TL;DR
Is there a way to mix Spring Web Security configuration with both annotations and xml?
Full Story
For our legacy spring web application we are looking into using annotation driven configuration for part of our web security.
Currently all our web security (<security:http>) is driven by xml based configuration. But we are adding a new login mechanism (SAML 2.0) that seems like it would be much easier to configure via annotations than xml.
We have been attempting to mix the use of annotations and xml, but it seems as though only one or the other works. Meaning that when any xml based web security is referenced, either via an xml (<import resource="classpath:web-security.xml"/> or via the @ImportResource annotation, the annotation based web security is ignored.
If we remove references to the xml based configuration our annotation configuration gets called.
Any friendly suggestions or advice is appreciated.
Mixing the Spring Web Security XML and annotation configurations would mean that that the same bean instance, viz., security:http is being configured via XML as well as JavaConfig. It would be configured with some intercept URL patterns using XML and some other Ant matchers using JavaConfig. But please note that intercept URL patterns are always evaluated in the order they are defined and also the matchers are considered in order. So, Spring Security only considers the XML configurations and ignores the JavaConfig ones as, if it considers both, it won't have any sense of order of URL definitions. I couldn't find any documentation that directly supports this theory. If you share the Spring Boot log statements that are produced when the application boots up, we may get a better view of what Spring Boot is doing.
So, I don't think that you can mix Spring Annotations with XML Configuration when configuring Spring Web Security and will advise to migrate legacy XML configurations to JavaConfig.