
Thread: Spring 3.1 - Deprecated warnings in XML configuration file


  1. #1

    Spring 3.1 - Deprecated warnings in XML configuration file

    Hi all,

    I am trying to migrate Spring Security in a Web application from 3.0.7 to 3.1.
    Everything is fine, however in STS 2.8.1 I receive a bunch of Warnings in the Security XML configuration file.

    These are the warnings:

    • Method 'setAuthenticationEntryPoint' is marked deprecated
    • Method 'setAuthenticationManager' is marked deprecated
    • Method 'setKey' is marked deprecated
    • Method 'setLoginFormUrl' is marked deprecated
    • Method 'setRequestCache' is marked deprecated
    • Method 'setSecurityContextRepository' is marked deprecated
    • Method 'setSessionAuthenticationStrategy' is marked deprecated
    • Method 'setUserAttribute' is marked deprecated



    Here is the file:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    		http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    		http://www.springframework.org/schema/security
    		http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    
    	<beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />
    
    	<global-method-security secured-annotations="enabled" />
    
    	<http auto-config="true" access-denied-page="/accessDenied">
    
    		<form-login login-page="/login" default-target-url="/log/viewLogs" authentication-failure-url="/login?login_error=1" />
    
    		<logout logout-success-url="/logout" />
    
    		<session-management invalid-session-url="/login">
    			<concurrency-control max-sessions="1" expired-url="/sessionTimeout" error-if-maximum-exceeded="true" />
    		</session-management>
    
    		<http-basic />
    
    		<anonymous enabled="true" granted-authority="ROLE_ANONYMOUS" username="Anonymous_User" />
    
    		<intercept-url pattern="/log/**" access="ROLE_USER,ROLE_ADMIN" />
    	</http>
    	
    </beans:beans>
    Any idea what I am missing in the configuration or what I did wrong? The warnings were not there in Spring Security 3.0.7.

    Thanks a lot.
    Paul

  2. #2
    Join Date
    Dec 2011
    Posts
    1


    Same problem for me... does anyone have an explanation?!

  3. #3
    Join Date
    Dec 2011
    Posts
    5


    I've come across the same issue. From looking at the Spring Security 3.1 documentation it seems like some additional configuration is necessary to get the warnings to go away.

    I was looking at section B2 in the appendix and it says:

    Before Spring Security 3.0, an AuthenticationManager was automatically registered internally. Now you must register one explicitly using the <authentication-manager> element. This creates an instance of Spring Security's ProviderManager class, which needs to be configured with a list of one or more AuthenticationProvider instances. These can either be created using syntax elements provided by the namespace, or they can be standard bean definitions, marked for addition to the list using the authentication-provider element.
    Unfortunately I am still a novice with Spring Security, so I still need to figure out how to do this, but I suspect this is the case for all of the warning messages. It seems to be a matter of adding in the additional configuration needed.

  4. #4
    Join Date
    Dec 2011
    Posts
    5


    So I've been digging around the source code & documentation trying to figure out how to get the warnings to disappear. From what I've seen so far, it looks like a bug to me. The syntax in the documentation makes it seem like the XML should be correct and contradicts what the warning messages are saying. I can't get the warning messages to go away even if I follow the documentation correctly. It looks like the deprecated methods in the source code are still setting the values correctly, but say to use the constructor injection instead. The 'http' XML tag doesn't allow you to inject the values the warning messages say it is looking for.
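
What the "constructor injection" mentioned in post #4 looks like when three of the affected beans are declared explicitly instead of through `<http>`. This is an added example, not part of the thread or of Spring Security's own configuration: the bean ids, the anonymous key and the pairing of each warning with a class are this example's reading of the 3.1 API, and the beans would still have to be wired into a filter chain.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: bean ids and the key value are constructed, not from the thread. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <!-- Instead of setLoginFormUrl: the login page is a constructor argument. -->
    <bean id="loginEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg value="/login" />
    </bean>

    <bean id="requestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache" />

    <!-- Instead of setAuthenticationEntryPoint and setRequestCache. -->
    <bean id="exceptionTranslationFilter"
          class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <constructor-arg ref="loginEntryPoint" />
        <constructor-arg ref="requestCache" />
    </bean>

    <bean id="securityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />

    <!-- Instead of setSecurityContextRepository. -->
    <bean id="securityContextPersistenceFilter"
          class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <constructor-arg ref="securityContextRepository" />
    </bean>

    <!-- Instead of setKey and setUserAttribute: key, principal and authorities.
         The key must match the one given to the AnonymousAuthenticationProvider. -->
    <bean id="anonymousAuthFilter"
          class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
        <constructor-arg index="0" value="constructedAnonymousKey" />
        <constructor-arg index="1" value="Anonymous_User" />
        <constructor-arg index="2">
            <list>
                <bean class="org.springframework.security.core.authority.SimpleGrantedAuthority">
                    <constructor-arg value="ROLE_ANONYMOUS" />
                </bean>
            </list>
        </constructor-arg>
    </bean>
</beans>
```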

  5. #5
    Join Date
    Jun 2007
    Posts
    16

    Same problems as everyone else

    I've tried just about every combination of things to get rid of those warnings, and they won't go away. They are the only warnings in my entire project, so it's quite frustrating. Here's what I get. My security.xml looks like this (using security 3.1 xsd):

    <sec:http auto-config="true" use-expressions="true">
        <sec:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
        <sec:logout logout-url="/resources/j_spring_security_logout" />
        <sec:intercept-url pattern="/favicon.ico" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <sec:intercept-url pattern="/join/**" access="isAuthenticated()"/>
        <sec:intercept-url pattern="/sampleflow/**" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/imp/**" access="hasRole('ROLE_IMPAIRMASTER')" />
        <sec:intercept-url pattern="/resources/**" access="permitAll" />
        <sec:intercept-url pattern="/**" access="permitAll" />
    </sec:http>

    <sec:ldap-server id="contextSource"
        url="${ldap.url}"
        manager-dn="${ldap.userDn}"
        manager-password="${ldap.password}"/>

    <sec:authentication-manager>
        <sec:ldap-authentication-provider
            user-dn-pattern="uid={0},ou=people"
            group-search-filter="uniqueMember={0}"
            group-search-base="ou=groups"/>
        <sec:authentication-provider user-service-ref="localUsers"/>
    </sec:authentication-manager>

    <sec:user-service id="localUsers">
        <sec:user name="admin" password="passw0rd" authorities="ROLE_ADMIN, ROLE_IMPAIRMASTER"/>
    </sec:user-service>

    <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate" >
        <constructor-arg ref="contextSource" />
    </bean>

    And here are the warnings I get:

    Method 'setAuthenticationEntryPoint' is marked deprecated
    Method 'setAuthenticationManager' is marked deprecated
    Method 'setKey' is marked deprecated
    Method 'setLoginFormUrl' is marked deprecated
    Method 'setRequestCache' is marked deprecated
    Method 'setSecurityContextRepository' is marked deprecated
    Method 'setSessionAuthenticationStrategy' is marked deprecated
    Method 'setUserAttribute' is marked deprecated
    Referenced bean 'contextSource' not found
    Referenced bean 'org.springframework.security.securityContextSource' not found
    Referenced bean 'org.springframework.security.securityContextSource' not found

  6. #6


    Hi,
    I just came across this as well. It sure seems like the http element is using the deprecated methods behind the scenes. Is there a way around it, or is it something that will be tidied up in the next release?

    Thanks
