Here is the problem.
I have spring 3.0.5, using its new DATA JPA repository module (interfaces extending
CrudRepository<T, ID extends Serializable>).
I have Apache Shiro 1.1.0 as a security solution for my app. Apache shiro is configured
in the spring bean defintion xml file as follows:
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->
<!-- the lifecycleBeanProcessor has run: -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
<!-- Define the realm you want to use to connect to your back-end security datasource: -->
<bean id="securityDAORealm" class="com.bilto.archiweb.security.SecurityDAORealm" />
<bean id="securityManager" class="org.apache.shiro.mgt.DefaultSecurityManager">
<!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
<property name="realm" ref="securityDAORealm"/>
</bean>
<!-- For simplest integration, so that all SecurityUtils.* methods work in all cases, -->
<!-- make the securityManager bean a static singleton. DO NOT do this in web -->
<!-- applications - see the 'Web Applications' section below instead. -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
<property name="arguments" ref="securityManager"/>
</bean>
Please note that my app is a standalone application and this Apachoe Shiro configuration reflects it.
Configuration for spring jpa repositories as well as standard spring configurations (annotations scanning) is configured in others files, they do not seem to be relevant for this problem, so i will skip printing them.
My SecurityDAORealm class is autowiring CredentialsRepository as its jpa repository controller interface (CredentialsRepository extends CrudRepository<T, ID extends Serializable>) that serves for accessing the database where credentials are stored.
@Component
public class SecurityDAORealm extends AuthorizingRealm {
@Autowired
CredentialRepository credentialRepository;
...
}
Now for the problem.
When Apache Shiro annotation scanning is configured, the autowired bean of type CredentialsRepository is not found and thus not wired. When annotation scanning is turned off CredentialsRepository variable is autowired and all works properly.
The part that anables Apache Shiro annotation processing is this
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->
<!-- the lifecycleBeanProcessor has run: -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
By commenting out its central peace
<!-- <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/> -->
Annotations are turned off, uncommenting it will switch them on again.
As a test I tried to auto-wire a simple pojo instead of my CredentialsRepository, this works well in both cases (annotations on/off).
I do not see much into spring internals. What might be happening here is that the CredentialsRepository variable is not getting auto-wired as Spring does not get a chance to create its appropriate implementation (SimpleJpaRepository) on its backend.
The workaround exist here simply by auto-wiring some “full class” JPA controller instead of a spring managed interface implementation.
However I am curious whether this is a bug that need to be fixed or whether some additional spring magic exist here that could make it work also with spring data interfaces.
I came accross the same issue.
My workaround is to make the securityManager depend on the Repository which needs to be injected. Thus, in your case: