Upgrading to Spring 3.0.0.M3 and Spring Security 3.0.0.M1

Florin — Fri, 05 Jun 2009 02:50:31 +0000

A short two months back I posted an article describing how to upgrade to Spring 3.0 M2. Spring folks are releasing at breakneck speed and so I got busy again upgrading spincloud.com to Spring 3.0 M3 released at the beginning of May. Just yesterday (June 3rd) the team released Spring Security 3.0 M1 and I decided to roll this in Spincloud as well.

Upgrading Spring Security from 2.0.4 to 3.0.0 M1
For Spring Security 3.0.0 M1 I’m doing a “soft” upgrade since I had done my homework when I migrated from Acegi. I won’t use any of the new 3.0 features, just getting ready to use them.

To digress a bit, Spring Security a technology that is harder to swallow due to its breadth. To simplify the picture, Spring Security (former Acegi) provides three major security concerns to enterprise applications:
- Authorization of method execution (either through standard JSR-250 JEE security annotations or via specific annotation-based method security).
- HTTP Request authorization (mapping URLs to accessible roles using Ant style or regexp’ed paths, dubbed channel security).
- Website authentication (integrating Single Sign On (SSO) services by supporting major SSO providers, HTTP BASIC authentication, OpenId authentication and other types).
For Spincloud I’m using OpenId for authentication and Channel Security to secure website pages.

To perform the upgrade you have to first grab the new jars. Here’s the Maven config:

	
		Springframework milestone
		http://maven.springframework.org/milestone
	
	
		3.0.0.M3
		3.0.0.M1
	
		
			org.springframework.security
			spring-security-core
			${spring-security.version}
			compile
		
		
			org.springframework.security
			spring-security-config
			${spring-security.version}
			compile
		
		
			org.springframework.security
			spring-security-openid
			${spring-security.version}
			compile
		
		
			org.springframework.security
			spring-security-taglibs
			${spring-security.version}
			compile
		
		
			org.springframework.security
			spring-security-web
			${spring-security.version}
			compile

Make sure your build process refers only to these jars.
in 3.0.0 M1, the package structure was changed. Here’s what I had to do to upgrade the packages:
Before

import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.context.SecurityContextImpl;
import org.springframework.security.providers.openid.OpenIDAuthenticationStatus;
import org.springframework.security.providers.openid.OpenIDAuthenticationToken;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;

After:

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.openid.OpenIDAuthenticationStatus;
import org.springframework.security.openid.OpenIDAuthenticationToken;

The security namespace has changed too so I updated my security XML file namespace and I had only to change the packages for standard Spring Security beans defined to match the new package structure.

Upgrading Spring from 3.0.0 M2 to M3
This should be easy. First, grab the new jars through Maven by using the same Maven config I described at the beginning of this post and change the spring.version to 3.0.0.M3. I’m planning to move more XML configuration to annotations and M3 enables more of that (@Lazy for instance). I’m still waiting for the scheduling namespace due to appear in this milestone but pushed to RC1 apparently. I’m craving for some annotation-based timer configuration too…

Build and deployment
At first, the build failed on me with the follwing error:

java.lang.NoClassDefFoundError: org/springframework/asm/ClassVisitor
	at org.springframework.context.support.AbstractRefreshableApplicationContext.customizeBeanFactory(AbstractRefreshableApplicationContext.java:205)
	at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:125)
	at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:419)

This is because M3 (finally) repackages asm. So I deleted the asm libraries I used to fix the M2 issues and added the repackaged Spring asm library:

		
			org.springframework
			org.springframework.asm
			${spring.version}

If you’re getting this error on container start-up:

SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/classes/applicationContext-security.xml]

means you have forgotten to add security-config jar (see the Maven config in the Security section).

That’s all. Done in 3 hours with no problems at all.

Tales From The Cloud » Spring Security

Upgrading to Spring 3.0.0.M3 and Spring Security 3.0.0.M1