I am developing a Spring application that starts an embedded Jetty Server. It then "deploys" a Spring MVC web app to this Jetty server.
All is working well with multiple controllers, but I fail to add Spring Security to the web app. I use programmatic and annotation-based configuration and the Jetty server is configured like this:
Server server = new Server(8080);
server.setStopAtShutdown(true);
AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
context.setConfigLocation("com.mypackage.web");
context.setParent(mainContext);
ServletContextHandler contextHandler = new ServletContextHandler();
contextHandler.setErrorHandler(null);
contextHandler.setContextPath("/");
DispatcherServlet dispatcherServlet = new DispatcherServlet(context);
DefaultServlet staticServlet = new DefaultServlet();
contextHandler.addServlet(new ServletHolder(dispatcherServlet), "/");
contextHandler.addServlet(new ServletHolder("staticServlet", staticServlet), "/res");
contextHandler.addEventListener(new ContextLoaderListener(context));
contextHandler.setResourceBase("webapp");
server.setHandler(contextHandler);
I also created a class com.mypackage.web.SecurityConfig that extends WebSecurityConfigurerAdapter and overrides the configure method like so:
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().and()
.httpBasic();
}
}
As far as I understand the documentation, this should be enough to "lock down" my application. When I start the application in debug mode, a breakpoint gets hit in the configure method, so Spring seems to detect the config class.
However, I can still access any page in my application without getting redirected to the default login form.
Do I need to tell the Jetty Servlet container about this config or am I missing something else?
