9

When I place the bean definition for springSecurityFilterChain in web.xml, I get an error indicating that Tomcat 7 will not start because there is a duplicate bean definition for springSecurityFilterChain. I uploaded the entire stack trace to a file sharing site, which you can read by clicking on this link. However, when I the comment out the springSecurityFilterChain bean definition in web.xml and try to restart the server, I get a different error message indicating that there is no bean definition for springSecurityFilterChain. You can read the second stack trace at the file sharing site by clicking on this link.

So where should I put the bean definition for springSecurityFilterChain, and what should its syntax be?

I think the problem might be that the spring petclinic sample app, which I am using to test this approach, has its own way of using a clinicservice and its own xml config files to handle application startup and the management of resources. You can view the entire code for the spring petclinic app at this link.

The changes I made to the petclinic app are as follows:

I added the following to pom.xml: 

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-web</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-config</artifactId>
  <version>3.2.2.RELEASE</version>
</dependency>

I added the following to web.xml: 

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

I added a package named org.springframework.security.samples.knowledgemanager.config to src/main/java in Java Resources, and then I added the following two classes to it:

MessageSecurityWebApplicationInitializer.java: 

@Order(2)
public class MessageSecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {}

SecurityConfig.java: 

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Autowired
    private UserDetailsService myCustomUserDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
        .jdbcAuthentication()
            .dataSource(dataSource)
            .and()
        .userDetailsService(myCustomUserDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
            .antMatchers("/app/**").hasRole("ADMIN")
            .and()
        .formLogin()
            .loginPage("/index.jsp")
            .defaultSuccessUrl("/app/")
            .failureUrl("/index.jsp")
            .permitAll()
            .and()
        .logout()
            .logoutSuccessUrl("/index.jsp");
    }
}
peterh
  • 11,875
  • 18
  • 85
  • 108
CodeMed
  • 9,527
  • 70
  • 212
  • 364

1 Answers1

11

I get an error indicating that Tomcat 7 will not start because there is a duplicate bean definition for springSecurityFilterChain

This is because you should define the springSecurityFilterChain with either (NOT both) the web.xml or a AbstractSecurityWebApplicationInitializer. As you appear to be using Java Configuration, I would remove the web.xml entry.

However, when I the comment out the springSecurityFilterChain bean definition in web.xml and try to restart the server, I get a different error message indicating that there is no bean definition for springSecurityFilterChain.

This is because the SecurityConfig needs to be referenced somehow. Typically the easiest way to do this when using Java Configuration is to pass in the configuration to the super class constructor of MessageSecurityWebApplicationInitializer.

However, the pet clinic is using XML configuration in the web.xml so you will need to do this by combining Java and XML configuration as outlined in the reference. For this example, you could include the following within src/main/resources/business-config.xml

<bean class="thepackage.SecurityConfig"/>

Naturally, you will need to replace thepackage with the package you are using for SecurityConfig.

The reason you can include the configuration in business-config.xml is because this is specified as a contextConfiguration to load in the web.xml. You could also create your own Spring bean XML file, add the SecurityConfig bean as shown above, and ensure to update the web.xml to point to the new Spring bean XML file.

Rob Winch
  • 21,440
  • 2
  • 59
  • 76
  • +1 and thank you. I am sorry it took me this long to mark yours as the answer. – CodeMed Mar 30 '14 at 16:04
  • I have a similar question about how to define the bean for a custom UserDetailsService being built into the petclinic sample. Are you willing to help me with it also? Here is the link: http://stackoverflow.com/questions/22750241/defining-bean-for-custom-userdetailsservice – CodeMed Mar 30 '14 at 21:43