I am studying for the Spring Core certification and I have some doubts about how to correctly configure Spring Security.
In the study material I found this information, which does not seem very clear to me.
It says that:
Configuration in the Application Context:
- Spring configuration
- Using Spring Security's "Security" namespace
and it shows the following example:

    <beans>
        <security:http>
            <security:intercept-url pattern="/accounts/**" access="IS_AUTHENTICATED_FULLY" />
            <security:form-login login-page="/login.htm"/>
            <security:logout logout-success-url="/index.html"/>
        </security:http>
    </beans>

Then in the following slide it says:
Configuration in web.xml:
Define the single proxy filter:
- springSecurityFilterChain is a mandatory name
- Refers to an existing Spring bean with same name
and shows this example:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

I can't understand whether, to configure Spring Security inside a Spring project, I have to use both of these configurations: the first one in the Spring configuration file (where I define my bean) and the second one in the web.xml file (which defines everything about your application that a server needs to know: servlets, filters, initialization parameters and so on), or whether these examples are two different alternatives for doing the same thing in two different ways.
If it is the second case, when do I have to use the first one and when do I have to use the second one?
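
An added example, not part of the original post or of Spring itself: a small Python check of how the two fragments relate, based on the slide's statement that the web.xml filter "refers to an existing Spring bean with same name". The function names, the `xmlns:security` declaration and the `<web-app>` root are assumptions added so the constructed sample parses.

```python
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
PROXY = "org.springframework.web.filter.DelegatingFilterProxy"
CHAIN_BEAN = "springSecurityFilterChain"  # the name the slides call mandatory

# Constructed input: the two fragments from the question; the xmlns:security
# declaration and the <web-app> root are added here so the XML parses.
CONTEXT_XML = f"""<beans xmlns:security="{SEC_NS}">
  <security:http>
    <security:intercept-url pattern="/accounts/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:form-login login-page="/login.htm"/>
    <security:logout logout-success-url="/index.html"/>
  </security:http>
</beans>"""
WEB_XML = f"""<web-app>
  <filter>
    <filter-name>{CHAIN_BEAN}</filter-name>
    <filter-class>{PROXY}</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>{CHAIN_BEAN}</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without any XML namespace

def child_text(el, name):
    return next(((c.text or "").strip() for c in el if local(c) == name), "")

def check_wiring(context_xml, web_xml):
    """Return a list of problems; empty means the two files fit together."""
    ctx, web = ET.fromstring(context_xml), ET.fromstring(web_xml)
    problems = []
    # <security:http> is the element that registers the CHAIN_BEAN bean.
    if not any(el.tag == f"{{{SEC_NS}}}http" for el in ctx.iter()):
        problems.append(f"context: no <security:http>, so no bean named {CHAIN_BEAN}")
    # DelegatingFilterProxy looks up a bean named after its <filter-name>.
    proxies = [child_text(f, "filter-name") for f in web.iter()
               if local(f) == "filter" and child_text(f, "filter-class") == PROXY]
    if CHAIN_BEAN not in proxies:
        problems.append(f"web.xml: no DelegatingFilterProxy named {CHAIN_BEAN}")
    mapped = [child_text(m, "url-pattern") for m in web.iter()
              if local(m) == "filter-mapping" and child_text(m, "filter-name") == CHAIN_BEAN]
    if not mapped:
        problems.append(f"web.xml: {CHAIN_BEAN} is not mapped to any URL pattern")
    return problems
```

Calling `check_wiring(CONTEXT_XML, WEB_XML)` returns an empty list for the pair shown in the slides; renaming the filter or dropping `<security:http>` produces one message per missing link.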