Spring 3.1 - Deprecated warnings in XML configuration file

[paulkuhn]

Hi all,

I am trying to migrate Spring Security in a Web application from 3.0.7 to 3.1.
Everything is fine, however in STS 2.8.1 I receive a bunch of Warnings in the Security XML configuration file.

These are the warnings:

• Method 'setAuthenticationEntryPoint' is marked deprecated
• Method 'setAuthenticationManager' is marked deprecated
• Method 'setKey' is marked deprecated
• Method 'setLoginFormUrl' is marked deprecated
• Method 'setRequestCache' is marked deprecated
• Method 'setSecurityContextRepository' is marked deprecated
• Method 'setSessionAuthenticationStrategy' is marked deprecated
• Method 'setUserAttribute' is marked deprecated

Here is the file:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
		http://www.springframework.org/schema/security
		http://www.springframework.org/schema/security/spring-security-3.1.xsd">


	<beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />

	<global-method-security secured-annotations="enabled" />

	<http auto-config="true" access-denied-page="/accessDenied">

		<form-login login-page="/login" default-target-url="/log/viewLogs" authentication-failure-url="/login?login_error=1" />

		<logout logout-success-url="/logout" />

		<session-management invalid-session-url="/login">
			<concurrency-control max-sessions="1" expired-url="/sessionTimeout" error-if-maximum-exceeded="true" />
		</session-management>

		<http-basic />

		<anonymous enabled="true" granted-authority="ROLE_ANONYMOUS" username="Anonymous_User" />

		<intercept-url pattern="/log/**" access="ROLE_USER,ROLE_ADMIN" />
	</http>
	
</beans:beans>

Any idea what I am missing the configuration or what I did wrong? The warnings were not there in Spring Security 3.0.7.

Thanks a lot.
Paul

[jimbetto]

Same problem for me... anyone have an explanation ?!

[jnova]

I've come across the same issue. From looking at the Spring Security 3.1 documentation it seems like some additional configuration is necessary to get the warnings to go away.

I was looking at section B2 in the appendix and it says:

Before Spring Security 3.0, an AuthenticationManager was automatically registered internally. Now you must register one explicitly using the <authentication-manager> element. This creates an instance of Spring Security's ProviderManager class, which needs to be configured with a list of one or more AuthenticationProvider instances. These can either be created using syntax elements provided by the namespace, or they can be standard bean definitions, marked for addition to the list using the authentication-provider element.

Unfortunately I am still a novice with Spring Security, so I still need to figure out how to do this, but I suspect this is the case for all of the warning messages. It seems to be a matter of adding in the additional configuration needed.

[jnova]

So I've been digging around the source code & documentation trying to figure out how to get the warnings to disappear. From what I've seen so far, it looks like a bug to me. The syntax in the documentation makes it seem like the XML should be correct and contradicts what the warning messages are saying. I can't get the warning messages to go away even if I follow the documentation correctly. It looks like the deprecated methods in the source code are still setting the values correctly, but say to use the constructor injection instead. The 'http' XML tag doesn't allow you to inject the values the warning messages say it is looking for.

[gkaplan]

I've tried just about every combination of things to get rid of those warnings, and they won't go away. They are the only warnings in my entire project, so it's quite frustrating. Here's what I get. My security.xml looks like this (using security 3.1 xsd):

<sec:http auto-config="true" use-expressions="true">
<sec:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
<sec:logout logout-url="/resources/j_spring_security_logout" />
<sec:intercept-url pattern="/favicon.ico" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/join/**" access="isAuthenticated()"/>
<sec:intercept-url pattern="/sampleflow/**" access="hasRole('ROLE_ADMIN')" />
<sec:intercept-url pattern="/imp/**" access="hasRole('ROLE_IMPAIRMASTER')" />
<sec:intercept-url pattern="/resources/**" access="permitAll" />
<sec:intercept-url pattern="/**" access="permitAll" />
</sec:http>

<sec:ldap-server id="contextSource"
url="${ldap.url}"
manager-dn="${ldap.userDn}"
manager-password="${ldap.password}"/>

<sec:authentication-manager>
<sec:ldap-authentication-provider
user-dn-pattern="uid={0},ou=people"
group-search-filter="uniqueMember={0}"
group-search-base="ou=groups"/>
<sec:authentication-provider user-service-ref="localUsers"/>
</sec:authentication-manager>

<sec:user-service id="localUsers">
<sec:user name="admin" password="passw0rd" authorities="ROLE_ADMIN, ROLE_IMPAIRMASTER"/>
</sec:user-service>

<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate" >
<constructor-arg ref="contextSource" />
</bean>

And here are the warnings I get:

Method 'setAuthenticationEntryPoint' is marked deprecated
Method 'setAuthenticationManager' is marked deprecated
Method 'setKey' is marked deprecated
Method 'setLoginFormUrl' is marked deprecated
Method 'setRequestCache' is marked deprecated
Method 'setSecurityContextRepository' is marked deprecated
Method 'setSessionAuthenticationStrategy' is marked deprecated
Method 'setUserAttribute' is marked deprecated
Referenced bean 'contextSource' not found
Referenced bean 'org.springframework.security.securityContextSourc e' not found
Referenced bean 'org.springframework.security.securityContextSourc e' not found

[David Kerwick]

Hi,
I just came across this as well. It sure seems like the http element is using the depreciated methods behind the scenes, is there a way around it or something that will be tidied up in the next release?

Thanks

[Rob Winch]

I logged SEC-1909 which you might consider voting on (voting helps to prioritize things)

[mchamati]

I had the same with Spring Security 3.1.1, but just upgraded to spring-security 3.1.3 and the warnings are gone.

[jrod]

I upgraded to:

Spring 3.1.1.RELEASE
Spring Security 3.1.3.RELEASE
Spring Security OAuth 1.0.0.RELEASE

and I still receive the deprecated warnings. Why could that be?

[Rob Winch]

Are you certain you have spring-security-config-3.1.3.RELEASE on your classpath (i.e. check your transitive dependencies aren't brining in an older version)? What causes the deprecation messages? If it is Spring Security OAuth, then this is something that needs updated in the OAuth libraries. If none of this helps please post the code (using code tags), the message, and where the message appears.