How to use the spring-security filters without an application context?

Question

I want to use the spring-security web-filters without a spring application-context (or spring container) straight from java code.

Is this possible? Can I call the different spring live-cycle methods directly and if so is there a sample of how to do that (which different interfaces to care of and their ordering)?

Answer 1

I want to use the spring-security web-filters without a spring application-context

You can't.

Because when you define the filter chain proxy in your web.xml :

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

The DelegatingFilterProxy actually expects to find your contextConfigLocation and valid config files in there:

<context-param>
    <param-name>contextConfigLocation</param-name>

    <!-- This must be valid otherwise your .war deployment will fail -->
    <param-value>WEB-INF/spring-contexts/spring-contexts.xml</param-value>
</context-param>

Answer 2

I think it's possible but it doesn't worth it.

Spring is a complicated framework that isolates you for the burden of configuring a Java application. Why do you want to use Spring without Spring?

Regarding your question, the formerly Spring security, Acegi, claimed that can be used without Spring.

So you can try, but your main problem is going to be to load the entire application at server startup. You'll need to duplicate the functionality that contains the ContextLoaderListener.

Try to create your own listener instead of

    <!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

And then configure the main servlet for your application (because I presume that you don't want to use Spring MVC) and the Security Filter as Simeon said.

And good luck.

Alternatively, you can try Apache SHIRO