I have a Spring 3.2.4 application that allows public users (without login) to search in a form. I want to add CSRF Protection to this form, so I add this declaration in my applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-2.5.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<security:http auto-config='true'>
<security:intercept-url pattern="/**" access="permitAll" />
<security:csrf/>
</security:http>
<bean id="anonymousProcessingFilter"
class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
<property name="key" value="foobar"/>
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>
<bean id="anonymousAuthenticationProvider"
class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key" value="foobar"/>
</bean>
<bean id="filterInvocationInterceptor"
class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
<property name="objectDefinitionSource">
<security:filter-invocation-definition-source>
<security:intercept-url pattern="/**" access='ROLE_ANONYMOUS,ROLE_USER'/>
</security:filter-invocation-definition-source>
</property>
</bean>
But I got this error when compiling the project, but of course I don't need any kind of authenticationManager since there is no authenticated users in the application
org.xml.sax.SAXParseException; lineNumber: 43; columnNumber: 52; cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'security:filter-invocation-definition-source'.:org.xml.sax.SAXParseException:cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'security:filter-invocation-definition-source'.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-2.5.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<security:global-method-security secured-annotations="enabled" />
<security:http auto-config="true">
<!-- Restrict URLs based on role -->
<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/css/main.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
<!-- Override default login and logout pages -->
<security:form-login login-page="/login.html"
login-processing-url="/loginProcess"
default-target-url="/index.jsp"
authentication-failure-url="/login.html?login_error=1" />
<security:logout logout-url="/logout" logout-success-url="/logoutSuccess.html" />
</security:http>
<security:authentication-manager>
<security:authentication-provider >
<security:jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>
</security:authentication-manager>
Related
We have been working with a single Authentication Manager (LDAP) in spring security for some time, now we require two Authentication Managers one for Login- LDAP and other for IP based security. As IP based security is used as a global filter and LDAP only for login. Hence the two Authentication Managers.
We tried the solution in similar questions, however still facing the same problem.
The error code is :
org.springframework.beans.factory.BeanCreationException: Error
creating bean with name
'org.springframework.security.filterChainProxy': Invocation of init
method failed; nested exception is java.lang.IllegalArgumentException:
A universal match pattern ('/**') **is defined before other patterns
in the filter chain, causing them to be ignored. Please check the
ordering in your namespace or FilterChainProxy bean
configuration
Web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- needed for ContextLoaderListener -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/application-context.xml
/WEB-INF/spring/security-context.xml
</param-value>
</context-param>
<!-- Bootstraps the root web application context before servlet initialization -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>dispatcher-servlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/dispatcher-servlet.xml</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher-servlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
Application Context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:jpa="http://www.springframework.org/schema/data/jpa"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-4.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa-1.8.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd">
<tx:annotation-driven/>
<jdbc:embedded-database id="datasource" type="H2">
<jdbc:script location="classpath:init.sql"/>
</jdbc:embedded-database>
<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="dataSource" ref="datasource"/>
<property name="persistenceUnitName" value="autoservice"/>
</bean>
<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
<property name="entityManagerFactory" ref="entityManagerFactory"/>
</bean>
<jpa:repositories base-package="com.oreilly.security.domain.repositories"/>
Security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
<context:component-scan base-package="com.oreilly.security"/>
<bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />
<security:http use-expressions="false" authentication-manager-ref="LDAPAuth">
<security:form-login login-page="/login"
login-processing-url="/login" username-parameter="custom_username"
password-parameter="custom_password" default-target-url="/appointments/"
always-use-default-target="true" authentication-failure-url="/login?error=true" />
<security:logout logout-url="/logout"
logout-success-url="/login?logout=true" />
<security:intercept-url pattern="/appointments/*"
access="ROLE_USER,ROLE_ADMIN" />
<security:intercept-url pattern="/schedule/*"
access="ROLE_ADMIN" />
</security:http>
<security:http use-expressions="false" authentication-manager-ref="IpAuth">
