i have written a small webapp using spring-security and spring-mvc with an annotation based configuration (@Secured). in order to have that work i had to split up the spring-security configuration:
app-context.xml (included in web.xml's ContextConfigLocation)
<security:http auto-config="true"/>app-servlet.xml (spring-mvc's dispatcherservlet loads this)
<security:global-method-security secured-annotations="enabled"/>Why did i have to split these up? when i put all the security configuration in app-context.xml the @Secured annotations seem to be ignored, so you dont need to be logged in to access the @Secured Controller methods.
When i put it all in app-servlet.xml the following Exception is raised...
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:504) at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1041) at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:273) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193) at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1008) at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:217) at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java:145) at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:179)i don't get it :/
In the latter case, <security:http /> element might not be the part of the xml schema defined. So, its likely to get exception. By the way, what exception?
In the former case, it didn't work. May be because Spring looks for this element in the xml config loaded by DispatcherServlet, otherwise ignore it. I am not sure either, but it seems like it. :)
Look at this spring forum thread . They are discussing the same. To sum it up, "the *-servlet.xml beans aren't visible from the main context" .