SEC-1253: Decouple spring-security-config module from spring-security-web #1503

Closed
spring-issuemaster opened this Issue Sep 29, 2009 · 7 comments

1 participant

@spring-issuemaster

Mike Youngstrom (Migrated from SEC-1253) said:

It would be nice to be able to use spring-security-config NamespaceHandlers without having to include the spring-security-web module in the project.

I shouldn't need to include the bloat of -web and it's transitive dependencies if my project is headless and I want to use -config.

One way this could potentially done by checking to see if a dependent spring-security-web class is in the classpath and only load the Parser if it is. In my cursory search the only problematic parsers appear to be:

FilterInvocationSecurityMetadataSourceBeanDefinitionParser
HttpSecurityBeanDefinitionParser
FilterChainMapBeanDefinitionDecorator

But there may be more.

@spring-issuemaster

Mike Youngstrom said:

Perhaps with this change spring-security-web can also be made "optional" in the -config pom.

@spring-issuemaster

Mike Youngstrom said:

Here is a patch to fix this problem. This patch takes the approach of only loading the parsers that have direct dependence on web classes if UrlMatcher is in the classpath since the only reason these parsers won't load without the -web module is because of the UrlMatcher classes. I converted the other class dependencies to string classname BeanDefinitions.

The other way to fix this is to move the UrlMatcher suite of classes into -core since those are the only problem classes left now.

PLEASE fix this for 3.0. It is really ugly to have to include the -web module and its dependencies into my headless projects just so that I can use the NamespaceHandler.

Thanks,
Mike

@spring-issuemaster

Luke Taylor said:

I've added a check for a web module class before attempting to load the web bean parsers. That seems to be working without any additional modifications (I've added namespace use to the dms sample, which doesn't have a web part, and that is now running OK). Can you try it out please?

@spring-issuemaster

Mike Youngstrom said:

Looks good. However, do you think we can make spring-web optional in spring-security-config also?

Thanks,
Mike

@spring-issuemaster

Mike Youngstrom said:

You did spring-security-web and that's good. I was wondering about spring-web.

Mike

@spring-issuemaster

Luke Taylor said:

Doh. Yes. That makes sense. I made the change (committed under another issue by mistake).

@spring-issuemaster spring-issuemaster added this to the 3.0.0.RC2 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment