0

I have a Spring application and all I am trying to do is add all the default headers to it which Spring Security provides. My web.xml changes are as follows:

```xml
<!-- Loads Spring Security config file -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

My spring-security.xml is as follows:

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <http auto-config="true">
        <headers />
    </http>

</beans:beans>
```

I am seeing the following errors on startup

```
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot resolve reference to bean 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' while setting constructor argument with key [4]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0': Cannot resolve reference to bean 'org.springframework.security.authentication.ProviderManager#0' while setting bean property 'authenticationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot resolve reference to bean 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add a gobal element to your configuration (with child elements)? Alternatively you can use the authentication-manager-ref attribute on your and elements.
```

p0tta

2 Answers

1

You need to give it something to authenticate users. Try adding

```xml
<user-service>
    <user name="user" password="password" authorities="ROLE_USER" />
</user-service>
```

to your security XML and see the example here.

Chris Thompson
  • I don't need any username or password in my application. Should I still add this? – p0tta Apr 12 '17 at 01:56
  • Well, no haha. But you need *some* sort of `AuthenticationManager` as the security framework expects it. I've built all kinds of these that use tokens, OAuth, etc. It definitely can be done, you just have to research the specific use case. Either way, you do need an `AuthenticationManager` instance – Chris Thompson Apr 12 '17 at 01:58
  • See here https://stackoverflow.com/questions/31826233/custom-authentication-manager-with-spring-security-and-java-configuration – Chris Thompson Apr 12 '17 at 01:58
  • I just need the headers. Is there any easy way to do it? – p0tta Apr 12 '17 at 02:22
  • @p0tta If you just need the headers, I'd create your own filter and set them yourself. Spring Security is going to come with a whole host of other stuff that you don't need – Chris Thompson Apr 12 '17 at 02:24
  • That makes sense. Any helpful articles that you can point me to? – p0tta Apr 12 '17 at 02:30
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/141482/discussion-between-chris-thompson-and-p0tta). – Chris Thompson Apr 12 '17 at 02:30
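
The filter approach suggested in the comments above, as an added example that is not part of the original thread: a plain servlet filter that sets the same response headers Spring Security's `<headers />` element writes by default, with no `AuthenticationManager` involved. The package and class names are hypothetical, and the `javax.servlet` API is assumed to match the `web.xml` setup in the question.

```java
package com.example.web; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class: writes the Spring Security default headers by hand.
public class SecurityHeadersFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse response = (HttpServletResponse) res;
            // Set headers before chain.doFilter(): once the response is
            // committed, later setHeader() calls are silently ignored.
            response.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.setHeader("Expires", "0");
            response.setHeader("X-Content-Type-Options", "nosniff");
            response.setHeader("X-Frame-Options", "DENY");
            response.setHeader("X-XSS-Protection", "1; mode=block");
            // HSTS is only meaningful over HTTPS; browsers ignore it on plain HTTP.
            if (req.isSecure()) {
                response.setHeader("Strict-Transport-Security",
                        "max-age=31536000 ; includeSubDomains");
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Register it in `web.xml` with a `<filter>` and a `<filter-mapping>` on `/*`, the same way `springSecurityFilterChain` is mapped in the question. Behind a TLS-terminating proxy `isSecure()` may return false unless the container is configured to trust the forwarded scheme, in which case the HSTS header is not sent.
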
1

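Try this in the SecurityConfig Java class to disable Cross-Site Request Forgery (CSRF). This is enabled by default:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // ...

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        // You can continue extending this method call, e.g. by calling
        // authorizeRequests()
        http.headers().xssProtection();
    }
}
```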