Error using 3.1.0.CI-SNAPSHOT

[mgiacomi]

My app works fine using 3.0.3, but there are some features in 3.1 (SEC-1171) that I would like to take advantage of. The first thing I did was to upgrade my libs to 3.1, and when I did I got the following error:

Code:

2010-08-16 15:04:40,377 [main] INFO  method.GlobalMethodSecurityBeanDefinitionParser  - Expressions were enabled for method security but no SecurityExpressionHandler was configured. All hasPermision() expressions will evaluate to false.
2010-08-16 15:04:46,791 [main] ERROR [localhost].[/idea500]  - Exception starting filter springSecurityFilterChain
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:521)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1068)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:274)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:266)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
	at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1079)
	at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:217)
	at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java:145)
	at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:179)
	at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:275)
	at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:397)
	at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:108)
	at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3827)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4477)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
	at org.apache.catalina.core.StandardService.start(StandardService.java:515)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:708)
	at org.apache.catalina.startup.Tomcat.start(Tomcat.java:286)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoCachedMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:229)
	at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:52)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:40)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:117)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:121)

Here are my config details.

web.xml:

Code:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

resource.xml

Code:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security pre-post-annotations="enabled" />

    <security:http auto-config="false" use-expressions="true">
        <security:intercept-url pattern="/login*" filters="none"/>
        <security:intercept-url pattern="/logout*" filters="none"/>
        <security:intercept-url pattern="/css/**" filters="none"/>
        <security:intercept-url pattern="/js/**" filters="none"/>
        <security:intercept-url pattern="/images/**" filters="none"/>
        <security:intercept-url pattern="/**" access="isAuthenticated()" />

        <security:access-denied-handler error-page="/xxx/accessdenied"/>

        <security:form-login login-page="/login"
                             authentication-failure-url="/login?error=1"
                             default-target-url="/xxx/xxx/index"/>

        <security:logout logout-success-url="/logout"/>
    </security:http>

    <security:ldap-server url="ldap://xxx:389"
                          root="DC=xxx,DC=xxx"
                          manager-dn="CN=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
                          manager-password="xxx"/>

    <security:authentication-manager>
        <security:authentication-provider>
			<security:jdbc-user-service data-source-ref="dataSource"/>
		</security:authentication-provider>

        <security:ldap-authentication-provider user-search-filter="(sAMAccountName={0})"
                                               user-search-base="DC=xxx,DC=xxx"
                                               group-role-attribute="CN"
                                               group-search-filter="(&amp;(objectClass=group)(member={0}))"
                                               group-search-base="OU=xxx,OU=xxx,DC=xxx,DC=xxx" />
    </security:authentication-manager>

    <bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder"/>

    <bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
</beans>

My guess is that something about my security:http sections is in conflict with some change in 3.1, hence it is not creating a springSecurityFilterChain bean for me.

In case you had not already guessed I'm using Grails 1.3.3

[Luke Taylor]

The "filters='none'" syntax had to be dropped in 3.1 to accomodate the ability to use multiple <http> blocks. The problem is that it applies to the single FilterChainProxy which is created, whereas each <http> block now corresponds to a filter chain within the FilterChainProxy (you will probably be aware of this, since it is specifically the issue you mention), so it doesn't make sense to allow this within an <http> element anymore.

Omitting a pattern from the filter chain is the same as adding an empty filter list for that pattern to the FilterChainProxy, so the new syntax is

Code:

<http pattern="/blah/*" security="none" />

<http>
    <!-- normal configuration -->
</http>

Omitting the pattern on the <http> element matches all requests.

The docs for 3.1 should already contain updates on this, so you'll find more in there and in the samples. You should also be using the 3.1 schema.

[mgiacomi]

(you will probably be aware of this, since it is specifically the issue you mention)

Oh god. I do remember reading that. It was one of the first things that I read when looking over (SEC-1171). I made a mental note of it and then I went through all the svn changes, look through a bunch of source code, and forgot my mental note.

I just made the change and everything is working.

Luke, I would also like to say thanks in general for your work on Spring Security. The library has come a long way, has a great feature set, good docs, and a responsive support forum.

Thanks,
~Matt

[Luke Taylor]

Thanks Matt . It's good to see people like yourself trying out 3.1 already - the more the merrier. Hopefully I'll be able to release milestone 1 this week, which should encourage others to give it a try.

[pmularien]

Thanks Matt . It's good to see people like yourself trying out 3.1 already - the more the merrier. Hopefully I'll be able to release milestone 1 this week, which should encourage others to give it a try.

I will definitely give it a try

Have been trying to keep up with changes in git, but haven't had time to put code together.