SEC-2496: Provide documentation explaining how to migrate from XML configuration to JavaConfig configuration

[spring-projects-issues]

Gerrit Hübbers (Migrated from SEC-2496) said:

I am in the process of migrating my application' usage of Spring Security's XML configuration to JavaConfig configuration.

From my experience, this migration is not trivial, and therefore the Spring Security documentation could have an additional section explaining how to migrate. Questions at StackOverflow seem to support my hypothesis that there is missing documentation.

In my particular case, issues I ran into during migration include:

• with XML configuration, <remember-me .../> creates a RememberMeServices bean automatically. JavaConfig configuration requires explicit RememberMeServices and PersistentTokenRepository beans creation besides additional configuration inside configure(HttpSecurity http) with http.userDetailsService( userDetailsService() ).rememberMe().rememberMeServices( rememberMeServices() ).
• XML configuration automatically creates a RequestCache bean. JavaConfig configuration requires explicit RequestCache bean creation besides additional configuration inside configure(HttpSecurity http).
• Out-of-the-box, the XML configuration did not require to consider CSRF-related aspects. Out-of-the-box, JavaConfig configuration does require to consider CSRF-related aspects - e.g., when migrating, in order to have my application to work as before, in WebSecurityConfigurerAdapter.configure(HttpSecurity http), I had to explicitly disable CSRF with http.csrf().disable().
• The springSecurityFilterChain bean seems to be created in both XML configuration and JavaConfig configuration.

For a documentation migration section, my idea is to provide a full-fledged XML configuration example, then show a 1:1 corresponding JavaConfig configuration.

Additionally, the documentation could contain subsection for each available Spring Security XML namespace element, and then show the corresponding required JavaConfig-based configuration.

[spring-projects-issues]

Rob Winch said:

Thanks for the feedback abdull. I agree we need better documentation See SEC-2363 A few things that may help your points:

• Remember Me Java Configuration does not require the RememberMeServices bean to be defined. Please see the Remember Me Java Configuration sample application that demonstrates this. These samples are documented in the Java Configuration section of the reference. One difference is that the RememberMeServices is not exposed as a Bean (it is private scope)
• There is no need to create RequestCache explicitly, this is done for you automatically. However, RequestCache is not exposed as a Bean
• The differences in CSRF are documented in the Configure CSRF Protection section of the reference

There are currently tests that document the mapping of the XML namespace to the Java Configuration equivalent. They start with Namespace and end in Tests. For example see https://github.com/spring-projects/spring-security/blob/3.2.1.RELEASE/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.groovy These mappings should be in the documentation, but in the mean time it should help to know that they exist