Configuration problem: You must use a 3.0 schema with Spring Security 3.0

**DaFoot** · Jul 19th, 2012, 09:18 AM

I'm trying to migrate a project from Spring 3.0 to Spring 3.1, including moving Spring-security up to newer version. I've created a pom.xml for Maven to manage the dependencies, which it appears to be doing.

When I deploy my build I get the error in the subject " Configuration problem: You must use a 3.0 schema with Spring Security 3.0" and the application cannot start. As I read that, the XML namespace is incorrect for some feature I'm using.

My current namespace for security:
http://www.springframework.org/schema/security http://www.springframework.org/schem...curity-3.1.xsd

Is that right for the new Spring-security libraries?

After a bit of digging it turns out I'm getting some 3.0 jars being deployed with my application, which makes me wonder if that is the root cause of the error I'm seeing (assuming the xsd declaration is correct)....

Code:

-rw-r--r-- 1 tomcat tomcat   78088 Jul  3 15:46 spring-security-acl-3.0.5.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat   81678 Jul 13 17:36 spring-security-acl-3.1.1.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat    7354 Jul  3 15:46 spring-security-aspects-3.0.5.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat    6522 Jul 19 02:00 spring-security-aspects-3.1.1.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat  185716 Jul  3 15:46 spring-security-config-3.0.5.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat  206484 Jul 17 13:04 spring-security-config-3.1.1.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat  311038 Jul  3 15:46 spring-security-core-3.0.5.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat  346990 Jul 13 17:36 spring-security-core-3.1.1.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat   17466 Jul  3 15:46 spring-security-openid-3.0.5.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat   19895 Jul 19 02:00 spring-security-openid-3.1.1.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat   18883 Jul  3 15:46 spring-security-taglibs-3.0.5.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat   20739 Jul 13 17:36 spring-security-taglibs-3.1.1.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat  242833 Jul  3 15:46 spring-security-web-3.0.5.RELEASE.jar
-rw-r--r-- 1 tomcat tomcat  255466 Jul 13 17:36 spring-security-web-3.1.1.RELEASE.jar

I've checked through my pom.xml and I am only referencing Spring 3.1.x libraries in there, so I figure the others (3.0.x.jars) are being pulled in as sub dependencies. Sure enough the Eclipse Maven tool to view dependancy tree shows some Spring/spring-security jars depend on 3.0 jars, but my (limited) understanding of Maven tells me that they should be ignored in favour of those closer to the root of the pom file.

I have defined all these jars at the root of the dependency tree.

So the question is, am I barking up the wrong tree? Is it possible these 3.0 jars could cause the error I'm seeing when I try to use the 3.1 security schema?

If that could be the cause, how do I stop it happening?

I've included my security-context below for review in case I've missed something - which is quite likely as I'm pretty new to the whole Spring thing!

Code:

<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:context="http://www.springframework.org/schema/context"
  xmlns:p="http://www.springframework.org/schema/p"
  xsi:schemaLocation="
  	http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
	http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
	http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
           
<!-- enable @Secured java annotation 
	<global-method-security  pre-post-annotations="enabled" />
-->
<!--
these 2 entries are here because of trying to sort different error I get when I set xsd to 3.0.3 as per this error. But I want to work with 3.1
	<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" />
	<beans:bean id="expressionHandler" class="org.springframework.security.web.access.expression.WebSecurityExpressionHandler" />	
-->	
	
    
<!-- for Spring-security >= 3.1 -->
    <http pattern="/public/**" security="none"/>
    <http pattern="/login" security="none"/>
    <http pattern="/loggedOut" security="none"/>
    <http pattern="/include/css/**" security="none"/>
    <http pattern="/include/img/**" security="none"/>
	<http use-expressions="true" auto-config="true" create-session="ifRequired" access-denied-page="/accessDenied" >
    	<form-login login-page="/login" authentication-failure-url="/authfailed" default-target-url="/reports/summaries" />
    	<logout invalidate-session="true" logout-success-url="/loggedOut" />
    	<!-- 
    	<session-management invalid-session-url="/invalidSession.htm" />
    	--> 
    	<anonymous/>

<!-- Spring Security < 3.1
	<intercept-url pattern="/public/**" filters="none"/>
    	<intercept-url pattern="/login" filters="none"/>
    	<intercept-url pattern="/loggedOut" filters="none"/>
    	<intercept-url pattern="/include/css/**" filters="none"/>
    	<intercept-url pattern="/include/img/**" filters="none"/>
-->

    	<!-- isAuthenticated() hasRole('ROLE_REPORTS') -->
    	<intercept-url pattern="/reports/**" method="GET" access="hasRole('ROLE_REPORTS')" />
    	
    	<intercept-url pattern="/super/**" method="GET" access="hasRole('ROLE_SUPER')" />
    	
    	<intercept-url pattern="/user/userCP" method="GET" access="isAuthenticated()" />
    	<intercept-url pattern="/user/userCP" method="PUT" access="isAuthenticated()" />
    	
    	<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    	
    	<intercept-url pattern="/data/**" method="GET" access="isAuthenticated()" />
    	<intercept-url pattern="/data/**" method="DELETE" access="hasRole('ROLE_ADMIN')" />
    	<intercept-url pattern="/data/**" method="POST" access="hasRole('ROLE_ADMIN')" />
    	<intercept-url pattern="/data/**" method="PUT" access="hasRole('ROLE_ADMIN')" />

		<intercept-url pattern="/include/js/pages/admin/**" access="hasRole('ROLE_ADMIN')" />
		<intercept-url pattern="/include/js/pages/all.js" access="isAuthenticated()" />
		<intercept-url pattern="/include/js/pages/**" access="hasRole('ROLE_REPORTS')" />
		
    	<intercept-url pattern="/include/js/**" access="hasRole('ROLE_ANONYMOUS')" />
    	
    	<intercept-url pattern="/include/**" access="isAuthenticated()" />
  	</http>

    <beans:import resource="hibernate-context.xml" />
  	<context:component-scan base-package="uk.co.romar.guardian.services" />
	
  	<beans:bean id="userService" class="uk.co.romar.guardian.services.UserServiceImpl" />
  	<beans:bean id="pwdEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
  	<!-- <beans:bean id="saltSource" class="??"/>  -->
  	<authentication-manager alias="authenticationManager">
		<authentication-provider user-service-ref="userService">  
			<password-encoder ref="pwdEncoder" />
		</authentication-provider>
    </authentication-manager>

</beans:beans>

**Rob Winch** · Jul 19th, 2012, 10:11 AM

Originally Posted by DaFoot

I've checked through my pom.xml and I am only referencing Spring 3.1.x libraries in there, so I figure the others (3.0.x.jars) are being pulled in as sub dependencies. Sure enough the Eclipse Maven tool to view dependancy tree shows some Spring/spring-security jars depend on 3.0 jars, but my (limited) understanding of Maven tells me that they should be ignored in favour of those closer to the root of the pom file.

A single version for a specific groupid and artifactid should be used. See the maven documentation around dependency mediation for details on how versions are handled.

Originally Posted by DaFoot

So the question is, am I barking up the wrong tree? Is it possible these 3.0 jars could cause the error I'm seeing when I try to use the 3.1 security schema?

You are correct the version conflicts are likely what is causing the errors. You should only have a single version of spring-security and a single version of Spring within your war. This seems more like a maven question at this point. How are you running the war? Did you do a clean before you ran it? Can you provide the entire pom?

If that could be the cause, how do I stop it happening?

The duplicate dependencies can happen sometimes if things get out of Synch. For example you may need to do a clean. To ensure you get consistent versions you can either explicitly list out all the dependencies or use dependency management to control this behavior. This will not impact getting duplicates in the war, but it will ensure all the dependencies match up.

**DaFoot** · Jul 19th, 2012, 10:29 AM

Thanks for replying Rob, I appreciate the help.

Originally Posted by Rob Winch

A single version for a specific groupid and artifactid should be used. See the maven documentation around dependency mediation for details on how versions are handled.

I'll have a good read in a moment.

Originally Posted by Rob Winch

You are correct the version conflicts are likely what is causing the errors. You should only have a single version of spring-security and a single version of Spring within your war. This seems more like a maven question at this point. How are you running the war? Did you do a clean before you ran it? Can you provide the entire pom?

Good to know I'm not going mad.

The war is being built by setting up an Eclipse (Juno/4.2) run configuration and firing that off. That run configuration has the following goals defined: clean war:war tomcat:redeploy.

