spring-security & spring-mvc configuration

Question

Hola.

i have written a small webapp using spring-security and spring-mvc with an annotation based configuration (@Secured). in order to have that work i had to split up the spring-security configuration:

app-context.xml (included in web.xml's ContextConfigLocation)

<security:http auto-config="true"/>

app-servlet.xml (spring-mvc's dispatcherservlet loads this)

<security:global-method-security secured-annotations="enabled"/>

Why did i have to split these up? when i put all the security configuration in app-context.xml the @Secured annotations seem to be ignored, so you dont need to be logged in to access the @Secured Controller methods.

When i put it all in app-servlet.xml the following Exception is raised...

org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:504)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1041)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:273)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
        at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1008)
        at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:217)
        at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java:145)
        at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:179)

i don't get it :/

Answer 1

In the latter case, <security:http /> element might not be the part of the xml schema defined. So, its likely to get exception. By the way, what exception?

In the former case, it didn't work. May be because Spring looks for this element in the xml config loaded by DispatcherServlet, otherwise ignore it. I am not sure either, but it seems like it. :)

Look at this spring forum thread. They are discussing the same. To sum it up, "the *-servlet.xml beans aren't visible from the main context".

Answer 2

You should be able to have both in one XML, just make sure the schema is declared properly. I have used them in same file in both Spring 2.5 and Spring 3.

When you say it dont work when in both file, I assume you mean that no security is applied to your method calls? If that is the case, make sure that your application loads and uses these classes via spring, if not no security will be applied. E.g. if you access a class as:

MyClass instance = new MyClass();
instance.doSomething();

if doSomething() is annotated with security annotations, nothing will react on that annotation. The same goes if your using it from a servlet not being injected via spring etc.

If this is not helpful, could you clarify your problems?

Answer 3

<security:http .../> must be declared in the configContextLocation's config. It can not be declared in ...-servlet.xml, because during the request processing it should be available before the target servlet is identified.

<security:global-method-security .../> (as far as I understand) registers a bean postprocessor, which is applied to the context where it is declared (i.e. when declared in the configContextLocation's xml, it is applied to the beans declared there, but not to the beans declared in ...-servlet.xml)