Can I inject the WebApplicationContext of my Spring MVC servlet into a DelegatingFilterProxy? - spring

I am creating an OAuth authorization server that uses Spring Security as my security layer around parts of my servlet. An essential part of this is using the DelegatingFilterProxy to map to the springSecurityFilterChain bean, which requires a WebApplicationContext instance.
The standard solution is to include a ContextLoaderListener with associated contextConfigLocation configuration. But that entails creating a separate configuration for the root WebApplicationContext, needlessly complicating matters in my opinion.
According to the Spring MVC documentation, every DispatcherServlet has it's own WebApplicationContext instance. What's more, from perusing the code of DelegatingFilterProxy, it should be possible to inject a WebApplicationContext instance at construction time.
So my question is: Can I set the DispatcherServlet WebApplicationContext as the instance for DelegatingFilterProxy?
Here is the relevant configuration I have currently:
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1"
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<!-- Enable Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>oauth</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/servlet.xml</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>oauth</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
servlet.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<mvc:annotation-driven/>
<!-- ... Spring MVC config ... -->
<!-- Spring Security OAuth Config -->
<security:global-method-security pre-post-annotations="enabled" />
<oauth:authorization-server client-details-service-ref="clientDetails"
token-services-ref="tokenServices"
token-endpoint-url="/api/token">
<oauth:refresh-token/>
<oauth:client-credentials/>
</oauth:authorization-server>
<!-- ... loads more OAuth config ... -->
</beans>


DispatcherServlet (as any subclass of FrameworkServlet) will publish its WebApplicationContext in the ServletContext using the attribure name: org.springframework.web.servlet.FrameworkServlet.CONTEXT.<servlet-name>.
At the same time DelegatingFilterProxy can be told not to use the root WebApplicationContext but another one stored in the ServletContext by setting its contextAttribute parameter.
In your case the required config would be:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.oauth </param-value>
</init-param>
</filter>
See more about how DelegatingFilterProxy looks up the WebApplicationContext in the javadoc of findWebApplicationContext().

Related

Exception sending context initialized event to listener instance of class [org.springframework.boot.legacy.context.web.SpringBootContextLoaderListener

I am stuck with this issue where my context is initialized but not able to send that event to listener instance of class [org.springframework.boot.legacy.context.web.SpringBootContextLoaderListener]
Error from localhost.log of Catalina
org.springframework.context.ApplicationContextException: Failed to load custom context class [classpath:META-INF/spring/mvc-root.xml]; nested exception is java.lang.ClassNotFoundException: classpath:META-INF/spring/mvc-root.xml
at org.springframework.boot.legacy.context.web.SpringBootContextLoaderListener.createSpringApplicationBuilder(SpringBootContextLoaderListener.java:174)
mvc-root.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<context:component-scan base-package="com.bnpparibas.wmi.tat"/>
</beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>tatv3</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:META-INF/spring/mvc-root.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.boot.legacy.context.web.SpringBootContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>com.bnpparibas.wmi.tat.config.MyContextListener</listener-class>
</listener>
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.context.WebApplicationContext.ROOT</param-value>
</init-param>
<init-param>
<param-name>contextClass</param-name>
<param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<session-config>
<session-timeout>5</session-timeout>
</session-config>
</web-app>
Note :: This same configuration was working fine with Spring Boot 1.3 but it is failing after upgrading to Spring Boot 2.7
Any help would be much appreciated!!!

Spring MVC can't do JSPs? 404

I am just trying to go to a JSP. That's it. It gives a 404, or, if I get it working, no HTML works. Nothing I do works without breaking something else. We have a mixture of JSPs, html, css, etc all under a resources directory we reference as /r/ in our spring dispatcher servlet. Please help me compile spring JSPs. I am about to abandon Spring all together.
Here's my Spring dispatch servlet.
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop" xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:lang="http://www.springframework.org/schema/lang" xmlns:p="http://www.springframework.org/schema/p"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<mvc:view-controller path="/" view-name="/r/views/welcome.html"/>
<!-- Enable #Controller annotation support -->
<mvc:annotation-driven />
<!-- Allow static resources to be served from the /resources folder -->
<mvc:resources mapping="/r/**" location="/resources/" />
<!-- Scan classpath for annotations (eg: #Service, #Repository etc) -->
<context:component-scan base-package="com.cs" />
<context:property-placeholder location="file:/TcatServer6/Mytime/properties/mytime-agentdesktop/agentdesktop.properties" />
</beans>
Here's my web.xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>agent-desktop</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>httpMethodFilter</filter-name>
<filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>httpMethodFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>agent-desktop</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>agent-desktop</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>

You have to tell Spring how to know how to resolve the view that you're returning from your controller. For example:
<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
<property name="prefix" value="/WEB-INF/jsp/"/>
<property name="suffix" value=".jsp"/>
</bean>
See the official documentation on view resolvers for more info.

Spring's load-time weaving of spring managed beans, is there a conflict?