My pom.xml follows:

Code:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>uk.co.romar</groupId>
  <artifactId>guardian</artifactId>
  <packaging>war</packaging>
  <version>1.1</version>
  <name>guardian Maven Webapp</name>
  <url>http://maven.apache.org</url>
	<repositories>
		<repository>
			<id>repository.jboss.org-public</id>	
			<name>JBoss repository</name>
			<url>https://repository.jboss.org/nexus/content/groups/public</url>
		</repository>
	</repositories>
	<properties>
		<spring-security.version>3.1.1.RELEASE</spring-security.version>
		<spring.version>3.1.2.RELEASE</spring.version>	
	</properties>
	
  <dependencies>
	<dependency>
		<groupId>junit</groupId>
		<artifactId>junit</artifactId>
		<version>3.8.1</version>
		<scope>test</scope>
	</dependency>
	<dependency>
		<groupId>org.springframework</groupId>
		<artifactId>spring-beans</artifactId>
		<version>${spring.version}</version>
	</dependency>
	<dependency>
		<groupId>org.springframework</groupId>
		<artifactId>spring-aop</artifactId>
		<version>${spring.version}</version>
	</dependency>
	
	<dependency>
		<groupId>org.springframework</groupId>
		<artifactId>spring-core</artifactId>
		<version>${spring.version}</version>
	</dependency>
	<dependency>
		<groupId>org.springframework</groupId>
		<artifactId>spring-expression</artifactId>
		<version>${spring.version}</version>
	</dependency>
	<dependency>
		<groupId>org.springframework</groupId>
		<artifactId>spring-webmvc</artifactId>
		<version>${spring.version}</version>
	</dependency>
	<dependency>
		<groupId>org.springframework</groupId>
		<artifactId>spring-tx</artifactId>
		<version>${spring.version}</version>
	</dependency>
	    <dependency>
    	<groupId>org.springframework</groupId>
    	<artifactId>spring-orm</artifactId>
    	<version>${spring.version}</version>
    </dependency>
    <dependency>
    	<groupId>org.springframework</groupId>
    	<artifactId>spring-context</artifactId>
    	<version>${spring.version}</version>
    </dependency>
    <dependency>
    	<groupId>org.springframework</groupId>
    	<artifactId>spring-context-support</artifactId>
    	<version>${spring.version}</version>
    </dependency>
	
	<dependency>
		<groupId>org.springframework.security</groupId>
		<artifactId>spring-security-core</artifactId>
		<version>${spring-security.version}</version>
	</dependency>
	<dependency>
		<groupId>org.springframework.security</groupId>
		<artifactId>spring-security-taglibs</artifactId>
		<version>${spring-security.version}</version>
	</dependency>
	<dependency>
		<groupId>org.springframework.security</groupId>
		<artifactId>spring-security-config</artifactId>
		<version>${spring-security.version}</version>
	</dependency>
	<dependency>
		<groupId>org.springframework.security</groupId>
		<artifactId>spring-security-web</artifactId>
		<version>${spring-security.version}</version>
	</dependency>
    <dependency>
    	<groupId>org.springframework.security</groupId>
    	<artifactId>spring-security-aspects</artifactId>
    	<version>${spring-security.version}</version>
    </dependency>
    <dependency>
    	<groupId>org.springframework.security</groupId>
    	<artifactId>spring-security-openid</artifactId>
    	<version>${spring-security.version}</version>
    </dependency>
	<dependency>
    	<groupId>org.springframework.security</groupId>
    	<artifactId>spring-security-acl</artifactId>
    	<version>${spring-security.version}</version>
    </dependency>
    
    <dependency>
    	<groupId>org.codehaus.jackson</groupId>
    	<artifactId>jackson-core-lgpl</artifactId>
    	<version>1.9.8</version>
    </dependency>
    <dependency>
    	<groupId>org.codehaus.jackson</groupId>
    	<artifactId>jackson-core-asl</artifactId>
    	<version>1.9.8</version>
    </dependency>
    <dependency>
    	<groupId>org.codehaus.jackson</groupId>
    	<artifactId>jackson-mapper-asl</artifactId>
    	<version>1.9.8</version>
    </dependency>