<security:form-login login-page="/login"
login-processing-url="/login" username-parameter="custom_username"
password-parameter="custom_password" default-target-url="/appointments/"
always-use-default-target="true" authentication-failure-url="/login?error=true" />
<security:logout logout-url="/logout"
logout-success-url="/login?logout=true" />
<security:intercept-url pattern="/**"
access="ROLE_USER,ROLE_ADMIN" />
</security:http>
<security:authentication-manager id ="IpAuth">
<security:authentication-provider ref="customAuthenticationProvider"/>
</security:authentication-manager>
<security:authentication-manager id = "LDAPAuth">
<security:ldap-authentication-provider user-search-filter="(uid={0})"
group-search-base="ou=groups" group-search-filter="(uniqueMember={0})"
server-ref="ldapServer" user-context-mapper-ref="contextMapper" role-prefix="ROLE_"
group-role-attribute="cn"/>
</security:authentication-manager>
<security:ldap-server id="ldapServer" url="ldap://localhost:10389/dc=oreilly,dc=com"
manager-dn="uid=admin,ou=system" manager-password="secret"/>
</beans>
Kindly let us know how to get about solving this problem , have been stuck for days :-)
What is telling you is that you have more than one universal pattern matching http sections in your security-config:
<security:http use-expressions="false" authentication-manager-ref="LDAPAuth">
<security:form-login login-page="/login"
login-processing-url="/login" username-parameter="custom_username"
password-parameter="custom_password" default-target-url="/appointments/"
always-use-default-target="true" authentication-failure-url="/login?error=true" />
<security:logout logout-url="/logout"
logout-success-url="/login?logout=true" />
<security:intercept-url pattern="/appointments/*"
access="ROLE_USER,ROLE_ADMIN" />
<security:intercept-url pattern="/schedule/*"
access="ROLE_ADMIN" />
</security:http>
<security:http use-expressions="false" authentication-manager-ref="IpAuth">
<security:form-login login-page="/login"
login-processing-url="/login" username-parameter="custom_username"
password-parameter="custom_password" default-target-url="/appointments/"
always-use-default-target="true" authentication-failure-url="/login?error=true" />
<security:logout logout-url="/logout"
logout-success-url="/login?logout=true" />
<security:intercept-url pattern="/**"
access="ROLE_USER,ROLE_ADMIN" />
</security:http>
If you want to have more than one <security:http /> elements, you must apply a pattern to all of them except the last. For example:
<security:http pattern="/zone1/*" ... />
<security:http pattern="/zone2/*" ... />
...
<security:http ... /> <!-- the last one does not need to apply a pattern -->
According to your config, in your first security:http element you have two intercept-url patterns (/appointmens/**, /schedule/**). You could try to apply a regex matcher to the first security:http element (based in this answer):
<security:http request-matcher="regex" pattern="^/(appointments|schedule)(/(\S)+)+$"
use-expressions="false" authentication-manager-ref="LDAPAuth" >
...
</security:http>
<security:http use-expressions="false" authentication-manager-ref="IpAuth">
...
</security>
Please check the regex to avoid any typo or error I could made.
Looking deeper in your config, I see that the only difference from one to each other is the use of a different authentication-manager. Maybe you could try mixing the two authentication-providers in the same manager, as spring-security is capable of managing more than one authentication provider at the same time. It is able to check the login request to one provider and then to the other (or others) and then act accordingly.
It would be more or less like that:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
<context:component-scan base-package="com.oreilly.security"/>
<bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />
<security:http use-expressions="false" authentication-manager-ref="authenticationManager">
<security:form-login login-page="/login"
login-processing-url="/login" username-parameter="custom_username"
password-parameter="custom_password" default-target-url="/appointments/"
always-use-default-target="true" authentication-failure-url="/login?error=true" />
<security:logout logout-url="/logout"
logout-success-url="/login?logout=true" />
<security:intercept-url pattern="/appointments/*"
access="ROLE_USER,ROLE_ADMIN" />
<security:intercept-url pattern="/schedule/*"
access="ROLE_ADMIN" />
<security:intercept-url pattern="/**"
access="ROLE_USER,ROLE_ADMIN" />
</security:http>
<security:authentication-manager id ="authenticationManager">
<security:authentication-provider ref="customAuthenticationProvider"/>
<security:ldap-authentication-provider user-search-filter="(uid={0})"
group-search-base="ou=groups" group-search-filter="(uniqueMember={0})"
server-ref="ldapServer" user-context-mapper-ref="contextMapper" role-prefix="ROLE_"
group-role-attribute="cn"/>
</security:authentication-manager>
<security:ldap-server id="ldapServer" url="ldap://localhost:10389/dc=oreilly,dc=com"
manager-dn="uid=admin,ou=system" manager-password="secret"/>
</beans>
Note I merged your two managers in just one with both authentication providers inside it. Then, I merged too the <security:http /> elements in just one (so that it is not longer necessary to apply any regex nor any other pattern to it) and now there are three <security:intercept-url /> elements, the two from the first original <security:http> and the one from the second.
