I was upgrading my application from Spring 2.5.6 + Spring Security 2.0.x to the latest 3.0 RC releases. After modifying my Maven pom.xml files to accomodate for the new artifact naming conventions, I still couldn’t get my application context to load due to a SAX exception:
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 37 in XML document from class path resource [security-config.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'security:authentication-provider'.
I found myself spending almost an hour trying to figure out what’s wrong with my configuration file. Was I missing a JAR file? no, everything seems to be in its right place (you WILL want to make sure that you’re including spring-security-config.jar, though!), Eclipse didn’t detect anything wrong with the config file. In my despair, I turned to Security Namespace Configuration chapter of the Spring Security 3 reference manual. There I noticed the following paragraph:
<authentication-manager> <authentication-provider> <user-service> <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" /> <user name="bob" password="bobspassword" authorities="ROLE_USER" /> </user-service> </authentication-provider> </authentication-manager>
Turning to my own configuration file, I saw this:
<security:authentication-provider user-service-ref="userService"> <security:password-encoder ref="passwordEncoder"> <security:salt-source user-property="username"/> </security:password-encoder> </security:authentication-provider> <security:authentication-manager alias="authenticationManager"/>
Apparently, while in Spring Security 2.x the authentication-provider tag used to be a root-level citizen, now it must live inside the authentication-manager definition.
I hope this will save some other folks some time when migrating to the 3.x Spring stack.