Where do I define `springSecurityFilterChain` bean?

Question

When I place the bean definition for springSecurityFilterChain in web.xml, I get an error indicating that Tomcat 7 will not start because there is a duplicate bean definition for springSecurityFilterChain. I uploaded the entire stack trace to a file sharing site, which you can read by clicking on this link. However, when I the comment out the springSecurityFilterChain bean definition in web.xml and try to restart the server, I get a different error message indicating that there is no bean definition for springSecurityFilterChain. You can read the second stack trace at the file sharing site by clicking on this link.

So where should I put the bean definition for springSecurityFilterChain, and what should its syntax be?

I think the problem might be that the spring petclinic sample app, which I am using to test this approach, has its own way of using a clinicservice and its own xml config files to handle application startup and the management of resources. You can view the entire code for the spring petclinic app at this link.

The changes I made to the petclinic app are as follows:

I added the following to pom.xml:

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-web</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-config</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>  

I added the following to web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

I added a package named org.springframework.security.samples.knowledgemanager.config to src/main/java in Java Resources, and then I added the following two classes to it:

MessageSecurityWebApplicationInitializer.java:

@Order(2)
public class MessageSecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {}  

SecurityConfig.java:

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Autowired
    private UserDetailsService myCustomUserDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
        .jdbcAuthentication()
            .dataSource(dataSource)
            .and()
        .userDetailsService(myCustomUserDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
            .antMatchers("/app/**").hasRole("ADMIN")
            .and()
        .formLogin()
            .loginPage("/index.jsp")
            .defaultSuccessUrl("/app/")
            .failureUrl("/index.jsp")
            .permitAll()
            .and()
        .logout()
            .logoutSuccessUrl("/index.jsp");
    }
}

Answer 1

I get an error indicating that Tomcat 7 will not start because there is a duplicate bean definition for springSecurityFilterChain

This is because you should define the springSecurityFilterChain with either (NOT both) the web.xml or a AbstractSecurityWebApplicationInitializer. As you appear to be using Java Configuration, I would remove the web.xml entry.

However, when I the comment out the springSecurityFilterChain bean definition in web.xml and try to restart the server, I get a different error message indicating that there is no bean definition for springSecurityFilterChain.

This is because the SecurityConfig needs to be referenced somehow. Typically the easiest way to do this when using Java Configuration is to pass in the configuration to the super class constructor of MessageSecurityWebApplicationInitializer.

However, the pet clinic is using XML configuration in the web.xml so you will need to do this by combining Java and XML configuration as outlined in the reference. For this example, you could include the following within src/main/resources/business-config.xml

<bean class="thepackage.SecurityConfig"/>

Naturally, you will need to replace thepackage with the package you are using for SecurityConfig.

The reason you can include the configuration in business-config.xml is because this is specified as a contextConfiguration to load in the web.xml. You could also create your own Spring bean XML file, add the SecurityConfig bean as shown above, and ensure to update the web.xml to point to the new Spring bean XML file.