Issue
I'm adding CSRF security to a Spring-MVC project I'm working on. I'm using Spring Security 5.2.15 and am following this answer to disable CSRF for a particular URL: https://stackoverflow.com/questions/56713604/spring-security-bypass-csrf-verification-for-specific-urls
But when I apply this, I get the error "No matching constructor found in class 'AndRequestMatcher'"
<b:bean id="csrfMatcher"
        class="org.springframework.security.web.util.matcher.AndRequestMatcher">
    <b:constructor-arg value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_CSRF_MATCHER}"/>
    <b:constructor-arg>
        <b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
            <b:constructor-arg>
                <b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
                        c:pattern="/login.html"/>
            </b:constructor-arg>
        </b:bean>
    </b:constructor-arg>
</b:bean>
So I modified it to look like this:
<b:bean id="csrfMatcher" class="org.springframework.security.web.util.matcher.AndRequestMatcher">
    <b:constructor-arg name="requestMatchers">
        <b:list>
            <b:value value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_CSRF_MATCHER}"/>
            <b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
                <b:constructor-arg>
                    <b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
                            c:pattern="/login.html"/>
                </b:constructor-arg>
            </b:bean>
        </b:list>
    </b:constructor-arg>
</b:bean>
But now I'm getting the error: "cvc-complex-type.3.2.2: Attribute 'value' is not allowed to appear in element 'b:value' "
I'm referencing the static final RequestMatcher here.
How do I add this as an argument to my csrfMatcher bean in my XML config file?
Solution
I solved this by applying the bean tag and utilizing the class the static object uses with $ to reference it.
<b:bean id="csrfMatcher" class="org.springframework.security.web.util.matcher.AndRequestMatcher">
    <b:constructor-arg name="requestMatchers">
        <b:list>
            <b:bean class="org.springframework.security.web.csrf.CsrfFilter$DefaultRequiresCsrfMatcher" />
            <b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
                <b:constructor-arg>
                    <b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
                            c:pattern="/login.html"/>
                </b:constructor-arg>
            </b:bean>
        </b:list>
    </b:constructor-arg>
</b:bean>
Answered By - Myy
Answer Checked By - David Marino (JavaFixing Volunteer)
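
An alternative to the answer above, added here as an example and not part of the original post: `util:constant` exposes the public static field `CsrfFilter.DEFAULT_CSRF_MATCHER` as a bean, so the list can reference the field the question asked about instead of instantiating the nested class by name. The `<http>` wrapper, the `util` namespace declaration and the schema locations are assumptions about the surrounding file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:c="http://www.springframework.org/schema/c"
         xmlns:util="http://www.springframework.org/schema/util"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="
           http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/util https://www.springframework.org/schema/util/spring-util.xsd
           http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">

    <http>
        <!-- Assumption: the project's existing intercept-url / form-login elements stay here. -->

        <!-- CSRF protection stays enabled; only the matcher deciding which requests need a token changes. -->
        <csrf request-matcher-ref="csrfMatcher"/>
    </http>

    <!-- A token is required when BOTH matchers in the list agree. -->
    <b:bean id="csrfMatcher"
            class="org.springframework.security.web.util.matcher.AndRequestMatcher">
        <b:constructor-arg name="requestMatchers">
            <b:list>
                <!-- 1. The stock rule: every method except GET, HEAD, TRACE and OPTIONS. -->
                <util:constant
                    static-field="org.springframework.security.web.csrf.CsrfFilter.DEFAULT_CSRF_MATCHER"/>

                <!-- 2. ...and the request is NOT for the exempted path.
                     The leading slash matters: the matcher compares against the
                     servlet path, which always starts with "/". -->
                <b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
                    <b:constructor-arg>
                        <b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
                                c:pattern="/login.html"/>
                    </b:constructor-arg>
                </b:bean>
            </b:list>
        </b:constructor-arg>
    </b:bean>
</b:beans>
```

The negated matcher exempts every HTTP method on `/login.html` from the token check, so keep the pattern an exact path rather than a wildcard and confirm after deployment that a POST to any other URL without a token is still rejected with 403.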