    <dependency>
    	<groupId>javax.servlet</groupId>
    	<artifactId>javax.servlet-api</artifactId>
    	<version>3.0.1</version>
    </dependency>
    <dependency>
    	<groupId>org.hibernate</groupId>
    	<artifactId>hibernate-core</artifactId>
    	<version>3.6.5.Final</version>
    </dependency>
    <dependency>
    	<groupId>org.hibernate</groupId>
    	<artifactId>hibernate-commons-annotations</artifactId>
    	<version>3.2.0.Final</version>
    </dependency>
    <dependency>
    	<groupId>org.apache.directory.studio</groupId>
    	<artifactId>org.apache.commons.lang</artifactId>
    	<version>2.6</version>
    </dependency>
    <dependency>
    	<groupId>org.codehaus.jackson</groupId>
    	<artifactId>jackson-asl</artifactId>
    	<version>0.9.5</version>
    </dependency>
    <dependency>
    	<groupId>org.hibernate</groupId>
    	<artifactId>hibernate-c3p0</artifactId>
    	<version>4.1.4.Final</version>
    </dependency>
    <dependency>
    	<groupId>org.firebirdsql.jdbc</groupId>
    	<artifactId>jaybird-jdk17</artifactId>
    	<version>2.2.0</version>
    </dependency>
    <dependency>
    	<groupId>org.slf4j</groupId>
    	<artifactId>slf4j-api</artifactId>
    	<version>1.6.6</version>
    </dependency>
    <dependency>
    	<groupId>aopalliance</groupId>
    	<artifactId>aopalliance</artifactId>
    	<version>1.0</version>
    </dependency>
    <dependency>
    	<groupId>commons-beanutils</groupId>
    	<artifactId>commons-beanutils</artifactId>
    	<version>1.8.3</version>
    </dependency>
    <dependency>
    	<groupId>commons-beanutils</groupId>
    	<artifactId>commons-beanutils-bean-collections</artifactId>
    	<version>1.8.3</version>
    </dependency>
    <dependency>
    	<groupId>commons-beanutils</groupId>
    	<artifactId>commons-beanutils-core</artifactId>
    	<version>1.8.3</version>
    </dependency>
    <dependency>
    	<groupId>commons-collections</groupId>
    	<artifactId>commons-collections</artifactId>
    	<version>20040616</version>
    </dependency>
    <dependency>
    	<groupId>javax.servlet</groupId>
    	<artifactId>jstl</artifactId>
    	<version>1.2</version>
    </dependency>
    

  </dependencies>
  <build>
    <finalName>guardian</finalName>
    <plugins>
		<plugin>
			<groupId>org.codehaus.mojo</groupId>
			<artifactId>tomcat-maven-plugin</artifactId>
			<configuration>
				<url>http://localhost:8080/manager/html</url>
				<server>localtomcat</server><!-- see ~/.m2/settings.xml -->
				<path>/guardian</path>
			</configuration>
		</plugin>
		<plugin>
			<artifactId>maven-compiler-plugin</artifactId>
			<configuration>
				<source>1.7</source>
				<target>1.7</target>
			</configuration>
		</plugin>
	</plugins>
	<sourceDirectory>src/main/java</sourceDirectory>
	<defaultGoal>war:war</defaultGoal>
  </build>
</project>

Originally Posted by Rob Winch

The duplicate dependencies can happen sometimes if things get out of Synch. For example you may need to do a clean. To ensure you get consistent versions you can either explicitly list out all the dependencies or use dependency management to control this behavior. This will not impact getting duplicates in the war, but it will ensure all the dependencies match up.

I have a 'clean' in my Eclipse run configuration, but quite possible it should be something like maven:clean or project:clean etc that I don't know about.

**Rob Winch** · Jul 19th, 2012, 10:51 AM

Originally Posted by DaFoot

I have a 'clean' in my Eclipse run configuration, but quite possible it should be something like maven:clean or project:clean etc that I don't know about.

My solution when Eclipse WTP gets out of synch is a bit lengthy, but it seems to do the trick. As you get more experienced you will learn when you only need to do some of the tips on here, but this is the full suite.

Ensure you do not have errors in your worksapce

If you have errors in your pom.xml or anywhere else it can sometimes cause Eclipse to stop updating things. It really depends on where the error is. So ensure you have fixed all the errors

Update the project configuration:

Right Click the Project
Select Maven ... -> Update Project
Ensure your project is clicked a select OK

For good measure I typically clean the project too

Select the Project
Select Project -> Clean ..
Ensure the project is selected to be cleaned and select OK

Clean your Server

Rick Click Your Server in the Servers View
Select Clean Tomcat working directory (assuming you are using Tomcat)
Select Clean ...
Select OK

Verify everything is cleaned

Navigate to the deployed folder (i.e. <WORKSPACE>/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/) and verify your project was removed
Verify your server says Republished (it should not say Synchronized)

Start your server and look in the deployed folder and ensure your application is synchronized.