I'm trying to cope with Spring Security and I think I got it work so far but can somebody explain to me a few things here? In particular I would like to know why I need to use this beans: prefix in this configuration file:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<beans:import resource="applicationContext-jooq.xml"/>
<global-method-security pre-post-annotations="enabled" secured-annotations="enabled" />
<http auto-config="true" >
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
</http>
<authentication-manager >
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<!-- BEGIN Services -->
<beans:bean id="loginService" class="com.mz.server.web.service.LoginService">
<beans:constructor-arg>
<beans:ref bean="dsl" />
</beans:constructor-arg>
</beans:bean>
<!-- END Services -->
</beans:beans>
Another thing I'd like to understand is the difference between
<intercept-url pattern="/" .. />
<intercept-url pattern="/*" .. />
<intercept-url pattern="/**" .. />
You mixxed up your xml-header where spring-security is your root-header now.
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd"
........> </beans>
Second Question:
The difference between * and ** is that the * only describes the same folder, while ** is recursive. I am not sure about a / without regex, but i think it won't protect.
I am using Spring 3.1 and Spring Security 3.1 and JBoss EAP 6.
I have been trying to use the Spring security #Secured annotation, but it doesn't work. I think i have done things right, but clearly something is wrong.
I have tried #Secured on classes, methods, but really where I want it, is to be on the interface, which is what it states in Spring doc's.
spring-security.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:global-method-security secured-annotations="enabled" />
<security:http auto-config="true">
<!-- Restrict URLs based on role -->
<security:intercept-url pattern="/test/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/test/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
<security:intercept-url pattern="/test/admin**" access="ROLE_ADMIN" />
<!-- Override default login and logout pages -->
<security:form-login login-page="/test/login"
login-processing-url="/j_spring_security_check"
default-target-url="/test/testHome"
authentication-failure-url="/test/loginfailed" />
<security:logout invalidate-session="true" logout-success-url="/test/logout" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="test_user" password="test" authorities="ROLE_ADMIN" />
<security:user name="test_admin" password="admin" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
spring.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/jdbc
http://www.springframework.org/schema/jdbc/spring-jdbc-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:annotation-config/>
<context:component-scan base-package="com.test.service"/>
</beans>
mvc-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
<context:component-scan base-package="com.test.service"/>
<mvc:annotation-driven/>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/"/>
<property name="suffix" value=".jsp"/>
</bean>
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames">
<list>
<value>mymessages</value>
</list>
</property>
</bean>
</beans>
client-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oxm="http://www.springframework.org/schema/oxm"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/oxm
http://www.springframework.org/schema/oxm/spring-oxm-3.0.xsd">
<oxm:jaxb2-marshaller id="marshaller" contextPath="com.test.service.ws" />
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location">
<value>classpath:/environment.properties</value>
</property>
</bean>
<bean id="webServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
<property name="marshaller" ref="marshaller" />
<property name="unmarshaller" ref="marshaller" />
<property name="defaultUri" value="${test.webServiceTemplate.defaultUri}" />
</bean>
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location">
<value>classpath:/activedirectory.properties</value>
</property>
</bean>
<bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="${test.activeDirectory.domain}" />
<constructor-arg value="${test.activeDirectory.activeDirectoryServer}" />
<property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper" />
<property name="useAuthenticationRequestCredentials" value="true" />
<property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>
<bean id="tdrUserDetailsContextMapper" class="com.test.service.web.user.impl.UserDetailsContextMapperImpl" />
</beans>
One of my interfaces
import org.springframework.security.access.annotation.Secured;
public interface TestService {
#Secured ({"ROLE_XXX"})
TestResponse getCustomer(TestRequest request);
}
I am a newbie to spring beans. I'm referring books and blogs. In some the context configuration is given as <beans:bean> and in some just <beans>. What is the difference? Should we give the XML namespace in the context file? Will it refer the acutal site at the time of application deployment?
