Spring Java configuration with spring-security

Question

For some reason (I really cant rembember why :) ) I decided to only use Java for configuration of a Spring application. Also I would try to avoid web.xml

I started with the follinging two java configuration files. ApplicationBootstrap.java

public class ApplicationBootstrap implements WebApplicationInitializer {
    //public class Initializer 
    public void onStartup(ServletContext servletContext) throws ServletException {
        AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
        rootContext.register(ApplicationConfig.class);
        rootContext.refresh();

    // Manage the lifecycle of the root appcontext
    servletContext.addListener(new ContextLoaderListener(rootContext));
    servletContext.setInitParameter("defaultHtmlEscape", "true");
    servletContext.setInitParameter("spring.profiles.active", "Production");


     // now the config for the Dispatcher servlet
    AnnotationConfigWebApplicationContext mvcContext = new AnnotationConfigWebApplicationContext();
        mvcContext.register(ApplicationConfig.class);
        mvcContext.getEnvironment().setActiveProfiles("Production");
        mvcContext.getEnvironment().setDefaultProfiles("Production");

    ServletRegistration.Dynamic dispatcher = servletContext.addServlet("dispatcher", new DispatcherServlet(mvcContext));
        dispatcher.setLoadOnStartup(1);
        dispatcher.addMapping("/api/*");


}

and ApplicationConfig.java

@Configuration()
@Profile({"Production", "ControllerUnitTest"})
@EnableWebMvc
@ComponentScan( basePackages = "com.consius.activework.server"  ) 
@EnableAspectJAutoProxy
public class ApplicationConfig extends WebMvcConfigurerAdapter {


}

This worked as espected. No my problem started. My idea was to use spring-security and I looked for a way to configure spring-security using Java. After a while I gave up,, I found no way to configure spring-security using Java. I decided to go back to XML for the security configuration.

I created a web.xml containing this:

   <filter>
        <filter-name>filterChainProxy</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>filterChainProxy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

To the ApplicationConfig.java I added:

 @ImportResource( { "classpath:/spring-security.xml" } )

And created a new xml file named spring-security.xml

<security:http auto-config='true' create-session="never" realm="Restricted Service" use-expressions="true">
    <security:intercept-url pattern="/rest/**" access="permitAll()" />               
</security:http>

According documentation this is minimal configuration.

Trying to run this gives the following error (and I cant understand why)

SEVERE: Exception starting filter filterChainProxy
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'filterChainProxy' is defined
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:549)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1096)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:278)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:198)
    at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1121)
    at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:326)
    at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java:236)
    at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:194)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)

Can anyone help me? I guess I have done something obvious wrong,, but I cant see it.

//lg

Answer 1

How about sticking with the Java config?

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // ...
}

public class WebSecurityInitializer 
        extends AbstractSecurityWebApplicationInitializer {
}

Conveniently, the WebSecurityInitializer will register the Spring Security Servlet filter for you! Here's a nice explanation with plenty of detail:

http://docs.spring.io/spring-security/site/docs/3.2.x/guides/helloworld.html

btw ... Without the above, it's also possible to do the registration manually:

public class DispatcherServletInitializer 
        extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    public void onStartup(ServletContext servletContext) 
            throws ServletException {
        servletContext
            .addFilter("securityFilter", 
                       new DelegatingFilterProxy("springSecurityFilterChain"))
            .addMappingForUrlPatterns(null, false, "/*");

        super.onStartup(servletContext);
    }

    // Various other required methods...

}

This way, you can forget about that annoying web.xml. :)