Spring Security 3.1.1 + Jboss 7 Error - java

I'm having some problems when I try to deploy an application which uses Spring Security on Jboss; the error is:
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
This is my applicationContext-securety.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- HTTP security configurations -->
<!--<global-method-security pre-post-annotations="enabled"/>-->
<http pattern="/ext/**" security="none" />
<http pattern="/resources/**" security="none" />
<http pattern="/**" security="none" />
<http auto-config="true" use-expressions="true" disable-url-rewriting="true" entry-point-ref="tendwebEntryPoint">
<!-- Configure these elements to secure URIs in your application -->
<intercept-url pattern="/index.jsp" access="isAuthenticated()" />
<!-- Filter -->
<custom-filter ref="mockimiAuthenticationFilter" after="FORM_LOGIN_FILTER"/>
</http>
<authentication-manager alias="authenticationManager" />
<beans:bean id="imiAuthenticationFilter" class="com.tend.imi.web.security.imiAuthenticationFilter">
<beans:property name="tendwebFilter" ref="tendWebFilter" />
<beans:property name="imiUserDetailsService" ref="imiUserDetailsService"/>
</beans:bean>
<!-- Filtro de la tendweb -->
<beans:bean id="tendWebFilter" class="Gci.utils.http.LoginFilter" />
<beans:bean id="tendwebEntryPoint" class="com.tend.imi.web.security.imiwebEntryPoint" />
<beans:bean id="imiUserDetailsService" class="com.tend.imi.web.security.imiUserDetailsService" />
</beans:beans>
And I'm using this in the web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Can anybody help me? I searched a lot but it didn't work.

Possibly a double for this question.
The problem is that you say /** is open to any user, but then you try to use auto-config.
According to the error code, this causes conflict because spring doesn't know whether /index.jsp is supposed to be open for all users or only authenticated ones.

Thanks Sir Celius for your answer.
Finally I resolved my problem. The error was in the declaration of contextConfigLocation in the web.xml, I had this:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:META-INF/spring/applicationContext*.xml</param-value>
</context-param>
I don't know why, but Jboss doesn't like the use of the special character "*"; I just changed this and everything works.
I deployed this application in Tomcat and WebLogic and this never happened ... I think it's an error that Jboss has to fix.
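The ordering rule named in the error message, as an added example that is not part of the original posts: a small Python audit that walks the `<http>` elements of a security context in document order and reports a universal chain that is unsecured or that precedes other chains. It goes one step beyond the question by applying the same first-match-wins check to `<intercept-url>` rules inside each chain. It is a simplified model, not Spring Security's own validator; both sample configs are constructed from the question's XML.

```python
import xml.etree.ElementTree as ET

SEC_NS = "{http://www.springframework.org/schema/security}"
UNIVERSAL = {"/**", "**"}  # Ant patterns that match every request path

# Constructed sample: the <http> ordering from the question above, trimmed.
QUESTION_CONFIG = """\
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <http pattern="/ext/**" security="none"/>
  <http pattern="/resources/**" security="none"/>
  <http pattern="/**" security="none"/>
  <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/index.jsp" access="isAuthenticated()"/>
  </http>
</beans:beans>
"""

# Constructed variant: the universal security="none" chain is removed and the
# catch-all rule sits last, mirroring the question's intent that only
# /index.jsp requires a login.
REORDERED_CONFIG = """\
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <http pattern="/ext/**" security="none"/>
  <http pattern="/resources/**" security="none"/>
  <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/index.jsp" access="isAuthenticated()"/>
    <intercept-url pattern="/**" access="permitAll"/>
  </http>
</beans:beans>
"""


def is_universal(element):
    """True if this <http> or <intercept-url> matches every request."""
    if element.get("request-matcher-ref"):
        return False  # custom matcher bean: cannot be judged from the XML alone
    pattern = element.get("pattern")
    if pattern is None:
        # An <http> element without a pattern applies to all requests.
        return element.tag == SEC_NS + "http"
    return pattern in UNIVERSAL


def audit(xml_text):
    """Return (code, chain_index, pattern) findings in document order."""
    # Parse trusted configuration files only; ElementTree is not hardened
    # against maliciously constructed XML.
    root = ET.fromstring(xml_text)
    chains = list(root.iter(SEC_NS + "http"))
    findings = []
    for index, chain in enumerate(chains):
        label = chain.get("pattern", "(none)")
        if is_universal(chain):
            if chain.get("security") == "none":
                # Every URL bypasses the security filters entirely.
                findings.append(("universal-chain-unsecured", index, label))
            if index < len(chains) - 1:
                # Chains declared after this one can never be selected.
                findings.append(("chain-shadows-later-chains", index, label))
        rules = chain.findall(SEC_NS + "intercept-url")
        for rule in rules[:-1]:
            if is_universal(rule):
                # First match wins, so the rules after this one are dead.
                findings.append(
                    ("rule-shadows-later-rules", index, rule.get("pattern")))
    return findings


if __name__ == "__main__":
    for name, text in (("question", QUESTION_CONFIG),
                       ("reordered", REORDERED_CONFIG)):
        print(name, audit(text) or "no findings")
```

The `universal-chain-unsecured` finding is the one to read first: with that element present, no URL in the application passes through the authentication filters at all.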

Related

Configure datasource for integrating Spring Security in existing Spring project

I am implementing spring security in an existing spring mvc project. I had used xml to configure the spring security. I have used this tutorial for implementing spring security
http://www.mkyong.com/spring-security/spring-security-form-login-using-database/
In my project I have a db-source file(MySQL_Datasource.xml) in resources folder just under main (outside of webapp). And the way spring security is implemented in tutorial, the datasource needs to be under webapp folder. I am facing this problem of integration.
Below is the snap of my project structure and on the right side config. code of web.xml, I have commented on the line in image where I have to define my dataSource location.
This is code of spring security where dataSource will be used
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="usr"
password-parameter="pwd" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<csrf/>
</http>
<!-- Select users and user_roles from database -->
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"select username,password, enabled from users where username=?"
authorities-by-username-query=
"select username, role from user_roles where username =? " />
</authentication-provider>
</authentication-manager>
</beans:beans>
I am doing this first time. I need help so that I can get this done.
UPDATE:
MYSQL_DataSource.xml code:
<bean id="dataSource" class= "org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver"></property>
<property name="url" value="${jdbc.url}"></property>
<property name="username" value="${jdbc.username}"></property>
<property name="password" value="${jdbc.password}"></property>
</bean>
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location">
<value>db.properties</value>
</property>
</bean>
and below is the db.properties values:
jdbc.url = jdbc:mysql://localhost/bhaiyag_prod_grocery
jdbc.username = newuser
jdbc.password = kmsg
If your project is correctly configured, src/main/resources folder will be packaged during project build under WEB-INF/classes.
So, if maven configuration or deployment-assembly section in project/properties is Ok, the path that you should use in your web.xml is like this:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/groceryapp-servlet.xml
/WEB-INF/spring-security.xml
/WEB-INF/classes/MySQL_DataSource.xml
</param-value>
</context-param>
It should work this way.
Once it works, have a look at this question and answers spring-scheduler-is-executing-twice and this one too web-application-context-root-application-context-and-transaction-manager-setup. In many of the Mkyong's tutorials the application context is loading twice, and I'm pretty sure it would happen the same with your project once it starts working.
As your groceryapp-servlet.xml is already loaded by Spring MVC's dispatcher servlet, you could try just removing it from contextConfigLocation setting, just this way:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security.xml
/WEB-INF/classes/MySQL_DataSource.xml
</param-value>
</context-param>
Properties loading problem:
To load correctly the db.properties, try this config in DB config xml:
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location">
<value>classpath:/db.properties</value>
</property>
</bean>
You can also specify the context location relative to the current classpath. Make sure the resources folder is on your classpath; if it is, you can load the configuration file in your resources folder like this:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:MySQL_DataSource.xml</param-value>
</context-param>

spring-security.xml hardcoded password [duplicate]

I am using Spring Security in one of my project. The web-app requires the user to login. Hence I have added few usernames and passwords in the spring-security-context.xml file as follows:
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user_1" password="password_1" authorities="ROLE_USER" />
<user name="user_2" password="password_2" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
My question is, how do I move these username-password pairs to a different file (like some properties file) instead of keeping them in spring-security-context.xml? And how do I read that properties file?
You can store the usernames and passwords in a separate .properties file.
<user-service id="userDetailsService" properties="users.properties"/>
users.properties should have the following format:
jimi=jimispassword,ROLE_USER,ROLE_ADMIN,enabled
bob=bobspassword,ROLE_USER,enabled
If you want to store it in a database, I would recommend you to read this article: http://www.mkyong.com/spring-security/spring-security-form-login-using-database/
Reference: Spring Security In-Memory Authentication
You can use the PropertyPlaceholderConfigurer - put them in properties file and then reference them using EL:
http://static.springsource.org/spring/docs/3.1.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer
You can find a way to move them to a database or LDAP. Spring Security surely supports both.
I have tried the suggested ways; lastly I did the following, which seemed to work nicely.
Add these changes in your web.xml
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet-mapping>
<servlet-name>service</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Add these changes in your spring-security xml
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service>
<security:user name="${resource.service.authentication.name}"
authorities="${resource.service.authentication.authorities}"
password="${resource.service.authentication.password}"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
Add these changes into your application context xml or, if you have a property-loader xml, even better
<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="placeholderPrefix" value="${" />
<property name="placeholderSuffix" value="}" />
<property name="locations">
<list>
<value>classpath:resourceservice.properties</value>
</list>
</property>
</bean>
Then add these changes in your property file resourceservice.properties
resource.service.authentication.name=usename
resource.service.authentication.authorities=AUTHORISED
resource.service.authentication.password=password
Add these changes in your resource that uses Jersey
@PUT
@Path("{accountId}")
@Consumes("application/xml")
@PreAuthorize("hasRole('AUTHORISED')")
public Response methodName
This works for me for Spring security authentication and authorization using Properties file:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<mvc:annotation-driven />
<bean id="webPropertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="ignoreResourceNotFound" value="true" />
<property name="ignoreUnresolvablePlaceholders" value="true" />
<property name="locations">
<list>
<value>classpath:abc.properties</value>
</list>
</property>
</bean>
<bean
class="org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor" />
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/stat/login" access="permitAll"/>
<security:intercept-url pattern="/stat/summary" access="hasRole('ROLE_ADMIN')" />
<security:form-login login-page="/stat/login"
default-target-url="/stat/summary" authentication-failure-url="/stat/loginError" />
</security:http>
<!-- Username and password used from xml -->
<!-- <security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="xyz" password="xyz" authorities="ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager> -->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="${stat.user}" password="${stat.pwd}" authorities="ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
The abc.properties file:
stat.user=xyz
stat.pwd=xyz
The web.xml entry for spring-security implementation:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
You can simply add a Bean inside your Spring Security Configuration:
@Bean
public UserDetailsService userDetailsService() throws IOException {
// loadAllProperties reads users.properties from the classpath and can throw IOException
Properties users = PropertiesLoaderUtils.loadAllProperties("users.properties");
return new InMemoryUserDetailsManager(users);
}
and users.properties looks like :
admin={noop}password,ROLE_USER,ROLE_ADMIN,enabled
bob={noop}password,ROLE_USER,enabled
123={noop}123,ROLE_USER,enabled
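Moving credentials into users.properties changes where they live, not how they are stored. The following added example (not code from any of the answers above) parses the `username=password,AUTHORITY,...,enabled` format shown in this thread and lists accounts whose password is kept unhashed. It assumes an unprefixed value is plaintext, which holds when no password encoder is configured, as in the configurations above; the sample entries are constructed and the `{bcrypt}` value is a placeholder.

```python
import re

# Constructed sample in the format shown above:
#   username=password,AUTHORITY[,AUTHORITY...][,enabled|disabled]
# The {bcrypt} value is a placeholder, not a real hash.
SAMPLE_USERS = """\
# constructed entries, not real credentials
admin={noop}password,ROLE_USER,ROLE_ADMIN,enabled
bob=bobspassword,ROLE_USER,enabled
carol={bcrypt}BCRYPT_HASH_PLACEHOLDER,ROLE_USER,disabled
"""

# "{id}" prefix that names the encoder used for the stored value.
ENCODER_PREFIX = re.compile(r"^\{([^}]+)\}")


def parse_users(text):
    """Parse users.properties text into {username: attributes}."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties comment
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key=value entry: %r" % raw)
        # First token is the password, the rest are authorities or a flag.
        password, *attributes = [token.strip() for token in value.split(",")]
        enabled, authorities = True, []
        for token in attributes:
            if token.lower() in ("enabled", "disabled"):
                enabled = token.lower() == "enabled"
            elif token:
                authorities.append(token)
        users[name.strip()] = {
            "password": password,
            "authorities": authorities,
            "enabled": enabled,
        }
    return users


def password_storage(password):
    """Return the encoder id from a '{id}value' password, or 'no-prefix'."""
    match = ENCODER_PREFIX.match(password)
    return match.group(1) if match else "no-prefix"


def plaintext_accounts(users):
    """List (username, storage) for passwords stored without hashing."""
    flagged = []
    for name, user in users.items():
        storage = password_storage(user["password"])
        # Assumption: no-prefix means plaintext (no password encoder configured).
        if storage in ("noop", "no-prefix"):
            flagged.append((name, storage))
    return flagged


if __name__ == "__main__":
    for name, storage in plaintext_accounts(parse_users(SAMPLE_USERS)):
        print("plaintext password for %s (%s)" % (name, storage))
```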

restrict user to authenticate before viewing pages using spring security java

I am new to the Spring framework and Spring Security. I am developing an application using Google App Engine. I am trying to authenticate the user but am not able to achieve it. My problems here are:
I need to restrict the all the user to type the URL in the browser and to see the pages. If they want to access such pages I need to navigate them to the warning page.
An user can access the application only if he is authenticated with the application. If not authenticated the login page should be navigated.
I need to write a custom login authenticated page where in the page i should authenticate them if given credentials are perfect then we can navigate them to the main page.
In the custom login authentication page we should write the database logic to get the credentials from the db and authenticate. And if the user is not registered with the application then we should navigate them to the registration page with a default message.
Please any one can give me the default application with this requirements.
Thanks and Regards,
Sree
I am using Spring 3.x to complete the configuration.
In web.xml, add these lines:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
In the security XML file, add these. I am using DaoAuthenticationProvider, and for password encoding I am using BCryptPasswordEncoder.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http use-expressions="true">
<form-login login-page="/login" always-use-default-target="true" default-target-url="/sessionInit" authentication-failure-url="/login"/>
<logout logout-url="/logout" logout-success-url="/logout"/>
</http>
<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" ></beans:property>
</beans:bean>
<beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider"/>
</beans:list>
</beans:property>
</beans:bean>
<authentication-manager>
<authentication-provider ref="authProvider"></authentication-provider>
</authentication-manager>
<beans:bean id="authProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="passwordEncoder" ref="encoder" />
</beans:bean>
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans:beans>
Before all this configuration, you need to add this security.xml file in the web.xml.

Spring Security configuration supporting multiple subsites based on Hippo CMS

I am trying to use Spring Security based on the Hippo CMS plugin. I have created 3 subsites inside Hippo, each of which has its own login. How should I configure the spring-security-context.xml in order to support multiple subsites? All subsites will use the same authentication provider. Till now I have configured one of the subsites.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:lang="http://www.springframework.org/schema/lang"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/lang http://www.springframework.org/schema/beans/spring-lang-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- HTTP Security Configuration -->
<http auto-config="true">
<intercept-url pattern="/css/**" />
<intercept-url pattern="/images/**" />
<intercept-url pattern="/binaries/**" />
<intercept-url pattern="/vop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody" />
<form-login login-page="/vop"
default-target-url="/vop/vop-mysurvey-page"
always-use-default-target="true" />
<logout logout-url="/logout.jsp" logout-success-url="/vop"/>
</http>
<!--
Authentication Manager configuration with Hippo Repository based Authentication Provider configuration ('hippoAuthenticationProvider').
However, you can use any other authentication provider(s) if you don't need to authenticate users against Hippo Repository.
-->
<authentication-manager>
<authentication-provider ref="hippoAuthenticationProvider"/>
</authentication-manager>
<!--
Hippo Repository based Authentication Provider. This Authentication Provider provide authentication against Hippo Repository Security Store.
If you don't need to authenticate users against Hippo Repository, you don't have to include the following bean.
-->
<beans:bean id="hippoAuthenticationProvider"
class="org.onehippo.forge.security.support.springsecurity.authentication.HippoAuthenticationProvider">
</beans:bean>
</beans:beans>
For example, I also want to have
<http auto-config="true">
<intercept-url pattern="/css/**" />
<intercept-url pattern="/images/**" />
<intercept-url pattern="/binaries/**" />
<intercept-url pattern="/erop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody" />
<form-login login-page="/erop"
default-target-url="/erop/mypage"
always-use-default-target="true" />
<logout logout-url="/logout.jsp" logout-success-url="/erop"/>
</http>
Any Ideas?
As far as I know, spring security framework is based on servlet filter and its configuration seems to be tied to a web application context. Because of that, I don't think you can host multiple spring security contexts in single web application context currently.
Spring security supports securing multiple subsites. The configuration depends a bit on your subsites, whether they use separate host names or not.
When your subsites run under the same host name, you can configure it like this:
<http pattern="/vop/**" ... >
...
</http>
<http pattern="/erop/**" ... >
...
</http>
However, if your subsites run on different host names, it could be that the url patterns overlap. In this case you need to filter by host name, something like:
<bean id="vopMatcher" class="org.springframework.security.web.util.ELRequestMatcher">
<constructor-arg value="hasHeader('host','vop.com')"/>
</bean>
<bean id="eropMatcher" class="org.springframework.security.web.util.ELRequestMatcher">
<constructor-arg value="hasHeader('host','erop.com')"/>
</bean>
<http request-matcher-ref ="vopMatcher" ... >
...
</http>
<http request-matcher-ref ="eropMatcher" ... >
...
</http>

Getting error org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined

I am running NTLM using Spring Security, I am getting the following error
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
How can I resolve this error?
I have the following defined in web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Update 1
I resolved that error, now I am getting
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'filterSecurityInterceptor' is defined
and I have the following
<bean id="springSecurityFilterChain" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter, exceptionTranslationFilter, ntlmFilter, filterSecurityInterceptor
</value>
</property>
</bean>
I changed my applicationContext.xml as follows because, like @Sean Patrick Floyd mentioned, some elements were old and dead and buried. However I have other errors now which need to be fixed :-)
Thanks
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
<!--<authentication-manager alias="_authenticationManager"></authentication-manager>-->
<security:authentication-provider>
<security:user-service>
<security:user name="testuser" password="PASSWORD" authorities="ROLE_USER, ROLE_ADMIN"/>
<security:user name="administrator" password="PASSWORD" authorities="ROLE_USER,ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
<bean id="userDetailsAuthenticationProvider"
class="com.icesoft.icefaces.security.UserDetailsAuthenticationProvider">
<security:custom-authentication-provider/>
</bean>
<bean id="ntlmEntryPoint"
class="org.springframework.security.ui.ntlm.NtlmProcessingFilterEntryPoint">
<property name="authenticationFailureUrl" value="/accessDenied.jspx"/>
</bean>
<bean id="ntlmFilter" class="org.springframework.security.ui.ntlm.NtlmProcessingFilter">
<security:custom-filter position="NTLM_FILTER"/>
<property name="stripDomain" value="true"/>
<property name="defaultDomain" value="domain"/>
<property name="netbiosWINS" value="domain"/>
<property name="authenticationManager" ref="_authenticationManager"/>
</bean>
<bean id="exceptionTranslationFilter"
class="org.springframework.security.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
</bean>
<security:http access-decision-manager-ref="accessDecisionManager"
entry-point-ref="ntlmEntryPoint">
<security:intercept-url pattern="/accessDenied.jspx" filters="none"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
<bean id="accessDecisionManager" class="org.springframework.security.vote.UnanimousBased">
<property name="allowIfAllAbstainDecisions" value="false"/>
<property name="decisionVoters">
<list>
<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter"/>
</list>
</property>
</bean>
</beans>
From the DelegatingFilterProxy docs:
Notice that the filter is actually a DelegatingFilterProxy, and not the class that will actually implement the logic of the filter. What DelegatingFilterProxy does is delegate the Filter's methods through to a bean which is obtained from the Spring application context. This enables the bean to benefit from the Spring web application context lifecycle support and configuration flexibility. The bean must implement javax.servlet.Filter and it must have the same name as that in the filter-name element. Read the Javadoc for DelegatingFilterProxy for more information
You need to define a bean named springSecurityFilterChain that implements javax.servlet.Filter in your application context.
From Getting Started with Security Namespace Configuration:
If you are familiar with pre-namespace versions of the framework, you can probably already guess roughly what's going on here. The <http> element is responsible for creating a FilterChainProxy and the filter beans which it uses. Common problems like incorrect filter ordering are no longer an issue as the filter positions are predefined.
So you need at least A Minimal <http> Configuration
Sean Patrick Floyd is absolutely right but I think it is worth mentioning one solution, which took too much time for me.
You simply add the @ImportResource annotation.
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = {"org.company"})
@ImportResource({"classpath:security.xml"})
public class CompanyWebMvcConfiguration extends WebMvcConfigurerAdapter {
}
security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http use-expressions="true">
<access-denied-handler error-page="/error"/>
</http>
</beans:beans>
In Java configuration, you can use the following annotations:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity
public class MySecurityConfig extends WebSecurityConfigurerAdapter {
}
That will import the org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration configuration class which defines the springSecurityFilterChain bean.
Please provide spring security file with minimal configuration
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<http auto-config='true'>
<intercept-url pattern="/**" access="ROLE_USER" />
</http>