It doesn't matter as far as Spring is concerned - the XML must be valid so that Spring can understand it, that's it. It is up to you which format you choose. Normally you use default namespace to avoid typing too much (all examples based on Appendix C. XML Schema-based configuration):
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
<bean id="..."/>
</beans>
xmlns="..." attribute defines default namespace (the one used if you don't specify any namespace at all, like <beans/>. This is fine as long as you use only single beans namespace and occasionally few declarations from other namespaces:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
<bean id="..." class="...">
<property name="isolation">
<util:constant static-field="java.sql.Connection.TRANSACTION_SERIALIZABLE"/>
</property>
</bean>
</beans>
But sometimes you'll notice you are using way more nodes from different namespaces compared to default beans namespace. A good example is Spring Security configuration file:
<beans xmlns:security="http://www.springframework.org/schema/security"
xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<security:http auto-config='true'>
<security:intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/**" access="ROLE_USER" />
<security:form-login login-page='/login.jsp'/>
<security:session-management>
<security:concurrency-control max-sessions="1" />
</security:session-management>
<security:openid-login>
<security:attribute-exchange>
<security:openid-attribute name="email" type="http://axschema.org/contact/email" required="true" />
<security:openid-attribute name="name" type="http://axschema.org/namePerson" />
</security:attribute-exchange>
</security:openid-login>
</security:http>
<security:authentication-manager>
<security:authentication-provider user-service-ref='myUserDetailsService'/>
</security:authentication-manager>
<bean id="myUserDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource"/>
</bean>
</beans>
You see how clumsy it is because beans default namespace is used so rarely but the whole file must be cluttered with security: prefix? What about this (notice how xmlns namespace declarations have changed):
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<http auto-config='true'>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp'/>
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
<openid-login>
<attribute-exchange>
<openid-attribute name="email" type="http://axschema.org/contact/email" required="true" />
<openid-attribute name="name" type="http://axschema.org/namePerson" />
</attribute-exchange>
</openid-login>
</http>
<authentication-manager>
<authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>
<beans:bean id="myUserDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<beans:property name="dataSource" ref="dataSource"/>
</beans:bean>
</beans:beans>
These two configuration files are semantically equivalent (it is just a different way to encode the same information). But the latter is much more readable. Just use default namespace whichever namespace is used the most.
It depends on XML namespace configuration and is not Spring feature, makes no difference for the code, make some difference to coder, and in fact but effect of defining xmlns attribute on root xml element. Read more about <beans:bean> in this chapter of Spring Security (which isn't in fact the same as Spring Framework, but is very common and uses its own namespace in XML files). You can write:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security pre-post-annotations="enabled">
<expression-handler ref="expressionHandler"/>
</global-method-security>
<beans:bean id="expressionHandler" class=
"org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="myPermissionEvaluator"/>
</beans:bean>
</beans:beans>
which is equivalent to:
<beans xmlns="http://www.springframework.org/schema/beans" <!-- see the difference here? -->
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:global-method-security pre-post-annotations="enabled">
<security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
<bean id="expressionHandler" class=
"org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="myPermissionEvaluator"/>
</bean>
</beans>
Personally I always use beans as main namespace, but it's matter of habit.
Here's my application-security.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<!--
- Sample namespace-based configuration
-
- $Id: applicationContext-security.xml 3019 2008-05-01 17:51:48Z luke_t $
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security secured-annotations="enabled">
</global-method-security>
<!-- Don't set any role restrictions on login.jsp -->
<intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- Restrict access to ALL other pages -->
<intercept-url pattern="/**" access="ROLE_USER" />
<intercept-url pattern="/admin/*.html" access="ROLE_ADMIN" />
<intercept-url pattern="/manager/*.html" access="ROLE_MANAGER" />
<intercept-url pattern="/**.html" access="ROLE_USER,ROLE_ADMIN, ROLE_MANAGER" />
<!-- Set the login page and what to do if login fails -->
<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" default-target-url="/user/userdashboard/dashboard.html" />
<logout logout-success-url="/login.jsp"/>
</http>
<!--
Usernames/Passwords are
rod/koala
dianne/emu
scott/wombat
peter/opal
-->
**<security:authentication-provider>
<jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>**
</beans:beans>
Everything works fine but I get this weird error of "The prefix "security" for element "security:authentication-provider" is not bound." even though I have supplied the closing tag. Anyone having any clue about how to go about this problem?
Either use "security" for all elements, by using the proper namespace:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
...
</beans>
And then use "security:" everywhere, for instance:
<security:global-method-security secured-annotations="enabled">
</security:global-method-security>
Or completly get rid of it:
...
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>
...
because you configured the default namespace xmlns="http://www.springframework.org/schema/security"