Update Spring MVC Docs

Closes gh-14220
spring-projects · Dec 1, 2023 · c336ca4 · c336ca4
1 parent c623303
commit c336ca4
Showing 1 changed file with 31 additions and 3 deletions.
diff --git a/docs/modules/ROOT/pages/servlet/configuration/java.adoc b/docs/modules/ROOT/pages/servlet/configuration/java.adoc
@@ -112,7 +112,7 @@ public class SecurityWebApplicationInitializer
 
 This would simply only register the springSecurityFilterChain Filter for every URL in your application.
 After that we would ensure that `WebSecurityConfig` was loaded in our existing ApplicationInitializer.
-For example, if we were using Spring MVC it would be added in the `getRootConfigClasses()`
+For example, if we were using Spring MVC it would be added in the `getServletConfigClasses()`
 
 [[message-web-application-inititializer-java]]
 [source,java]
@@ -121,14 +121,42 @@ public class MvcWebApplicationInitializer extends
 		AbstractAnnotationConfigDispatcherServletInitializer {
 
 	@Override
-	protected Class<?>[] getRootConfigClasses() {
-		return new Class[] { WebSecurityConfig.class };
+	protected Class<?>[] getServletConfigClasses() {
+		return new Class[] { WebSecurityConfig.class, WebMvcConfig.class };
 	}
 
 	// ... other overrides ...
 }
 ----
 
+The reason for this is that Spring Security needs to be able to inspect some Spring MVC configuration in order to appropriately configure xref:servlet/authorization/authorize-http-requests.adoc#_request_matchers[underlying request matchers], so they need to be in the same application context.
+Placing Spring Security in `getRootConfigClasses` places it into a parent application context that may not be able to find Spring MVC's `HandlerMappingIntrospector`.
+
+==== Configuring for Multiple Spring MVC Dispatchers
+
+If desired, any Spring Security configuration that is unrelated to Spring MVC may be placed in a different configuration class like so:
+
+[source,java]
+----
+public class MvcWebApplicationInitializer extends
+		AbstractAnnotationConfigDispatcherServletInitializer {
+
+	@Override
+    protected Class<?>[] getRootConfigClasses() {
+		return new Class[] { NonWebSecurityConfig.class };
+    }
+
+	@Override
+	protected Class<?>[] getServletConfigClasses() {
+		return new Class[] { WebSecurityConfig.class, WebMvcConfig.class };
+	}
+
+	// ... other overrides ...
+}
+----
+
+This can be helpful if you have multiple instances of `AbstractAnnotationConfigDispatcherServletInitializer` and don't want to duplicate the general security configuration across both of them.
+
 [[jc-httpsecurity]]
 == HttpSecurity