
My Spring SecurityConfig is not being picked up

I have created a small web application based on this tutorial. The original version works as expected. Then I made some changes and it stopped working; that is, I can access the /hello page without logging in. I am learning this magical autoconfiguration world and I would like to understand where the key difference is between my code and the original one.

So I have the initializer, as I don't need the main thing, I want only a webapp:

public class Initializer extends AbstractAnnotationConfigDispatcherServletInitializer  {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return null;
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class<?>[] { WebConfig.class, SecurityConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }

}

Then I have this:

//@EnableWebMvc
// I tried with and without this annotation, no difference
// I guess as I extend WebMvcConfigurerAdapter I don't need this
@ComponentScan
@Configuration
@EnableAutoConfiguration
public class WebConfig {

}

@Configuration
public class WebMvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/home").setViewName("home");
        registry.addViewController("/").setViewName("home");
        registry.addViewController("/hello").setViewName("hello");
        registry.addViewController("/login").setViewName("login");
    }

}

And finally here is the security part:

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated();
        http.formLogin().loginPage("/login").permitAll().and().logout()
                .permitAll();
    }

    @Configuration
    protected static class AuthenticationConfiguration extends
            GlobalAuthenticationConfigurerAdapter {

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth
                    .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER");
        }

    }
}

These classes are all in the same package. I would be glad if someone explained to me what the reason is for this not working.

The SecurityConfig.class needs to be in the root application context, not in the servlet application context; thus write the following

@Override
protected Class<?>[] getRootConfigClasses() {
    return new Class<?>[] { SecurityConfig.class };
}

@Override
protected Class<?>[] getServletConfigClasses() {
    return new Class<?>[] { WebConfig.class };
}

in your Initializer class.

You may want to look at this blog post: https://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security
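To check which context a configuration class actually landed in, as the answer above distinguishes, a small diagnostic like the following can be called at request time. It is an added example, not code from the question or the answer; the class name `SecurityContextReport` is hypothetical, and it assumes the `javax.servlet` API and Spring MVC on the classpath.

```java
import java.util.Collections;
import java.util.Map;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.servlet.FrameworkServlet;

// Added diagnostic, not from the original post; the class name is hypothetical.
public final class SecurityContextReport {

    // Bean name Spring Security uses for the filter chain it builds.
    private static final String CHAIN_BEAN = "springSecurityFilterChain";

    private SecurityContextReport() { }

    public static String describe(ServletContext sc) {
        StringBuilder out = new StringBuilder();

        // Root context, built from getRootConfigClasses(); null if none was created.
        WebApplicationContext root = WebApplicationContextUtils.getWebApplicationContext(sc);
        out.append("root context: ")
           .append(root == null ? "not created" : holdsChain(root)).append('\n');

        // Each DispatcherServlet publishes its own context under this attribute prefix.
        for (String name : Collections.list(sc.getAttributeNames())) {
            if (name.startsWith(FrameworkServlet.SERVLET_CONTEXT_PREFIX)
                    && sc.getAttribute(name) instanceof WebApplicationContext) {
                WebApplicationContext servletCtx = (WebApplicationContext) sc.getAttribute(name);
                out.append("servlet context ").append(name).append(": ")
                   .append(holdsChain(servletCtx)).append('\n');
            }
        }

        // Filters registered with the container, by name and implementing class.
        for (Map.Entry<String, ? extends FilterRegistration> e
                : sc.getFilterRegistrations().entrySet()) {
            out.append("filter ").append(e.getKey()).append(" -> ")
               .append(e.getValue().getClassName()).append('\n');
        }
        return out.toString();
    }

    // containsLocalBean ignores parent contexts, so each context is judged on its own.
    private static String holdsChain(WebApplicationContext ctx) {
        return CHAIN_BEAN + (ctx.containsLocalBean(CHAIN_BEAN) ? " defined here" : " not defined here");
    }
}
```

Call `SecurityContextReport.describe(request.getServletContext())` from a temporary handler after startup, and compare the output before and after moving `SecurityConfig` into `getRootConfigClasses()`.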
