i have written a small webapp using spring-security and spring-mvc with an annotation based configuration (@Secured). in order to have that work i had to split up the spring-security configuration:
app-context.xml (included in web.xml's ContextConfigLocation)
<security:http auto-config="true"/>
app-servlet.xml (spring-mvc's dispatcherservlet loads this)
<security:global-method-security secured-annotations="enabled"/>
Why did i have to split these up? when i put all the security configuration in app-context.xml the @Secured annotations seem to be ignored, so you dont need to be logged in to access the @Secured Controller methods.
When i put it all in app-servlet.xml the following Exception is raised...
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:504)
at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1041)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:273)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1008)
at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:217)
at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java:145)
at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:179)
i don't get it :/