Upgrading to Spring 3.0.0.M3 and Spring Security 3.0.0.M1

A short two months back I posted an article describing how to upgrade to Spring 3.0 M2. Spring folks are releasing at breakneck speed and so I got busy again upgrading spincloud.com to Spring 3.0 M3 released at the beginning of May. Just yesterday (June 3rd) the team released Spring Security 3.0 M1 and I decided to roll this in Spincloud as well.

Upgrading Spring Security from 2.0.4 to 3.0.0 M1
For Spring Security 3.0.0 M1 I’m doing a “soft” upgrade since I had done my homework when I migrated from Acegi. I won’t use any of the new 3.0 features, just getting ready to use them.

To digress a bit, Spring Security a technology that is harder to swallow due to its breadth. To simplify the picture, Spring Security (former Acegi) provides three major security concerns to enterprise applications:
– Authorization of method execution (either through standard JSR-250 JEE security annotations or via specific annotation-based method security).
– HTTP Request authorization (mapping URLs to accessible roles using Ant style or regexp’ed paths, dubbed channel security).
– Website authentication (integrating Single Sign On (SSO) services by supporting major SSO providers, HTTP BASIC authentication, OpenId authentication and other types).
For Spincloud I’m using OpenId for authentication and Channel Security to secure website pages.

To perform the upgrade you have to first grab the new jars. Here’s the Maven config:

	<repository>
		<id>Springframework milestone</id>
		<url>http://maven.springframework.org/milestone</url>
	</repository>
	<properties>
		<spring.version>3.0.0.M3</spring.version>
		<spring-security.version>3.0.0.M1</spring-security.version>
	</properties>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-core</artifactId>
			<version>${spring-security.version}</version>
			<scope>compile</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${spring-security.version}</version>
			<scope>compile</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-openid</artifactId>
			<version>${spring-security.version}</version>
			<scope>compile</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-taglibs</artifactId>
			<version>${spring-security.version}</version>
			<scope>compile</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${spring-security.version}</version>
			<scope>compile</scope>
		</dependency>

Make sure your build process refers only to these jars.
in 3.0.0 M1, the package structure was changed. Here’s what I had to do to upgrade the packages:
Before

import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.context.SecurityContextImpl;
import org.springframework.security.providers.openid.OpenIDAuthenticationStatus;
import org.springframework.security.providers.openid.OpenIDAuthenticationToken;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;

After:

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.openid.OpenIDAuthenticationStatus;
import org.springframework.security.openid.OpenIDAuthenticationToken;

The security namespace has changed too so I updated my security XML file namespace and I had only to change the packages for standard Spring Security beans defined to match the new package structure.

Upgrading Spring from 3.0.0 M2 to M3
This should be easy. First, grab the new jars through Maven by using the same Maven config I described at the beginning of this post and change the spring.version to 3.0.0.M3. I’m planning to move more XML configuration to annotations and M3 enables more of that (@Lazy for instance). I’m still waiting for the scheduling namespace due to appear in this milestone but pushed to RC1 apparently. I’m craving for some annotation-based timer configuration too…

Build and deployment
At first, the build failed on me with the follwing error:

java.lang.NoClassDefFoundError: org/springframework/asm/ClassVisitor
	at org.springframework.context.support.AbstractRefreshableApplicationContext.customizeBeanFactory(AbstractRefreshableApplicationContext.java:205)
	at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:125)
	at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:419)

This is because M3 (finally) repackages asm. So I deleted the asm libraries I used to fix the M2 issues and added the repackaged Spring asm library:

		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>org.springframework.asm</artifactId>
			<version>${spring.version}</version>
		</dependency>

If you’re getting this error on container start-up:

SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/classes/applicationContext-security.xml]

means you have forgotten to add security-config jar (see the Maven config in the Security section).

That’s all. Done in 3 hours with no problems at all.

  • Kannan

    Hi,

    I am Using SpringBlazeDS integration with Spring 3.0.0.M3 and today i tried to upgrade the security from 2.0.4 to 3.0.0 M1, I was able to identify the difference in packages and made those changes, but when i start the error I still get an error

    SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from ServletContext resource [/WEB-INF/config/web-application-config.xml]; nested exception is java.lang.NoClassDefFoundError: org/springframework/security/ConfigAttributeDefinition

    Please help

  • Viraf Karai

    Thank you for this blog article. I was stuck with a sample Maven project that was unable to find the Maven repository. I added the Maven repository that you mentioned above and bam – everything worked like it should have. I’m hoping that Spring 3.0 moves to production soon and am very anxious to use it. At work, we’re building two new products on this platform.

  • Rainer Podlas

    Many thanks for the hint on the missing ‘spring-security-config’ dependency. I overlooked this in the reference manual (to be used if using ‘Spring Security XML namespaces’.
    Kind regards,
    Rainer

  • http://intivism.com/blog Omri

    An updated dependency file for spring 3.0 release version:

    jboss
    http://repository.jboss.com/maven2/

    org.springframework
    spring-core
    ${org.springframework.version}

    org.springframework
    spring-expression
    ${org.springframework.version}

    org.springframework
    spring-beans
    ${org.springframework.version}

    org.springframework
    spring-aop
    ${org.springframework.version}

    org.springframework
    spring-context
    ${org.springframework.version}

    org.springframework
    spring-tx
    ${org.springframework.version}

    org.springframework
    spring-jdbc
    ${org.springframework.version}

    org.springframework
    spring-orm
    ${org.springframework.version}

    org.springframework
    spring-oxm
    ${org.springframework.version}

    org.springframework
    spring-context-support
    ${org.springframework.version}

    org.springframework
    spring-web
    ${org.springframework.version}

    org.springframework
    spring-webmvc
    ${org.springframework.version}

    org.springframework
    spring-webmvc-portlet
    ${org.springframework.version}

    org.springframework
    spring-test
    ${org.springframework.version}
    test

    javax.validation
    validation-api
    1.0.0.GA

    junit
    junit
    4.7

    org.hibernate
    hibernate-validator
    4.0.2.GA

    org.slf4j
    slf4j-api
    1.5.6

    org.slf4j
    slf4j-log4j12
    1.5.6

    log4j
    log4j
    1.2.15

    3.0.0.RELEASE

  • http://intivism.com/blog Omri

    Sorry that came out bad, here’s a link

  • http://javasight.wordpress.com Franklin

    Worked like a charm. Was struggling with Spring Security 3. I really dont understand why such as structural change in packaging was necessary.

    Thanks a lot.

  • http://www.dobox.com/ Bruce

    Hi,

    I am Using SpringBlazeDS integration with Spring 3.0.0.M3 and today i tried to upgrade the security from 2.0.4 to 3.0.0 M1, I was able to identify the difference in packages and made those changes, but when i start the error I still get an error

    SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from ServletContext resource [/WEB-INF/config/web-application-config.xml]; nested exception is java.lang.NoClassDefFoundError: org/springframework/security/ConfigAttributeDefinition

    Please help

  • http://newsplore.com Florin

    Try to use Spring Framework 3.0.2 along with Security 3.0.2, both have been released recently.

  • Ayhan Tek

    Bruce,
    ConfigAttributeDefinition has been removed. Instead use a collection like List

  • http://luxurymaster.blogspot.com LuxuryMaster

    I have been having Unable to locate Spring NamespaceHandler for XML schema namespace issue with spring 3 security and your post saved me a lot of time! Thank you very much – very nice blog!

  • Adrian Pirvulescu

    Great post! thanks!