org.springframework.security.saml" />
<security:http security="none" pattern="/css/**" />
.
.
.
I load my ContextLoaderListener with the code below:
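public class DispatcherServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // Let the base initializer register the DispatcherServlet first.
        super.onStartup(servletContext);
        // Register the custom listener that loads SecurityContext.xml.
        servletContext.addListener(CustomContextLoaderListener.class);
    }
    // getRootConfigClasses(), getServletConfigClasses() and getServletMappings() omitted.
}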
What I have accomplished so far is a web application that works in a way. I do get redirected to my Identity Provider and I get a successful authentication. The problem is that I need to disable CSRF to get the SAML stuff working.
No problem, I thought. I just added the class below:
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        super.configure(http);
    }
}
Not that simple, because the above class is never triggered. What am I missing here?
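
One Java-config arrangement that replaces the web.xml entries above, added here as an example and not code from the original post. It assumes the Spring Security 4.x/5.x API that WebSecurityConfigurerAdapter belongs to and an assumed SAML endpoint path of /saml/**, and it omits the SAML beans from SecurityContext.xml; the class names SecurityWebInitializer and WebInitializer are made up for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

// Java equivalent of the <filter>/<filter-mapping> pair in web.xml: registers a
// DelegatingFilterProxy named springSecurityFilterChain and maps it to /*.
class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {
}

// Hypothetical initializer name. The root context it creates is the one the
// DelegatingFilterProxy looks in for the springSecurityFilterChain bean.
class WebInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    @Override
    protected Class<?>[] getRootConfigClasses() {
        // A @Configuration class is only processed by a context that has been
        // given it, either listed here or found by a component scan.
        return new Class<?>[] { SecurityConfiguration.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return null; // no separate servlet-level configuration in this sketch
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Exempt only the endpoints that receive cross-site POSTs from the
                // Identity Provider; every other path keeps CSRF protection.
                .ignoringAntMatchers("/saml/**") // assumed path
                .and()
            .authorizeRequests()
                .antMatchers("/css/**").permitAll() // mirrors security="none" for /css/**
                .anyRequest().authenticated();
    }
}
```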