Spring security java config does not intercept

Question

I'm trying to put spring security into my spring mvc project using java configuration, however, I can still access all the pages without any spring security interception. Can anybody give some help? Thank you. (I'm using weblogic 12c)

part of pom.xml

    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>3.0.1</version>
    </dependency>
    <dependency>
        <groupId>javax.servlet.jsp</groupId>
        <artifactId>jsp-api</artifactId>
        <version>2.1</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>jstl</artifactId>
        <version>1.2</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>4.0.3.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>4.0.3.RELEASE</version>
    </dependency>

WebAppInitializer.java

package com.home.config;

public class WebAppInitializer implements WebApplicationInitializer {

@Override
public void onStartup(ServletContext container) throws ServletException {
    AnnotationConfigWebApplicationContext rootCtx = new AnnotationConfigWebApplicationContext();
    rootCtx.register(HomeConfig.class);

    container.addListener(new ContextLoaderListener(rootCtx));
    container.setInitParameter("defaultHtmlEscape", "true");

    AnnotationConfigWebApplicationContext webCtx = new AnnotationConfigWebApplicationContext();
    webCtx.register(WebConfig.class);

    ServletRegistration.Dynamic servlet = container.addServlet(
            "spring-dispatcher", new DispatcherServlet(webCtx));
    servlet.setLoadOnStartup(1);
    servlet.addMapping("/");
}

}

WebConfig.java

package com.home.config;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = { "com.home.controllers", "com.home.websecurity" })
public class WebConfig extends WebMvcConfigurerAdapter {

@Bean
public ViewResolver viewResolver() {
    InternalResourceViewResolver resolver = new InternalResourceViewResolver();
    resolver.setPrefix("/WEB-INF/views/");
    resolver.setSuffix(".jsp");
    resolver.setExposeContextBeansAsAttributes(true);
    return resolver;
}

// Configure static content handling
@Override
public void configureDefaultServletHandling(
        DefaultServletHandlerConfigurer configurer) {
    configurer.enable();
}
}

SecurityConfig.java

package com.home.websecurity;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
        throws Exception {
    auth.inMemoryAuthentication().withUser("user").password("abc123")
            .roles("USER");
    auth.inMemoryAuthentication().withUser("admin").password("root123")
            .roles("ADMIN");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().anyRequest().authenticated().and().formLogin()
            .and().httpBasic();
}
}

SecurityWebInitializer.java

package com.home.websecurity;

public class SecurityWebInitializer extends
    AbstractSecurityWebApplicationInitializer {
}

Answer 1

I spent a long time try to get Spring 4 to work with Weblogic 12c. What works for me in this case is to add the following code to your onStartup() method in WebAppInitializer class:

Dynamic registration = context.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class);
EnumSet<DispatcherType> dispatcherTypes = EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC);
registration.addMappingForUrlPatterns(dispatcherTypes, true, "/*");

and get rid of the SecurityWebInitializer class. I also have to explicitly import the security config to the root config class.