Getting exceptions after upgrade from Spring security 3 to Spring security 4?

Question

I used Spring security 3 with no problems. After upgrading to 4 problems.

So far I changed version numbers from build.gradle, all xml config files and deleted gradle's cache and downloaded everything again.

According to this doc Changed security http element from this:

<security:http auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint"
        access-denied-page="/#/not-authorized">

To this:

<security:http auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:access-denied-handler error-page="/#/not-authorized"/>

</security:http>

Now if I run my spring web app I get this exception:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#1': 
Cannot create inner bean '(inner bean)#40a99380' of type [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter] 
while setting constructor argument with key [7]; nested exception is org.springframework.beans.factory.BeanCreationException: 
Error creating bean with name '(inner bean)#40a99380': Cannot resolve reference to bean 'authenticationEntryPoint' while setting bean property 'authenticationEntryPoint'; 
nested exception is org.springframework.beans.factory.BeanCreationException: 
Error creating bean with name 'authenticationEntryPoint' defined in class path resource [META-INF/spring/rest-security.xml]: Instantiation of bean failed; 
nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint]: 
No default constructor found; nested exception is java.lang.NoSuchMethodException: org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.<init>()
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:129)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:382)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:157)
    at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:634)
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:140)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1143)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1046)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:510)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:305)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:301)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:196)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)

Why am I getting this exception and how to solve it?

----------- edit 1 ------------

applicationContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd">

    <context:property-placeholder location="classpath:*.properties" ignore-unresolvable="true" order="0"/>

    <context:annotation-config />

    <import resource="rest-common.xml" />
    <import resource="rest-security.xml" />
    <import resource="rest-servlet.xml" />
    <import resource="rest-mongodb.xml" />

</beans>

rest-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd">
                                                                                        <!-- spring-security 3.2 -> 4.0  -->
    <security:http pattern="/rest/**" auto-config="false" use-expressions="true" entry-point-ref="response403EntryPoint"/>

    <security:http auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:access-denied-handler error-page="/#/not-authorized"/>
        <security:logout logout-url="/logout" invalidate-session="true" logout-success-url="/" />
        <security:custom-filter ref="jsonAuthenticationProcessingFilter" position="FORM_LOGIN_FILTER" />
    </security:http>

    <bean id="customAuthenticationManager" class="com.myal.security.CustomAuthenticationManager" p:username="admin"
        p:password="admin" />

    <bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
        p:defaultFailureUrl="/rest/security/login-failed" />

    <bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
        p:defaultTargetUrl="/rest/security/check" />

    <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
        p:loginFormUrl="/#/login" />

    <bean id="response403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <bean id="jsonAuthenticationProcessingFilter" class="com.myal.security.JsonAuthenticationProcessingFilter"
        p:authenticationManager-ref="customAuthenticationManager" p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
        p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />

    <security:authentication-manager />
</beans>

rest-servlet.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:security="http://www.springframework.org/schema/security"
    xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd">
                                                                                        <!-- spring-security 3.2 -> 4.0  -->
    <!-- Has to be defined in same context where beans are scanned -->
    <security:global-method-security secured-annotations="enabled"
        authentication-manager-ref="customAuthenticationManager" />

    <context:property-placeholder location="classpath:*.properties" ignore-unresolvable="true"
        order="1" />

    <mvc:annotation-driven />

    <mvc:resources mapping="/scripts/**" location="/scripts/" cache-period="300" />
    <mvc:resources mapping="/styles/**" location="/styles/" cache-period="300" />
    <mvc:resources mapping="/partials/**" location="/partials/" cache-period="300" />
    <mvc:resources mapping="/images/**" location="/images/" cache-period="300" />
    <mvc:resources mapping="/assets/**" location="/assets/" cache-period="300" />

    <bean id="jacksonMessageConverter" class="org.springframework.web.servlet.view.json.MappingJackson2JsonView"></bean>
    <bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver" />

    <!-- init -->
    <context:component-scan base-package="com.myal.repository" />
    <context:component-scan base-package="com.myal.rest" />

</beans>

Answer 1

Have a look at Migrating from Spring Security 3.x to 4.x (XML Configuration) chapter 4.7.5. LoginUrlAuthenticationEntryPoint

The LoginUrlAuthenticationEntryPoint default constructor and the setLoginFormUrl method was removed in favor of constructor injection. For example:

LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint(); entryPoint.setLoginFormUrl("/login");

should be replaced with

LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint(loginFormUrl);

According to this replace

<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
    p:loginFormUrl="/#/login" />

with

<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <constructor-arg value="/#/login" />
</bean>

BTW: I strongly recommend that you read the complete Migrating from Spring Security 3.x to 4.x (XML Configuration) guide