A Guide to Migrating Spring Security from 3.x.x to 5.x.x
I couldn't find any documentation online regarding this specific topic, so I decided to create an article in the hopes that it would be valuable to you all.
Spring Security is a powerful framework for securing your Spring-based applications. Over time, the framework evolves, bringing new features, enhancements, and security improvements. If you're using an older version of Spring Security, such as 3.x.x.RELEASE, it's essential to bring your project up to date with the latest security practices. In this guide, we'll walk you through migrating your Spring Security configuration to version 5.x.x.
Prerequisites
Before you begin, make sure you have the following prerequisites in place:
A Spring project (not Spring Boot) that uses Spring Security 3.x.x.
A basic understanding of Spring Security configuration and XML.
Maven or Gradle for managing project dependencies.
Step 1: Update pom.xml
The first step is to update your project's pom.xml file to use the latest Spring and Spring Security versions. Replace the existing versions with the following:
<dependencies>
    <!-- ... -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>5.X.X</version> <!-- Replace with the latest Spring version -->
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>5.x.x</version> <!-- Replace with the latest Spring Security version -->
    </dependency>
    <!-- ... -->
</dependencies>
Remember to update other dependencies as needed, ensuring they are compatible with Spring Security 5.x.x.
Step 2: Update spring-security.xml
Next, update your spring-security.xml configuration file to align with Spring Security 5.x.x. Make the following changes within the <http> element:
<http realm="Protected API"
      use-expressions="true"
      create-session="stateless"
      entry-point-ref="unauthorizedEntryPoint"
      authentication-manager-ref="yourAuthenticationManager">
    <!-- CSRF protection is enabled by default since Spring Security 4.
         Add this line to disable it; do so only for a stateless API
         that does not authenticate requests with cookies. -->
    <csrf disabled="true"/>
    <custom-filter ref="corsFilter" before="PRE_AUTH_FILTER"/>
    <!-- ... -->
</http>
Ensure that the <authentication-provider> configuration includes the password encoder:
<authentication-manager id="yourAuthenticationManager" erase-credentials="true">
    <authentication-provider user-service-ref="yourService">
        <password-encoder hash="bcrypt" />
    </authentication-provider>
</authentication-manager>
Step 3: Verify Dependencies
After updating your configuration, verify that your project's dependencies are correctly configured. Check the WEB-INF/lib directory in your deployed WAR file to ensure that only Spring and Spring Security version 5 and above JARs are present.
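One way to automate the WEB-INF/lib check from Step 3, as an added example that is not part of the original article: it flags Spring and Spring Security JARs below version 5 and artifacts bundled in more than one version. The function names, the (partial) module lists and the sample JAR file names are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Modules that follow the Spring Framework / Spring Security version lines
# (partial list, assumed for this example). Other spring-* projects such as
# spring-data version independently and are deliberately not tracked.
FRAMEWORK = {"core", "beans", "context", "context-support", "aop",
             "expression", "web", "webmvc", "jdbc", "tx", "orm"}
SECURITY = {"core", "web", "config", "taglibs", "crypto", "ldap", "acl"}
TRACKED = ({f"spring-{m}" for m in FRAMEWORK}
           | {f"spring-security-{m}" for m in SECURITY})
# e.g. WEB-INF/lib/spring-security-web-3.2.10.RELEASE.jar
JAR_RE = re.compile(r"^WEB-INF/lib/([a-z0-9-]+?)-(\d+(?:\.\d+)*)[^/]*\.jar$")


def audit_war(war, min_major=5):
    """Return (stale, duplicated): tracked jars below min_major, and
    tracked artifacts present in WEB-INF/lib in more than one version."""
    versions = {}
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR_RE.match(name)
            if m and m.group(1) in TRACKED:
                versions.setdefault(m.group(1), set()).add(m.group(2))
    stale = sorted((a, v) for a, vs in versions.items() for v in vs
                   if int(v.split(".")[0]) < min_major)
    duplicated = sorted(a for a, vs in versions.items() if len(vs) > 1)
    return stale, duplicated


def build_sample_war():
    """Constructed in-memory WAR with a leftover 3.x jar beside 5.x ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in ("spring-core-5.3.30.jar",
                    "spring-webmvc-5.3.30.jar",
                    "spring-security-core-5.8.8.jar",
                    "spring-security-web-3.2.10.RELEASE.jar",
                    "spring-security-web-5.8.8.jar",
                    "jackson-databind-2.9.10.jar"):
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(audit_war(build_sample_war()))
```

To check a real build, pass the path of the WAR file to audit_war instead of the constructed sample.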
If you are facing this error:
SEVERE: StandardWrapper.Throwable
org.springframework.beans.factory.UnsatisfiedDependencyException:
Error creating bean with name 'authenticationTokenProcessingFilter':
Unsatisfied dependency expressed through field 'yourService'; nested
exception is org.springframework.beans.factory.CannotLoadBeanClassException:
Cannot find class [org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter]
for bean with name 'org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter#0'
defined in ServletContext resource [/WEB-INF/mvc-dispatcher-servlet.xml];
nested exception is java.lang.ClassNotFoundException:
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter
If you see the error above, continue with Step 4.
Step 4: Update mvc-dispatcher-servlet.xml
If your project includes an mvc-dispatcher-servlet.xml file and uses the org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter class with Jackson, you'll need to make a change. Replace it with the org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter class.
Additionally, update the Jackson version in your pom.xml to use version 2.9.X.
Conclusion
By following these steps, you can successfully migrate your Spring Security configuration from version 3.x.x to version 5.x.x in a Spring project. Keeping your security framework up-to-date is crucial for ensuring the security of your application and taking advantage of the latest features and improvements.
Remember to thoroughly test your application after the migration to ensure everything works as expected. Additionally, refer to the official Spring Security documentation and release notes for any specific details or updates related to the versions you are migrating to.
Happy coding and enjoy the enhanced security features of Spring Security 5.x.x in your project!