-1

Here my spring configurer:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
@Slf4j
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        log.info("Web security performing");

        http
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .cors().and()
        .csrf().disable()
        .authorizeRequests().anyRequest().permitAll();

        log.info("Web security performed");
    }
}

Nevertheless, it's never reached.

Here my application class:

@ComponentScan({
    "cat.gencat.catsalut.hes.core.domain.mpi",
    "cat.gencat.catsalut.hes.core.repository"
})
@SpringBootApplication(exclude = JmxAutoConfiguration.class)
public class ProjectApplication {

As you can see, @ComponentScan is placed on main ProjectApplication class.

I've realized that when I remove @ComponentScan from my main ProjectApplication class, my WebSecurityConfiguration is detected.

When it's present, WebSecurityConfiguration is ignored.

Any ideas?

Jordi
  • 20,868
  • 39
  • 149
  • 333
  • `@EnableWebSecurity` has `@Configuration` so `@Configuration` is redundant. does Spring successfully pick it? could you test `@SpringBootApplication(scanBasePackages = "com.app.security")` also – badger Jul 19 '21 at 10:23
  • I think the problem arises on `@ComponentScan` on my `ApiApplication` class. I think it's modifing where to find classes. I'm editing post... – Jordi Jul 19 '21 at 10:25

2 Answers2

0

SpringBootApplication without specifying @ComponentScan by default scan all classes in the current and those that are located in subpackages for picking Beans and Configuration and other stuffs. if you specify

@ComponentScan({
    "cat.gencat.catsalut.hes.core.domain.mpi",
    "cat.gencat.catsalut.hes.core.repository"
})

then only cat.gencat.catsalut.hes.core.domain.mpi and cat.gencat.catsalut.hes.core.repository and their subpackages will be scanned for beans. so try to put the class which contains @SpringBootApplication in the root of your project or use @SpringBootApplication(scanBasePackages = {'package1', 'package2'}) to specify packages that have to be scanned.

badger
  • 2,908
  • 1
  • 13
  • 32
0

Try to rely on spring boot default conventions first:

Assuming you've placed ProjectApplication in the com.mycompany.myapp package You can:

  1. Remove the @ComponentScan annotation from it
  2. Place WebSecurityConfiguration class in the same package com.mycompany.myapp or any package beneath it: Example: com.mycompany.myapp.web.security.config.

When spring boot application starts by default it has a very well defined policies of what should be scanned, so it scans the package of the application itself (the package where the file annotated with @SpringBootApplication resides) and the packages beneath it.

You can alter this behavior with @ComponentScan , but then you might have issues in spring boot driven tests. So without a reason I don't think you should really go there. Of course, if you have an actual reason of altering the default component scanning policies, please share so that our colleagues/me could try to come up with a solution.

Mark Bramnik
  • 39,963
  • 4
  • 57
  • 97
  • What about if you need component from a third library? Which is the best place to locate it and scan those other classes? – Jordi Jul 19 '21 at 11:06
  • In this case these libraries implement a "bridge". This is called "starter". You put this starter as a dependency and it automatically loads the configurations provided by this starter. Technically it searches for `META-INF/spring.factories` file that contains a "pointer" on the configuration that should be loaded. These mechanism is known as "auto-configuration" in spring boot. See: https://docs.spring.io/spring-boot/docs/2.0.0.M3/reference/html/boot-features-developing-auto-configuration.html or https://www.baeldung.com/spring-boot-custom-starter – Mark Bramnik Jul 19 '21 at 11:10