Spring exception exclusive security pointer

I am trying to map users in my database to Spring Security users, but without much luck. My UserServiceImpl looks like this (auto-installation usually works fine when I call it through a servlet, but throws a null pointer when used in Spring security ...

@Service("userService") @Transactional public class UserServiceImpl implements UserService, UserDetailsService { protected static Logger logger = Logger.getLogger("service"); @Autowired private UserDAO userDao; public UserServiceImpl() { } @Transactional public User getById(Long id) { return userDao.getById(id); } @Transactional public User getByUsername(String username) { return userDao.getByUsername(username); } @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { UserDetails user = null; try { System.out.println(username); User dbUser = getByUsername(username); user = new org.springframework.security.core.userdetails.User( dbUser.getUsername(), dbUser.getPassword(), true, true, true, true, getAuthorities(dbUser.getAccess())); } catch (Exception e) { e.printStackTrace(); logger.log(Level.FINE, "Error in retrieving user"); throw new UsernameNotFoundException("Error in retrieving user"); } // Return user to Spring for processing. // Take note we're not the one evaluating whether this user is // authenticated or valid // We just merely retrieve a user that matches the specified username return user; } public Collection<GrantedAuthority> getAuthorities(Integer access) { // Create a list of grants for this user List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2); // All users are granted with ROLE_USER access // Therefore this user gets a ROLE_USER by default logger.log(Level.INFO, "User role selected"); authList.add(new GrantedAuthorityImpl("ROLE_USER")); // Check if this user has admin access // We interpret Integer(1) as an admin user if (access.compareTo(1) == 0) { // User has admin access logger.log(Level.INFO, "Admin role selected"); authList.add(new GrantedAuthorityImpl("ROLE_ADMIN")); } // Return list of granted authorities return authList; } } 

I get the following exception (first line is System.out)

 dusername java.lang.NullPointerException at org.assessme.com.service.UserServiceImpl.getByUsername(UserServiceImpl.java:40) at org.assessme.com.service.UserServiceImpl.loadUserByUsername(UserServiceImpl.java:50) at org.springframework.security.authentication.dao.DaoAuthenticationProvider.retrieveUser(DaoAuthenticationProvider.java:81) at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:132) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:722) 

So it looks like my userDao does not work automatically, but it works fine when I call the service level from a servlet, apparently not when using Spring-Security.

Line 40 refers to the return of userDao.getByUsername (username);

Does anyone have any ideas how I can get userDao to populate via @autowired? As I said, it works great when I invoke it through the servlet, just not trying to use Spring-security.

Is there an easier way to map users and passwords in Spring-security?

My application security context is as follows:

 <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd" xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"> <context:annotation-config /> <context:component-scan base-package="org.assessme.com." /> <http pattern="/static/**" security="none" /> <http use-expressions="true"> <intercept-url pattern="/login" access="permitAll" /> <intercept-url pattern="/*" access="isAuthenticated()" /> <!-- <intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')" /> --> <!-- <intercept-url pattern="/listAccounts.html" access="isAuthenticated()" /> --> <!-- <intercept-url pattern="/post.html" access="hasAnyRole('supervisor','teller')" /> --> <!-- <intercept-url pattern="/*" access="denyAll" /> --> <form-login /> <logout invalidate-session="true" logout-success-url="/" logout-url="/logout" /> </http> <authentication-manager> <authentication-provider user-service-ref="UserDetailsService"> <password-encoder ref="passwordEncoder"/> </authentication-provider> </authentication-manager> <context:component-scan base-package="org.assessme.com" /><context:annotation-config /> <beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/> <beans:bean class="org.assessme.com.service.UserServiceImpl" id="UserDetailsService" autowire="byType"/> </beans:beans> 

I think my question is why my userDao @Autowired does not work with Spring-security, but it works fine when used in a servlet to return a user object? For example, the following servlet works fine ...

Why does my autoinstall (as it throws NPE) not work when it passes through Spring-security, but works fine when called from a servlet?

EDIT: - added

But now I get

 ERROR: org.springframework.web.context.ContextLoader - Context initialization failed org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 9 in XML document from ServletContext resource [/WEB-INF/spring/security-app-context.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 9; columnNumber: 30; cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'context:annotation-config'.