Spring 3.1 - Deprecated warnings in XML configuration file

  • Spring 3.1 - Deprecated warnings in XML configuration file

    Hi all,

    I am trying to migrate Spring Security in a Web application from 3.0.7 to 3.1.
    Everything is fine; however, in STS 2.8.1 I receive a bunch of warnings in the Security XML configuration file.

    These are the warnings:
    • Method 'setAuthenticationEntryPoint' is marked deprecated
    • Method 'setAuthenticationManager' is marked deprecated
    • Method 'setKey' is marked deprecated
    • Method 'setLoginFormUrl' is marked deprecated
    • Method 'setRequestCache' is marked deprecated
    • Method 'setSecurityContextRepository' is marked deprecated
    • Method 'setSessionAuthenticationStrategy' is marked deprecated
    • Method 'setUserAttribute' is marked deprecated

    Here is the file:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="" xmlns:beans="">
    	<beans:bean class="" />
    	<global-method-security secured-annotations="enabled" />
    	<http auto-config="true" access-denied-page="/accessDenied">
    		<form-login login-page="/login" default-target-url="/log/viewLogs" authentication-failure-url="/login?login_error=1" />
    		<logout logout-success-url="/logout" />
    		<session-management invalid-session-url="/login">
    			<concurrency-control max-sessions="1" expired-url="/sessionTimeout" error-if-maximum-exceeded="true" />
    		</session-management>
    		<http-basic />
    		<anonymous enabled="true" granted-authority="ROLE_ANONYMOUS" username="Anonymous_User" />
    		<intercept-url pattern="/log/**" access="ROLE_USER,ROLE_ADMIN" />
    	</http>
    </beans:beans>

    Any idea what I am missing in the configuration or what I did wrong? The warnings were not there in Spring Security 3.0.7.

    Thanks a lot.

  • #2
    Same problem for me... does anyone have an explanation?!


    • #3
      I've come across the same issue. From looking at the Spring Security 3.1 documentation it seems like some additional configuration is necessary to get the warnings to go away.

      I was looking at section B2 in the appendix and it says:

      Before Spring Security 3.0, an AuthenticationManager was automatically registered internally. Now you must register one explicitly using the <authentication-manager> element. This creates an instance of Spring Security's ProviderManager class, which needs to be configured with a list of one or more AuthenticationProvider instances. These can either be created using syntax elements provided by the namespace, or they can be standard bean definitions, marked for addition to the list using the authentication-provider element.
      Unfortunately I am still a novice with Spring Security, so I still need to figure out how to do this, but I suspect this is the case for all of the warning messages. It seems to be a matter of adding in the additional configuration needed.


      • #4
        So I've been digging around the source code & documentation trying to figure out how to get the warnings to disappear. From what I've seen so far, it looks like a bug to me. The syntax in the documentation makes it seem like the XML should be correct and contradicts what the warning messages are saying. I can't get the warning messages to go away even if I follow the documentation correctly. It looks like the deprecated methods in the source code are still setting the values correctly, but say to use the constructor injection instead. The 'http' XML tag doesn't allow you to inject the values the warning messages say it is looking for.


        • #5
          Same problems as everyone else

          I've tried just about every combination of things to get rid of those warnings, and they won't go away. They are the only warnings in my entire project, so it's quite frustrating. Here's what I get. My security.xml looks like this (using security 3.1 xsd):

          <sec:http auto-config="true" use-expressions="true">
              <sec:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
              <sec:logout logout-url="/resources/j_spring_security_logout" />
              <sec:intercept-url pattern="/favicon.ico" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
              <sec:intercept-url pattern="/join/**" access="isAuthenticated()"/>
              <sec:intercept-url pattern="/sampleflow/**" access="hasRole('ROLE_ADMIN')" />
              <sec:intercept-url pattern="/imp/**" access="hasRole('ROLE_IMPAIRMASTER')" />
              <sec:intercept-url pattern="/resources/**" access="permitAll" />
              <sec:intercept-url pattern="/**" access="permitAll" />
          </sec:http>

          <sec:ldap-server id="contextSource"

          <sec:authentication-provider user-service-ref="localUsers"/>

          <sec:user-service id="localUsers">
              <sec:user name="admin" password="passw0rd" authorities="ROLE_ADMIN, ROLE_IMPAIRMASTER"/>
          </sec:user-service>

          <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate" >
              <constructor-arg ref="contextSource" />
          </bean>

          And here are the warnings I get:

          Method 'setAuthenticationEntryPoint' is marked deprecated
          Method 'setAuthenticationManager' is marked deprecated
          Method 'setKey' is marked deprecated
          Method 'setLoginFormUrl' is marked deprecated
          Method 'setRequestCache' is marked deprecated
          Method 'setSecurityContextRepository' is marked deprecated
          Method 'setSessionAuthenticationStrategy' is marked deprecated
          Method 'setUserAttribute' is marked deprecated
          Referenced bean 'contextSource' not found
          Referenced bean ' e' not found
          Referenced bean ' e' not found


          • #6
            I just came across this as well. It sure seems like the http element is using the deprecated methods behind the scenes. Is there a way around it, or is it something that will be tidied up in the next release?



            • #7
              I logged SEC-1909 which you might consider voting on (voting helps to prioritize things)
              Last edited by Rob Winch; Feb 6th, 2012, 08:47 AM. Reason: Displayed wrong JIRA


              • #8
                I had the same with Spring Security 3.1.1, but just upgraded to spring-security 3.1.3 and the warnings are gone.


                • #9
                  I upgraded to:

                  Spring 3.1.1.RELEASE
                  Spring Security 3.1.3.RELEASE
                  Spring Security OAuth 1.0.0.RELEASE

                  and I still receive the deprecated warnings. Why could that be?


                  • #10
                    Are you certain you have spring-security-config-3.1.3.RELEASE on your classpath (i.e. check your transitive dependencies aren't bringing in an older version)? What causes the deprecation messages? If it is Spring Security OAuth, then this is something that needs to be updated in the OAuth libraries. If none of this helps, please post the code (using code tags), the message, and where the message appears.
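
                    The classpath check suggested in #10, as an added example (not code from the thread or from Spring Security): it parses `mvn dependency:tree` output and lists Spring Security modules resolved at a version other than the expected one. The sample tree and the `org.example.legacy:legacy-auth` dependency are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `mvn dependency:tree` output (not taken from the thread).
# A hypothetical legacy library drags in an old spring-security-config.
SAMPLE_TREE = r"""
[INFO] com.example:webapp:war:1.0-SNAPSHOT
[INFO] +- org.springframework.security:spring-security-web:jar:3.1.3.RELEASE:compile
[INFO] |  \- org.springframework.security:spring-security-core:jar:3.1.3.RELEASE:compile
[INFO] +- org.example.legacy:legacy-auth:jar:2.4:compile
[INFO] |  \- org.springframework.security:spring-security-config:jar:3.0.7.RELEASE:compile
[INFO] \- org.springframework.security.oauth:spring-security-oauth:jar:1.0.0.RELEASE:compile
"""

# groupId:artifactId:type[:classifier]:version:scope, restricted to the core
# Spring Security groupId. The OAuth project has its own groupId and its own
# release numbering, so it is deliberately not matched.
COORD = re.compile(
    r"(?<![\w.])org\.springframework\.security:(?P<artifact>[\w.-]+):"
    r"(?P<type>[\w-]+):(?:[^:\s]+:)?(?P<version>[^:\s]+):"
    r"(?P<scope>compile|runtime|provided|test|system)\b"
)


def security_versions(tree_text):
    """Map each resolved version to the Spring Security artifacts using it."""
    by_version = defaultdict(set)
    for line in tree_text.splitlines():
        match = COORD.search(line)
        if match:
            by_version[match.group("version")].add(match.group("artifact"))
    return dict(by_version)


def mismatched_artifacts(tree_text, expected):
    """Return sorted (artifact, version) pairs not at the expected version."""
    return sorted(
        (artifact, version)
        for version, artifacts in security_versions(tree_text).items()
        if version != expected
        for artifact in artifacts
    )


if __name__ == "__main__":
    for artifact, version in mismatched_artifacts(SAMPLE_TREE, "3.1.3.RELEASE"):
        print(f"{artifact} resolved at {version}, expected 3.1.3.RELEASE")
```

                    To use it on a real project, save the output of `mvn dependency:tree` to a file and pass its contents in place of `SAMPLE_TREE`.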


                    • #11
                      Yes, viewing the Dependency Hierarchy of my pom.xml in STS verifies that config-3.1.3.RELEASE is on my classpath (Attachment).

                      The following code results in two deprecation messages:
                      (1) Referenced bean ' e' not found
                      (2) Multiple annotations found at this line:
                      - Referenced bean ' e' not found
                      - Method 'setRolePrefix' is marked deprecated

                      (1)    <authentication-manager xmlns="">
                                 <ldap-authentication-provider user-search-base="cn=users"
                      (2)                                      role-prefix="none"/>
                             </authentication-manager>


                      • #12
                        The first issue was already logged as SEC-2021. I created a JIRA for the second issue. Note that, while annoying, the deprecations are harmless since the Namespace support will be updated before the deprecations are removed.


                        • #13
                          Got it, thanks.