My project already had some aspects working using <aop:aspectj-autoproxy/> and using the aspectj style #Aspect annotations. But because we needed to advise some classes outside our control we wanted to introduce the Spring-style load time weaving for Tomcat as described in http://docs.spring.io/spring/docs/3....tml#aop-aj-ltw
My LTW configuration seems to be correct insofar as I have turned on the verbose and debug weaver options and I am seeing lines like this in my catalina.out
2013-11-28 13:17:57,167+0000 [INFO ] org.springframework.context.weaving.DefaultContext LoadTimeWeaver [main] - Using a reflective load-time weaver for class loader: org.springframework.instrument.classloading.tomcat .TomcatInstrumentableClassLoader
[TomcatInstrumentableClassLoader#53ea0105] info register aspect com.anon.profiling.aspect.MyAspect
...
[TomcatInstrumentableClassLoader#273d1402] debug not weaving 'org.quartz.SimpleTrigger'
[TomcatInstrumentableClassLoader#273d1402] debug not weaving 'org.apache.http.conn.scheme.SocketFactory'
...
The class I want to instrument is in a package with several others and I can see other classes in that package being debugged in the same way as not being woven. But about half of the classes (including the one I'm interested in...) aren't mentioned at all - either as being not woven or ignored or otherwise. Digging into it a little I think I spot a pattern that the classes being ignored are managed by Spring: either by being declared in an applicationContext.xml or being injected into another class with an #Inject.
Is it the case that a spring managed bean will not be loaded by the TomcatInstrumentableClassLoader for weaving? Is there something I need to add to my config to enable it?
-- Rachel
Edit: In response to #gadget
aop.xml
<aspectj>
<!-- "includes" required in order to use both Spring AOP as well as AspectJ Load Time Weaving where Proxied classes are not possible eg. MarkLogicClient -->
<weaver options="-verbose -showWeaveInfo -Xset:weaveJavaxPackages=true">
<!-- only weave classes in the following packages -->
<include within="mycompany..*"/>
<include within="javax.*"/>
</weaver>
</aspectj>
applicationContext.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-2.0.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<context:component-scan base-package="mycompany.appname"/>
<context:annotation-config/>
<aop:aspectj-autoproxy proxy-target-class="true"/>
<context:load-time-weaver/>
<!-- bean declarations normally here, removed for brevity -->
</beans>
web.xml (apologies, it's a bit long but i didnt want to remove anything in case it was significant)
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>appname</display-name>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>classpath:log4j.properties</param-value>
</context-param>
<servlet>
<servlet-name>servicestatus</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>4</load-on-startup>
</servlet>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/*.xml</param-value>
</context-param>
<servlet>
<servlet-name>jersey-servlet</servlet-name>
<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
<param-value>mycompany.appname.security.ResourceFilterFactory</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.property.WadlGeneratorConfig</param-name>
<param-value>mycompany.appname.jersey.Isite2WadlGeneratorConfig</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jersey-servlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>servicestatus</servlet-name>
<url-pattern>/servicestatus</url-pattern>
</servlet-mapping>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>logging</param-value>
</context-param>
<context-param>
<param-name>propertiesConfigLocation</param-name>
<param-value>classpath:spring/propertiesConfigContext.xml</param-value>
</context-param>
<filter>
<filter-name>utf8ValidatingFilter</filter-name>
<filter-class>mycompany.appname.filter.Utf8ValidatingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>utf8ValidatingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>timingFilter</filter-name>
<filter-class>mycompany.appname.filter.TimingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>timingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>mycompany.appname.log.EnvironmentalPropertiesLog4jContextListener</listener-class>
</listener>
</web-app>

When ever i add spring security configuration in web.xml i get the error "No WebApplicationContext found: no ContextLoaderListener registered?"

When i add the following into web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I am getting the following error
java.lang.IllegalStateException: No WebApplicationContext found: no ContextLoaderListener registered?
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:251)
Could someone help me here?

I see that you didn't attached your entire web.xml.
From the exception you got I assume you did not configure Spring IoC container which is an integral part of Spring.
You have several ways to do so, here is one way (goes in your web.xml):
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
You can start with an empty applicationContext.xml, here is an example:
<?xml version="1.0" encoding="utf-8"?>
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:flex="http://www.springframework.org/schema/flex" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/flex
http://www.springframework.org/schema/flex/spring-flex-1.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
">
</beans>
You can read more about Spring configuration in here
Spring IoC container

Adding spring security to my current springmvc

Sorry I'm rather new to Spring Security. I've got the following applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
<!-- Activates various annotations to be detected in bean classes -->
<context:annotation-config />
<!-- Scans the classpath for annotated components that will be auto-registered as Spring beans.
For example #Controller and #Service. Make sure to set the correct base-package-->
<context:component-scan base-package="org.assessme.com" />
<!-- Configures the annotation-driven Spring MVC Controller programming model.
Note that, with Spring 3.0, this tag works in Servlet MVC only! -->
<mvc:annotation-driven />
</beans>
I'm following the tutorial on...
http://static.springsource.org/spring-security/site/tutorial.html
my question is, should I add to my existing applicationContext.xml or make a seperate XML file?
My web.xml is as follows...
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
I'm a little bit confused as in the tutorial, it specifies the context-param of the xml but I already have one declared, can I have more that one context-param? If someone could give me an idea of the best way to use springmvc and spring security together that would be great as at the moment I'm finding it hard to "merge" the xml files.
Thanks,

You can have your security configuration in a separate file or combine with your existing application Context. If you want to use existing application context. You keep the default namespace as beans like this:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http auto-config="true">
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
...
</beans>
and you have to prefix all security elements with security.
But if you define in separate files. The advantage is you can have security as the default namespace and omit the security prefix like this:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config='true'>
<intercept-url pattern="/**" access="ROLE_USER" />
</http>
...
</beans:beans>
The common way is to define file names like this:
1)applicationContext.xml
2)applicationContext-security.xml
and in your web.xml like this:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext*.xml</param-value>
</context-param>
or as a comma or space separated list also like below:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml /WEB-INF/applicationContext-security.xml</param-value>
</context-param>
Documentation: ContextLoader
Documentation: namespace config

In the tutorial that you're following, it also uses:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:applicationContext-business.xml
/WEB-INF/security-app-context.xml
</param-value>
</context-param>
in which applicationContext-business.xml is like your root-context.xml. So, you need to add the path to your Spring security configuration file. And, remember to also include the security filter mentioned in your web.xml.

Resources