XML configuration of Spring Security in Spring Boot

Question

I'd like to use XML based configuration to Spring Security. The first idea was to use SHA-256 or any other hashing function for user passwords. I could not find a nice way to solve this with plain java., so I started to configure things in xml. That was the point, when it started to get interesting.

My configuration:

• spring-boot 1.1.8.RELEASE
• spring-boot-starter-* at 1.1.8
• tomcat-embed-jasper:8.0.8

spring-security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:jdbc="http://www.springframework.org/schema/jdbc"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd>

    <http pattern="/css/**" security="none"/>
    <http pattern="/login.html*" security="none"/>

    <http>
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page='/login.html'/>
    </http>

    <authentication-manager>

        <authentication-provider>
            <user-service>
                <user name="admin" password="admin"
                      authorities="ROLE_USER, ROLE_ADMIN"/>
                <user name="bob" password="bob"
                      authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

I load the xml file in the class, where the public static void main can be found:

@Configuration
@ComponentScan
@EnableAutoConfiguration
@Order(HIGHEST_PRECEDENCE)
@ImportResource({
        "/spring-security.xml"
})
public class PhrobeBootApplication extends SpringBootServletInitializer {
...
}

But I get the following exception on any pageload:

[ERROR] org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext 
...

So it seems like the configuration from resources/WEB-INF/web.xml doesn't load, if I have a good understanding from the documentation, I should use it when using just plain spring, without the boot. (the filters should be configured). Am I right?

Why is this error happens? Is there a better way to use xml based configuration for spring-security in spring-boot? Does web.xml even load by tomcat?

Answer 1

I was getting the same issue then I changed the path of XML file and kept it as in src/main/resources/spring. It's working fine.

@SpringBootApplication

@ImportResource("classpath:/spring/spring-security.xml")