Summary
Is there any plan to add a way to configure OAuth2Login with the XML namespace? I think there are some projects still using XML configuration for security settings. If we could define the beans related to OAuth2Login just by setting up ClientRegistration with XML, it would be very useful.
Related #5184
Comment From: jgrandja
@tiwatsuka We haven't decided whether to add XML namespace support. It definitely won't make it into 5.0 GA. We may consider it in a subsequent release.
Comment From: tiwatsuka
@jgrandja I see. I'll expect that it is finally added. Thank you for your consideration.
Comment From: jgrandja
@tiwatsuka Just to confirm, we will be adding XML namespace support. We'll do our best to get this in 5.1.
Comment From: pthorson
So 5.2 then or not at all? I have a large existing Spring MVC project with XML configuration that I need to add OAuth to today. Can I mix the namespace and Java config?
Comment From: jgrandja
@pthorson This won't get into 5.2. Unless you'd be interested in submitting a PR? There are other higher priority items at the moment and there hasn't been much demand to add this support as of yet.
That being said, you should be able to mix namespace and Java config - see Importing XML Configuration
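The mixed setup mentioned in the comment above, as an added example that is not part of the original thread or of the Spring Security project's code: existing XML beans are imported while OAuth 2.0 login is declared through the Spring Security 5.x Java DSL. The class name, `legacy-beans.xml`, the property names, and the assumption that the XML file no longer declares its own `<http>` element are all hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ImportResource;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;

// Hypothetical configuration class for an application that is otherwise XML-configured.
@EnableWebSecurity
// Assumption: legacy-beans.xml holds the remaining XML beans and has no <http> element,
// so that only this class defines the security filter chain.
@ImportResource("classpath:legacy-beans.xml")
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated() // every request requires a logged-in user
                .and()
            .oauth2Login();                   // Java counterpart of the requested XML element
    }

    // oauth2Login() looks up a ClientRegistrationRepository bean from the context.
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository(Environment env) {
        // Hypothetical property names, resolved from the Spring Environment
        // (system properties or environment variables) so the client secret
        // is not committed with the configuration.
        // getRequiredProperty throws IllegalStateException at startup if a value is missing.
        ClientRegistration google = CommonOAuth2Provider.GOOGLE.getBuilder("google")
                .clientId(env.getRequiredProperty("oauth2.google.client-id"))
                .clientSecret(env.getRequiredProperty("oauth2.google.client-secret"))
                .build();
        return new InMemoryClientRegistrationRepository(google);
    }
}
```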
Comment From: pthorson
Understood. Not sure of appetite here for a PR. That being said, is OAuth 2.0 and Open ID Connect possible now without Spring Boot being used? Based on the matrix it looks like Spring Boot 1.5x was previously required.
Comment From: rwinch
@pthorson The new support does not require Spring Boot (however, it is certainly easier to use with it)
Comment From: bendem
Hi, I'd like to request once again that feature. I just had to migrate our xml config for security to java config because there was no equivalent to org.springframework.security.config.annotation.web.builders.HttpSecurity#oauth2Login in xml. The Java config is less clear and more error prone. It's really annoying that there is no parity between the capabilities of org.springframework.security.config.annotation.web.builders.HttpSecurity and the spring-security xml namespace.
Comment From: jgrandja
@bendem Unfortunately, this support won't be added in the upcoming 5.2 release. There are other higher priority items that we're targeting for 5.2. As an FYI, we prioritize tasks based on user demand and given that there are only 2 upvotes on this issue there isn't much demand for it. This doesn't mean we won't add the support though, it just means it's on the lower priority list.
Comment From: veskop86
Here is one more request :)
Comment From: rwinch
Please just use :+1: on the first comment (issue description) to indicate votes. It makes it much easier for us to add that up than counting comments. Thanks :)
Comment From: Rahman14354
One more request.
Comment From: ghost
So here's the dilemma. I use XML configuration in a non-Spring Boot application. I converted it to Java Configuration and then ran into a Spring Session bug, "Unable to obtain SessionCookieConfig using Java based config" #22319.
Mixing XML with Java Configuration is doable, but not great, and since both pieces here relate to the html configuration, I suspect it will break big time.
So, please provide XML configuration or make sure the Java configuration is 100% compatible.
Comment From: jgrandja
@JimRichards22 Looks like there is demand for this feature so I've scheduled it for the 5.3 release. There is no date for it yet but likely about 9-12 months from now.
Comment From: rwinch
If anyone wants to contribute the support for this, we'd be happy to add it sooner. Just ping the issue asking if you can have the issue and we will confirm. If you have questions on how to do it, let us know.
Comment From: rh-id
Can I have this issue? I'm a first timer in open source though, could you guide me on how to do it?
So far I have explored the code and I came up with the following checklist of what should be modified:
1. Update the Elements class to add "oauth2-login"
2. Create a new parser "OAuth2LoginBeanDefinitionParser" that extends AbstractSingleBeanDefinitionParser in the org.springframework.security.config.oauth2 package
3. Add a new entry in SecurityFilters for OAuth2LoginAuthenticationFilter
4. Update AuthenticationConfigBuilder to create the OAuth2LoginAuthenticationFilter filter and update getFilter to return it
5. Add the unit test "OAuth2LoginBeanDefinitionParserTest" and the XML test files to test the XML parser
If the above checklist is more or less OK, I will try to submit a PR.
Comment From: jgrandja
Thanks for the offer @rh-id. We typically label status: first-timers-only for first time issues. This one is a bit more involved. However, if you're keen on working on this, then I would propose we both work on it; that way I can guide you through the process and help with the implementation. Alternatively, I can find another issue for you to work on. Let me know your preference.
Comment From: rh-id
Hi @jgrandja. I'm fine with either option; if there are more priority issues that you think are more suitable, then I could help on those.
Comment From: jgrandja
@rh-id This is an important feature and needs to get into 5.3.0. So let's work on this together. I think the best approach would be for me to put together the initial "Draft PR" and we can work from there. I'll think of an approach that will make it easy for you to implement the necessary artifacts. I'll submit the Draft PR end of week or early next week and we can go from there. Sound good?
Comment From: rh-id
@jgrandja sounds good 👍
Comment From: jgrandja
@rh-id If you haven't already, please get familiar with the contributing guidelines.
Comment From: jgrandja
For anyone who would like to try out the XML config in the snapshot build, you can find sample test configurations for the <oauth2-login> and <client-registrations> elements here:
<oauth2-login> - all files with this pattern OAuth2LoginBeanDefinitionParserTests-*.xml under this directory
<client-registrations> - all files in this directory
Feedback would be greatly appreciated!