**DaFoot** · Jul 19th, 2012, 11:18 AM

Everything cleaned and Maven updated.

I've not attached Tomcat to Eclipse to sync applications as yet... on the list of things to do, so manually removed the unpacked app under webapps/ along with the .war.

Removed any directories in the Tomcat work area.

Manually deleted all jars under <project>/target/lib/.

Build and deploy = same issue/same error message.

**Rob Winch** · Jul 19th, 2012, 11:26 AM

Did your dependencies change?

**DaFoot** · Jul 19th, 2012, 11:34 AM

The spring-security-3.1.1 dependencies still show dependencies on 3.0.x jars in the hierarchy tree. They are marked as "omitted for conflict" but still find their way into the build from somewhere.

I don't think anything has changed.

**Rob Winch** · Jul 19th, 2012, 12:13 PM

I would suggest breaking it down into pieces. Using your exact pom and a dummy project I get the correct results when building the war (see below). You should check the same. Then troubleshoot it deploying to tomcat.

Code:

$ mvn clean war:war
...
$ ls -1 target/guardian/WEB-INF/lib/$ ls -1 target/guardian/WEB-INF/lib/
antlr-2.7.6.jar
antlr-runtime-3.4.jar
aopalliance-1.0.jar
c3p0-0.9.1.jar
commons-beanutils-1.8.3.jar
commons-beanutils-bean-collections-1.8.3.jar
commons-beanutils-core-1.8.3.jar
commons-codec-1.4.jar
commons-collections-20040616.jar
commons-lang-2.6.jar
commons-logging-1.1.1.jar
connector-api-1.5.jar
dom4j-1.6.1.jar
guice-2.0.jar
hibernate-c3p0-4.1.4.Final.jar
hibernate-commons-annotations-3.2.0.Final.jar
hibernate-core-3.6.5.Final.jar
hibernate-jpa-2.0-api-1.0.0.Final.jar
httpclient-4.1.1.jar
httpcore-4.1.jar
jackson-asl-0.9.5.jar
jackson-core-asl-1.9.8.jar
jackson-core-lgpl-1.9.8.jar
jackson-mapper-asl-1.9.8.jar
javax.servlet-api-3.0.1.jar
jaybird-jdk17-2.2.0.jar
jboss-logging-3.1.0.GA.jar
jcip-annotations-1.0.jar
jstl-1.2.jar
jta-1.1.jar
openid4java-nodeps-0.9.6.jar
org.apache.commons.lang-2.6.jar
slf4j-api-1.6.6.jar
spring-aop-3.1.2.RELEASE.jar
spring-asm-3.1.2.RELEASE.jar
spring-beans-3.1.2.RELEASE.jar
spring-context-3.1.2.RELEASE.jar
spring-context-support-3.1.2.RELEASE.jar
spring-core-3.1.2.RELEASE.jar
spring-expression-3.1.2.RELEASE.jar
spring-jdbc-3.1.2.RELEASE.jar
spring-orm-3.1.2.RELEASE.jar
spring-security-acl-3.1.1.RELEASE.jar
spring-security-aspects-3.1.1.RELEASE.jar
spring-security-config-3.1.1.RELEASE.jar
spring-security-core-3.1.1.RELEASE.jar
spring-security-openid-3.1.1.RELEASE.jar
spring-security-taglibs-3.1.1.RELEASE.jar
spring-security-web-3.1.1.RELEASE.jar
spring-tx-3.1.2.RELEASE.jar
spring-web-3.1.2.RELEASE.jar
spring-webmvc-3.1.2.RELEASE.jar
stringtemplate-3.2.1.jar

**DaFoot** · Jul 19th, 2012, 12:48 PM

Given the result you've got there I figured it was worth a try and created a new Eclipse project, manually copied in Java source, JSPs etc and config files.

What do you know - it hasn't produced any of those extra jars. So I actually have no idea what was causing the issue, but it does seem to have gone away with the new project (to be replaced with a different issue - but that I'll investigate separately).

Many thanks for taking the time to help out Rob.

Thread: Configuration problem: You must use a 3.0 schema with Spring Security 3.0

Thread Tools

Display

Configuration problem: You must use a 3.0 schema with Spring Security 3.0

Tags for this Thread

Posting Permissions