No bean named 'org.springframework.security.filterChainProxy' is defined

[tony_k]

oddly, i am having what seems to be a timing issue where if i have my spring-security-oauth related beans configuration in a separate xml file from my spring-security related beans, like so:

Code:

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
	xsi:schemaLocation="
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

	<bean class="org.springframework.security.oauth2.provider.verification.DefaultClientAuthenticationCache" />
        
        <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices" />

	<oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices">
		<oauth:verification-code user-approval-page="/oauth/accessConfirmationForm" />
	</oauth:provider>

	<oauth:client-details-service id="clientDetails">
		<oauth:client clientId="acme-widget-client" secret="acme-widget-client-secret" authorizedGrantTypes="authorization_code" />
	</oauth:client-details-service>

</beans>

i get this:

Code:

Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.filterChainProxy' is defined
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:527)
	at org.springframework.security.oauth2.config.OAuth2ProviderBeanDefinitionParser.parse(OAuth2ProviderBeanDefinitionParser.java:57)
	at org.springframework.beans.factory.xml.NamespaceHandlerSupport.parse(NamespaceHandlerSupport.java:73)
	at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1335)
	at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1325)
	at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135)
	at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:93)
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493)
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390)
	... 21 more

but some experimentation showed that if i place the oauth related config in the same file as the spring-security config (at the end), that issue goes away:

Code:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p"
	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
	xsi:schemaLocation="
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
		">

	<authentication-manager>
		<authentication-provider>
			<user-service>
				<user name="marissa" password="koala" authorities="ROLE_USER" />
				<user name="paul" password="emu" authorities="ROLE_USER" />
			</user-service>
		</authentication-provider>
	</authentication-manager>

	<http auto-config="false" use-expressions="true">
		<intercept-url pattern="/resources/**" filters="none" />
		<intercept-url pattern="/oauth/accessConfirmationForm" access="permitAll" />
		<intercept-url pattern="/home" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />
		<intercept-url pattern="/login" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />
		<intercept-url pattern="/accounts/registration/**" access="hasRole('ROLE_ANONYMOUS')" />
		<intercept-url pattern="/accounts/*/activation" access="hasRole('ROLE_ANONYMOUS')" />
		<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

		<form-login login-page="/login" default-target-url="/home" />
		<logout logout-url="/logout" logout-success-url="/login" />
	</http>

	<beans:bean factory-method="getContextHolderStrategy" class="org.springframework.security.core.context.SecurityContextHolder" />


	<!-- oauth2 stuff below here -->

	<beans:bean class="org.springframework.security.oauth2.provider.verification.DefaultClientAuthenticationCache" />

	<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices" />

	<oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices">
		<oauth:verification-code user-approval-page="/oauth/accessConfirmationForm" />
	</oauth:provider>

	<oauth:client-details-service id="clientDetails">
		<oauth:client clientId="acme-widget-client" secret="acme-widget-client-secret" authorizedGrantTypes="authorization_code" />
	</oauth:client-details-service>

</beans:beans>

[Dave Syer]

I guess I can believe that. It's not timing though, if I'm guessing right: it's the order in which the bean definitions are hitting the parser. You can change that by making sure your externalized file is last in the list of imports, or file paths. This problem will go away when we change the whole thing so that the filters are configured explicitly (SECOAUTH-97).

[tony_k]

thanks dave,

yes, "order" is more fitting than "timing" in this case.

not sure if my follow up question is better posted on a grails forum, but i'll try my luck here first:

i'm experiencing the same issue attempting to integrate the client side of spring-security-oauth with the grails spring-security plugin.

i'm a grails noob myself, but for those unfamiliar, grails allows for a file called "resources.xml" to contain "plain old" spring xml configuration.

i placed requisite client side config there and i'm experiencing the filterChainProxy not found condition:

Code:

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:p="http://www.springframework.org/schema/p" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
	xsi:schemaLocation="
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
		">

	<oauth:client token-services-ref="oAuth2ClientTokenServices" />

	<bean id="oAuth2ClientTokenServices" class="org.springframework.security.oauth2.consumer.token.InMemoryOAuth2ClientTokenServices" />

	<oauth:resource id="widgetResource" type="authorization_code" clientId="acme-widget-client"
		clientSecret="acme-widget-client-secret" accessTokenUri="${widget.oauth.provider.uri.root}/oauth/authorize"
		userAuthorizationUri="${widget.oauth.provider.uri.root}/oauth/user/authorize" />

	<bean id="widgetRestTemplate" class="org.springframework.security.oauth2.consumer.OAuth2RestTemplate">
		<constructor-arg ref="widgetResource" />
	</bean>

</beans>

in this case, i don't have the liberty of manipulating bean definition order because the spring-security configuration is embedded in the spring-security grails plugin,
any suggestions for work arounds welcome!

i'll probably also cross post to the appropriate grails forum...

[Dave Syer]

You might have to give up using the <oauth:/> namespace until SECOAUTH-97 is addressed. The comments in that issue show you how to configure the OAuth2 filters as a bean definition, and then you can use the Grails security plugin clientRegisterFilter feature.

[tony_k]

being less grails savvy i decided to try configuring spring-security along side of spring-security-oauth via "resources.xml".

this allowed me to control the order of evaluation and skirt the 'filterChainProxy' not found issue.

(of course) i ran into another issue where this grails component, GrailsExceptionResolver, seems to be eating (or i should say re-packaging),
exceptions thrown from the controller layer (including OAuth2AccessTokenRequiredException) such that they never reach the filter chain.

i'm currently attempting to find a way to allow exceptions to "tunnel" through this mechanism,
otherwise it could be a show stopper for client side spring-security-oauth in a grails environment.

[Dave Syer]

That does sound like a question for the Grails mailing list. I assume it's a common problem since Spring Security in general relies on propagating exceptions up to the filter layer.