diff --git a/servlet/spring-boot/java/hello-security-explicit/src/main/java/example/SecurityConfiguration.java b/servlet/spring-boot/java/hello-security-explicit/src/main/java/example/SecurityConfiguration.java index d8c65b8..e5475ae 100644 --- a/servlet/spring-boot/java/hello-security-explicit/src/main/java/example/SecurityConfiguration.java +++ b/servlet/spring-boot/java/hello-security-explicit/src/main/java/example/SecurityConfiguration.java @@ -20,10 +20,10 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import static org.springframework.security.config.Customizer.withDefaults; 
@@ -34,19 +34,20 @@ import static org.springframework.security.config.Customizer.withDefaults; */ @Configuration @EnableWebSecurity -public class SecurityConfiguration extends WebSecurityConfigurerAdapter { +public class SecurityConfiguration { - @Override - // @formatter:off - protected void configure(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + // @formatter:off http - .authorizeHttpRequests((authorize) -> authorize - .anyRequest().authenticated() - ) - .httpBasic(withDefaults()) - .formLogin(withDefaults()); + .authorizeHttpRequests((authorize) -> authorize + .anyRequest().authenticated() + ) + .httpBasic(withDefaults()) + .formLogin(withDefaults()); + // @formatter:on + return http.build(); } - // @formatter:on // @formatter:off @Bean diff --git a/servlet/spring-boot/java/jwt/login/src/main/java/example/RestConfig.java b/servlet/spring-boot/java/jwt/login/src/main/java/example/RestConfig.java index 7f7de48..478e14e 100644 --- a/servlet/spring-boot/java/jwt/login/src/main/java/example/RestConfig.java +++ b/servlet/spring-boot/java/jwt/login/src/main/java/example/RestConfig.java @@ -31,7 +31,6 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.User; 
@@ -43,6 +42,7 @@ import org.springframework.security.oauth2.jwt.NimbusJwtEncoder; import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint; import org.springframework.security.oauth2.server.resource.web.access.BearerTokenAccessDeniedHandler; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; /** * Security configuration for the main application. @@ -50,7 +50,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager; * @author Josh Cummings */ @Configuration -public class RestConfig extends WebSecurityConfigurerAdapter { +public class RestConfig { @Value("${jwt.public.key}") RSAPublicKey key; 
@@ -58,22 +58,23 @@ public class RestConfig extends WebSecurityConfigurerAdapter { @Value("${jwt.private.key}") RSAPrivateKey priv; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeHttpRequests((authorize) -> authorize - .anyRequest().authenticated() - ) - .csrf((csrf) -> csrf.ignoringAntMatchers("/token")) - .httpBasic(Customizer.withDefaults()) - .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) - .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) - .exceptionHandling((exceptions) -> exceptions - .authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint()) - .accessDeniedHandler(new BearerTokenAccessDeniedHandler()) - ); + .authorizeHttpRequests((authorize) -> authorize + .anyRequest().authenticated() + ) + .csrf((csrf) -> csrf.ignoringAntMatchers("/token")) + .httpBasic(Customizer.withDefaults()) + .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) + .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) + .exceptionHandling((exceptions) -> exceptions + .authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint()) + .accessDeniedHandler(new BearerTokenAccessDeniedHandler()) + ); // @formatter:on + return http.build(); } @Bean diff --git a/servlet/spring-boot/java/jwt/login/src/test/java/example/web/HelloControllerTests.java b/servlet/spring-boot/java/jwt/login/src/test/java/example/web/HelloControllerTests.java index 74919f1..8e3ba1d 100644 --- a/servlet/spring-boot/java/jwt/login/src/test/java/example/web/HelloControllerTests.java +++ b/servlet/spring-boot/java/jwt/login/src/test/java/example/web/HelloControllerTests.java 
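Review bot: The CSRF exemption `csrf.ignoringAntMatchers("/token")` in `securityFilterChain` is carried over with no comment saying why this one path may skip the check, and undocumented exemptions tend to get widened by copy-paste. From the visible chain the reason appears to be that `/token` is called with HTTP Basic credentials on a `STATELESS` chain rather than from a browser session, but that is inferred and should be confirmed by the author. I would add a comment above the line such as `// /token is authenticated per request with HTTP Basic (no session); CSRF is skipped for this path only`. The method is fully inside the hunk, but `RestConfig` itself starts and ends outside it.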
@@ -16,10 +16,12 @@ package example.web; +import example.RestConfig; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; +import org.springframework.context.annotation.Import; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; @@ -35,6 +37,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. * @author Josh Cummings */ @WebMvcTest({ HelloController.class, TokenController.class }) +@Import(RestConfig.class) public class HelloControllerTests { @Autowired diff --git a/servlet/spring-boot/java/oauth2/login/src/integTest/java/example/OAuth2LoginApplicationTests.java b/servlet/spring-boot/java/oauth2/login/src/integTest/java/example/OAuth2LoginApplicationTests.java index ddbfe89..5f44272 100644 --- a/servlet/spring-boot/java/oauth2/login/src/integTest/java/example/OAuth2LoginApplicationTests.java +++ b/servlet/spring-boot/java/oauth2/login/src/integTest/java/example/OAuth2LoginApplicationTests.java @@ -44,7 +44,6 @@ import org.springframework.context.annotation.Bean; import org.springframework.http.HttpStatus; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient; import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest; 
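Review bot: The new `@Import(RestConfig.class)` on `HelloControllerTests` has no comment explaining that it is what makes this slice test run against the application's real security rules. `@WebMvcTest` loads only the listed controllers and MVC infrastructure, so once `RestConfig` stops extending the adapter it is presumably no longer picked up on its own, and without the import the assertions would run against whatever default security the slice configures. A one-line comment such as `// Load the real SecurityFilterChain; @WebMvcTest does not scan RestConfig` would keep someone from removing it as redundant. The same applies to the `@Import(OAuth2ResourceServerSecurityConfiguration.class)` additions in the two `OAuth2ResourceServerControllerTests` hunks.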
@@ -63,6 +62,7 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; import org.springframework.security.oauth2.core.user.DefaultOAuth2User; import org.springframework.security.oauth2.core.user.OAuth2User; import org.springframework.security.oauth2.core.user.OAuth2UserAuthority; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.web.util.UriComponents; import org.springframework.web.util.UriComponentsBuilder; @@ -328,21 +328,22 @@ public class OAuth2LoginApplicationTests { } @EnableWebSecurity - public static class SecurityTestConfig extends WebSecurityConfigurerAdapter { + public static class SecurityTestConfig { - // @formatter:off - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + // @formatter:off http - .authorizeHttpRequests((authorize) -> authorize - .anyRequest().authenticated() - ) - .oauth2Login((oauth2) -> oauth2 - .tokenEndpoint((token) -> token.accessTokenResponseClient(mockAccessTokenResponseClient())) - .userInfoEndpoint((userInfo) -> userInfo.userService(mockUserService())) - ); + .authorizeHttpRequests((authorize) -> authorize + .anyRequest().authenticated() + ) + .oauth2Login((oauth2) -> oauth2 + .tokenEndpoint((token) -> token.accessTokenResponseClient(mockAccessTokenResponseClient())) + .userInfoEndpoint((userInfo) -> userInfo.userService(mockUserService())) + ); + // @formatter:on + return http.build(); } - // @formatter:on private OAuth2AccessTokenResponseClient mockAccessTokenResponseClient() { OAuth2AccessTokenResponse accessTokenResponse = OAuth2AccessTokenResponse.withToken("access-token-1234") 
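Review bot: `SecurityTestConfig` now declares its chain as a `@Bean` method but, as far as the hunk shows, carries only `@EnableWebSecurity`, so the bean is registered only because that annotation is itself meta-annotated with `@Configuration` in the 5.x line this code targets. Spring Security 6 drops that meta-annotation, and a chain that is not registered would likely leave the application on default rules rather than failing loudly. Adding an explicit `@Configuration` above `@EnableWebSecurity`, as `hello-security-explicit/SecurityConfiguration` already has, removes the dependency. The same applies to the three `OAuth2ResourceServerSecurityConfiguration` classes, the webclient `SecurityConfiguration` and the Kotlin `SecurityConfig` in this commit. The class body continues past the end of the hunk.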
diff --git a/servlet/spring-boot/java/oauth2/resource-server/hello-security/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java b/servlet/spring-boot/java/oauth2/resource-server/hello-security/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java index 973752f..c0dc343 100644 --- a/servlet/spring-boot/java/oauth2/resource-server/hello-security/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java +++ b/servlet/spring-boot/java/oauth2/resource-server/hello-security/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java @@ -20,10 +20,10 @@ import org.springframework.context.annotation.Bean; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer; import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; +import org.springframework.security.web.SecurityFilterChain; /** * OAuth resource configuration. 
@@ -31,22 +31,23 @@ import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; * @author Josh Cummings */ @EnableWebSecurity -public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter { +public class OAuth2ResourceServerSecurityConfiguration { @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}") String jwkSetUri; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeHttpRequests((authorize) -> authorize - .antMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read") - .antMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write") - .anyRequest().authenticated() - ) - .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); + .authorizeHttpRequests((authorize) -> authorize + .antMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read") + .antMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write") + .anyRequest().authenticated() + ) + .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); // @formatter:on + return http.build(); } @Bean diff --git a/servlet/spring-boot/java/oauth2/resource-server/hello-security/src/test/java/example/OAuth2ResourceServerControllerTests.java b/servlet/spring-boot/java/oauth2/resource-server/hello-security/src/test/java/example/OAuth2ResourceServerControllerTests.java index be3e33e..4e0fd33 100644 --- a/servlet/spring-boot/java/oauth2/resource-server/hello-security/src/test/java/example/OAuth2ResourceServerControllerTests.java +++ b/servlet/spring-boot/java/oauth2/resource-server/hello-security/src/test/java/example/OAuth2ResourceServerControllerTests.java 
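Review bot: The scope rules in `securityFilterChain` cover only `GET` and `POST` on `/message/**`, so any other method on that path (PUT, DELETE, PATCH) falls through to `.anyRequest().authenticated()` and needs a valid token but no `message:*` scope. Whether the controller maps such methods is not visible here, so this may be harmless today, but a handler added later would be reachable without a scope. A closing rule such as `.antMatchers("/message/**").denyAll()` after the two method-specific matchers makes the path fail closed. The opaque-token configuration later in this commit has the same pair of rules written with `mvcMatchers` and would take the `mvcMatchers` equivalent.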
@@ -19,6 +19,7 @@ import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; +import org.springframework.context.annotation.Import; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.test.web.servlet.MockMvc; @@ -36,6 +37,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. * */ @WebMvcTest(OAuth2ResourceServerController.class) +@Import(OAuth2ResourceServerSecurityConfiguration.class) public class OAuth2ResourceServerControllerTests { @Autowired diff --git a/servlet/spring-boot/java/oauth2/resource-server/jwe/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java b/servlet/spring-boot/java/oauth2/resource-server/jwe/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java index 5ce1aa2..effb9d3 100644 --- a/servlet/spring-boot/java/oauth2/resource-server/jwe/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java +++ b/servlet/spring-boot/java/oauth2/resource-server/jwe/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java @@ -42,9 +42,9 @@ import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; +import org.springframework.security.web.SecurityFilterChain; import static org.springframework.security.config.Customizer.withDefaults; 
@@ -54,7 +54,7 @@ import static org.springframework.security.config.Customizer.withDefaults; * @author Josh Cummings */ @EnableWebSecurity -public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter { +public class OAuth2ResourceServerSecurityConfiguration { private final JWSAlgorithm jwsAlgorithm = JWSAlgorithm.RS256; @@ -68,16 +68,17 @@ public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfig @Value("${sample.jwe-key-value}") RSAPrivateKey key; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeHttpRequests((authorize) -> authorize - .antMatchers("/message/**").hasAuthority("SCOPE_message:read") - .anyRequest().authenticated() - ) - .oauth2ResourceServer((oauth2) -> oauth2.jwt(withDefaults())); + .authorizeHttpRequests((authorize) -> authorize + .antMatchers("/message/**").hasAuthority("SCOPE_message:read") + .anyRequest().authenticated() + ) + .oauth2ResourceServer((oauth2) -> oauth2.jwt(withDefaults())); // @formatter:on + return http.build(); } @Bean diff --git a/servlet/spring-boot/java/oauth2/resource-server/opaque/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java b/servlet/spring-boot/java/oauth2/resource-server/opaque/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java index b3cee2f..baef8ca 100644 --- a/servlet/spring-boot/java/oauth2/resource-server/opaque/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java +++ b/servlet/spring-boot/java/oauth2/resource-server/opaque/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java 
@@ -16,10 +16,11 @@ package example; import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.SecurityFilterChain; /** * OAuth2 Security Configuration. @@ -27,7 +28,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur * @author Josh Cummings */ @EnableWebSecurity -public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter { +public class OAuth2ResourceServerSecurityConfiguration { @Value("${spring.security.oauth2.resourceserver.opaque.introspection-uri}") String introspectionUri; 
@@ -38,22 +39,23 @@ public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfig @Value("${spring.security.oauth2.resourceserver.opaque.introspection-client-secret}") String clientSecret; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeHttpRequests((authorize) -> authorize - .mvcMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read") - .mvcMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write") - .anyRequest().authenticated() - ) - .oauth2ResourceServer((oauth2) -> oauth2 - .opaqueToken((opaque) -> opaque - .introspectionUri(this.introspectionUri) - .introspectionClientCredentials(this.clientId, this.clientSecret) + .authorizeHttpRequests((authorize) -> authorize + .mvcMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read") + .mvcMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write") + .anyRequest().authenticated() ) - ); + .oauth2ResourceServer((oauth2) -> oauth2 + .opaqueToken((opaque) -> opaque + .introspectionUri(this.introspectionUri) + .introspectionClientCredentials(this.clientId, this.clientSecret) + ) + ); // @formatter:on + return http.build(); } } diff --git a/servlet/spring-boot/java/oauth2/resource-server/opaque/src/test/java/example/OAuth2ResourceServerControllerTests.java b/servlet/spring-boot/java/oauth2/resource-server/opaque/src/test/java/example/OAuth2ResourceServerControllerTests.java index 037932e..f11f28f 100644 --- a/servlet/spring-boot/java/oauth2/resource-server/opaque/src/test/java/example/OAuth2ResourceServerControllerTests.java +++ b/servlet/spring-boot/java/oauth2/resource-server/opaque/src/test/java/example/OAuth2ResourceServerControllerTests.java 
@@ -19,6 +19,7 @@ import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; +import org.springframework.context.annotation.Import; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors; import org.springframework.test.web.servlet.MockMvc; @@ -36,6 +37,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. * @since 5.3 */ @WebMvcTest(OAuth2ResourceServerController.class) +@Import(OAuth2ResourceServerSecurityConfiguration.class) public class OAuth2ResourceServerControllerTests { @Autowired diff --git a/servlet/spring-boot/java/oauth2/webclient/src/main/java/example/SecurityConfiguration.java b/servlet/spring-boot/java/oauth2/webclient/src/main/java/example/SecurityConfiguration.java index 238fc89..40e8145 100644 --- a/servlet/spring-boot/java/oauth2/webclient/src/main/java/example/SecurityConfiguration.java +++ b/servlet/spring-boot/java/oauth2/webclient/src/main/java/example/SecurityConfiguration.java @@ -18,11 +18,11 @@ package example; import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import static org.springframework.security.config.Customizer.withDefaults; 
@@ -32,20 +32,21 @@ import static org.springframework.security.config.Customizer.withDefaults; * @author Joe Grandja */ @EnableWebSecurity -public class SecurityConfiguration extends WebSecurityConfigurerAdapter { +public class SecurityConfiguration { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeHttpRequests((authorize) -> authorize - .mvcMatchers("/", "/public/**").permitAll() - .anyRequest().authenticated() - ) - .formLogin(withDefaults()) - .oauth2Login(withDefaults()) - .oauth2Client(withDefaults()); + .authorizeHttpRequests((authorize) -> authorize + .mvcMatchers("/", "/public/**").permitAll() + .anyRequest().authenticated() + ) + .formLogin(withDefaults()) + .oauth2Login(withDefaults()) + .oauth2Client(withDefaults()); // @formatter:on + return http.build(); } @Bean diff --git a/servlet/spring-boot/kotlin/hello-security/src/main/kotlin/org/springframework/security/samples/config/SecurityConfig.kt b/servlet/spring-boot/kotlin/hello-security/src/main/kotlin/org/springframework/security/samples/config/SecurityConfig.kt index 043f29e..296d19b 100644 --- a/servlet/spring-boot/kotlin/hello-security/src/main/kotlin/org/springframework/security/samples/config/SecurityConfig.kt +++ b/servlet/spring-boot/kotlin/hello-security/src/main/kotlin/org/springframework/security/samples/config/SecurityConfig.kt 
@@ -19,32 +19,34 @@ package org.springframework.security.samples.config import org.springframework.context.annotation.Bean import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter import org.springframework.security.config.web.servlet.invoke import org.springframework.security.core.userdetails.User import org.springframework.security.core.userdetails.UserDetailsService import org.springframework.security.provisioning.InMemoryUserDetailsManager +import org.springframework.security.web.SecurityFilterChain /** * @author Eleftheria Stein */ @EnableWebSecurity -class SecurityConfig : WebSecurityConfigurerAdapter() { +class SecurityConfig { - override fun configure(http: HttpSecurity) { - http { + @Bean + fun filterChain(http: HttpSecurity): SecurityFilterChain { + http { authorizeRequests { authorize("/css/**", permitAll) authorize("/user/**", hasAuthority("ROLE_USER")) } - formLogin { - loginPage = "/log-in" - } + formLogin { + loginPage = "/log-in" + } } + return http.build() } @Bean - public override fun userDetailsService(): UserDetailsService { + fun userDetailsService(): UserDetailsService { val userDetails = User.withDefaultPasswordEncoder() .username("user") .password("password")
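Review bot: The `authorizeRequests` block in `filterChain` has rules for `/css/**` and `/user/**` only and no catch-all, unlike every Java chain in this commit, which ends with `.anyRequest().authenticated()`. Requests that match neither pattern therefore have no authorization rule applied to them in this chain. Adding `authorize(anyRequest, authenticated)` as the last line of the block closes that gap. `userDetailsService()` continues past the end of the hunk.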