Modifying the sample "spring-boot-sample-actuator" by adding an XML security context file (securityContext.xml) to its configuration:
/**
 * Entry point of the modified actuator sample used to reproduce the problem.
 *
 * <p>In addition to Boot's auto-configuration, the context loads the Spring Security
 * namespace configuration from {@code securityContext.xml} on the classpath.
 *
 * <p>NOTE(review): per the stack trace in this report, the AccessDecisionManager that
 * the XML creates is also picked up by {@code CrshAutoConfiguration} for remote-shell
 * (SSH) logins, so rules written for web requests end up in the shell's
 * authentication path.
 */
@Configuration
@ComponentScan
@EnableAutoConfiguration
@EnableConfigurationProperties
@ImportResource({ "classpath:securityContext.xml" })
public class SampleActuatorApplication {

    /**
     * Starts the Spring Boot application context for this sample.
     *
     * @param args command-line arguments, handed through to Spring Boot unchanged
     * @throws Exception declared by the sample's signature
     */
    public static void main(String[] args) throws Exception {
        SpringApplication.run(SampleActuatorApplication.class, args);
    }

}
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security namespace configuration imported by SampleActuatorApplication
     (classpath:securityContext.xml). Reproduction config only. -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Disabled variant: a stateless HTTP Basic filter chain limited to /api/**.
     The report states that enabling it next to the form-login chain below stops
     the application from starting (two AccessDecisionManager beans are found). -->
<!--security:http authentication-manager-ref="authenticationManager" use-expressions="true" pattern="/api/**" create-session="stateless">
<security:intercept-url pattern='/**' access="hasRole('admin')" />
<security:http-basic />
</security:http-->
<!-- Form-login filter chain for the whole application. use-expressions="true"
     makes the access attributes SpEL expressions; the stack trace in the report
     shows the resulting voter (WebExpressionVoter) expects a web FilterInvocation. -->
<security:http authentication-manager-ref="authenticationManager" use-expressions="true" realm="Protected API" >
<!-- The login page is open to everyone so unauthenticated users can reach it;
     it is listed before the catch-all rule so that it is matched first. -->
<security:intercept-url pattern="/html/login.html" access="permitAll" />
<!-- Everything else requires the 'admin' authority. -->
<security:intercept-url pattern="/**" access="hasRole('admin')" />
<security:form-login login-page="/html/login.html"/>
<security:logout logout-url="/logout" logout-success-url="/html/login.html?logout_successful=1" />
</security:http>
<!-- Authentication manager referenced by the http element(s) above. -->
<security:authentication-manager id="authenticationManager">
<security:authentication-provider>
<!-- In-memory users with plaintext passwords equal to the user names and no
     password encoder configured: acceptable for a local reproduction only.
     NOTE(review): per the report these accounts are also what the SSH remote
     shell on port 2000 is tried with, so they must not reach a deployed system. -->
<security:user-service>
<security:user name="admin" password="admin" authorities="admin,user" />
<security:user name="root" password="root" authorities="admin,user,reports" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
This throws the following exception when connecting to the remote shell with ssh -p 2000 root@localhost:
java.lang.ClassCastException: org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration$AuthenticationManagerAdapter cannot be cast to org.springframework.security.web.FilterInvocation
at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:18)
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)
at org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration$AuthenticationManagerAdapter.authenticate(CrshAutoConfiguration.java:303)
at org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration$AuthenticationManagerAdapter.authenticate(CrshAutoConfiguration.java:271)
at org.crsh.ssh.term.SSHLifeCycle.genericAuthenticate(SSHLifeCycle.java:215)
at org.crsh.ssh.term.SSHLifeCycle.access$000(SSHLifeCycle.java:44)
at org.crsh.ssh.term.SSHLifeCycle$1.authenticate(SSHLifeCycle.java:162)
at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.checkPassword(UserAuthKeyboardInteractive.java:75)
at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.doAuth(UserAuthKeyboardInteractive.java:68)
at org.apache.sshd.server.auth.AbstractUserAuth.next(AbstractUserAuth.java:53)
at org.apache.sshd.server.session.ServerUserAuthService.process(ServerUserAuthService.java:160)
at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:399)
at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:295)
at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:720)
at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:277)
at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)
at org.apache.sshd.common.io.nio2.Nio2Session$1.completed(Nio2Session.java:188)
at org.apache.sshd.common.io.nio2.Nio2Session$1.completed(Nio2Session.java:174)
at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
at sun.nio.ch.Invoker$2.run(Invoker.java:218)
at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Trying to add a second http element:
<!-- Additional stateless HTTP Basic chain, limited to /api/** by the pattern on the
     http element; inside that chain every request requires the 'admin' authority.
     NOTE(review): the startup error quoted in the report lists AffirmativeBased#0
     and AffirmativeBased#1, which suggests each http element contributes its own
     AccessDecisionManager bean; confirm against the Spring Security version in use. -->
<security:http authentication-manager-ref="authenticationManager" use-expressions="true" pattern="/api/**" create-session="stateless">
<security:intercept-url pattern='/**' access="hasRole('admin')" />
<security:http-basic />
</security:http>
prevents the app from starting at all, failing with:
Caused by: org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type [org.springframework.security.access.AccessDecisionManager] is defined: expected single matching bean but found 2: org.springframework.security.access.vote.AffirmativeBased#0,org.springframework.security.access.vote.AffirmativeBased#1