Spring Security with AcceptHeaderLocaleResolver and i18n

Question

I am stuck, probably missed something in docs or made some small mistake.

Spring Security 3.0.5 was integrated in my Spring MVC 3.0.5 app. AcceptHeaderLocaleResolver is used for Locale detection and localisation works ok except for Security error messages.

I copied messages.properties from spring security package and renamed and added to existing "messageSource" bean (ResourceBundleMessageSource) with value list.

As said earlier all texts and messages are localised correctly, except Security seams to use hardcoded English messages.

Any ideas how to solve this?

UPDATE:
My xy-servlet.xml contains:

...
<mvc:resources mapping="/resources/**" location="/resources/" />
...
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
    <property name="basenames">
        <list>
            <value>defaultMessages</value>
            <value>securityMessages</value>
        </list>
    </property>
</bean>

and files

• defaultMessages.properties
• defaultMessages_en.properties
• defaultMessages_de.properties
• defaultMessages_sl.properties

and

• securityMessages.properties
• securityMessages_en.properties
• securityMessages_de.properties
• securityMessages_sl.properties

but defaultMessages work ok. securityMessages does not. I made small changes in all securityMessages files, but they are ignored and the hardcoded english messages are displayed.

UPDATE v2: My dispatcher-servlet.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd  
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
    http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

<context:component-scan base-package="com.example.sampleapp1" />
<context:annotation-config />

<mvc:annotation-driven/>

<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources/ directory -->
<mvc:resources mapping="/resources/**" location="/resources/" />

<bean id="viewResolver"
    class="org.springframework.web.servlet.view.InternalResourceViewResolver"
    p:prefix="/WEB-INF/views/" p:suffix=".jsp" />

<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
    <property name="basenames">
        <list>
            <value>defaultMessages</value>
            <value>securityMessages</value>
            <value>org/springframework/security/messages_de</value>
        </list>
    </property>
</bean> 

<!-- Persistence -->
<bean id="myPMF" class="org.springframework.orm.jdo.LocalPersistenceManagerFactoryBean">
    <property name="persistenceManagerFactoryName" value="transactions-optional"/>
</bean>     

<!-- Form Validator -->

</beans>

Answer 1

Finally, solution!

Bean for security messages apparently must me declared in applicationContext-security.xml and not in app context xml config... I did not find this anywhere in manual!

In my case correct solution is bean in applicationContext-security.xml:

    <b:bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
        <b:property name="basenames">
            <b:value>secMessages</b:value>
        </b:property>
    </b:bean>

Thanks to @bluefoot and @jtoberon for some ideas.

UPDATE: To work this properly web.xml must contain localizationFilter before springSecurityFilterChain, my web.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/applicationContext-security.xml</param-value>
</context-param>

<!-- i18n -->
<filter>
    <filter-name>localizationFilter</filter-name>
    <filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
</filter>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- i18n -->
<filter-mapping>
    <filter-name>localizationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping> 
  <filter-name>springSecurityFilterChain</filter-name> 
  <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping> 


<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Processes application requests -->
<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

</web-app>

Check lines after i18n comments.

Answer 2

I don't know how you did it (you didn't say), but to use the messages bundle that is shipped with spring security (instead of hard coded text messages), I just have to declare a ResourceBundleMessageSource bean and set the basenames property:

<bean id="messageSource"
    class="org.springframework.context.support.ResourceBundleMessageSource">
    <property name="basenames">
        <list>
            <value>org/springframework/security/messages_pt_BR</value>
        </list>
    </property>
</bean>

That will change the messages to pt_BR, by making spring using this bean instead of the default one (no need to copy the file to somewhere else, assuming, of course, you have the jar on your classpath).

Answer 3

Here are a few ideas:

1. Is there a chance that the security messages are not on the classpath? Are your resource files all in the same directory? Are you putting them in WEB-INF/classes, and if not then how do you know they're on the classpath?
2. Do you have a namespace or key conflict? In other words, are default values for the security error messages already defined in the other resource file (the one that's working)?