spring-security/docs/modules/ROOT/pages/servlet/configuration/kotlin.adoc


[[kotlin-config]]
= Kotlin Configuration
Spring Security Kotlin configuration has been available since Spring Security 5.3.
It lets users configure Spring Security by using a native Kotlin DSL.

[NOTE]
====
Spring Security provides https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/kotlin/hello-security[a sample application] to demonstrate the use of Spring Security Kotlin Configuration.
====

[[kotlin-config-httpsecurity]]
== HttpSecurity

How does Spring Security know that we want to require all users to be authenticated?
How does Spring Security know we want to support form-based authentication?
There is a configuration class (called `SecurityFilterChain`) that is being invoked behind the scenes.
It is configured with the following default implementation:

[source,kotlin]
----
import org.springframework.security.config.annotation.web.invoke

@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
   http {
        authorizeRequests {
            authorize(anyRequest, authenticated)
        }
       formLogin { }
       httpBasic { }
    }
    return http.build()
}
----

[NOTE]
Make sure that import the `invoke` function in your class, sometimes the IDE will not auto-import it causing compilation issues.

The default configuration (shown in the preceding listing):

* Ensures that any request to our application requires the user to be authenticated
* Lets users authenticate with form-based login
* Lets users authenticate with HTTP Basic authentication

Note that this configuration is parallels the XML namespace configuration:

[source,xml]
----
<http>
	<intercept-url pattern="/**" access="authenticated"/>
	<form-login />
	<http-basic />
</http>
----

== Multiple HttpSecurity Instances

We can configure multiple `HttpSecurity` instances, just as we can have multiple `<http>` blocks.
The key is to register multiple `SecurityFilterChain` ``@Bean``s.
The following example has a different configuration for URL's that start with `/api/`:

[source,kotlin]
----
@Configuration
import org.springframework.security.config.annotation.web.invoke

@EnableWebSecurity
class MultiHttpSecurityConfig {
    @Bean                                                            <1>
    public fun userDetailsService(): UserDetailsService {
        val users: User.UserBuilder = User.withDefaultPasswordEncoder()
        val manager = InMemoryUserDetailsManager()
        manager.createUser(users.username("user").password("password").roles("USER").build())
        manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build())
        return manager
    }

    @Order(1)                                                        <2>
    @Bean
    open fun apiFilterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            securityMatcher("/api/**")                               <3>
            authorizeRequests {
                authorize(anyRequest, hasRole("ADMIN"))
            }
            httpBasic { }
        }
        return http.build()
    }

    @Bean                                                            <4>
    open fun formLoginFilterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            authorizeRequests {
                authorize(anyRequest, authenticated)
            }
            formLogin { }
        }
        return http.build()
    }
}
----

<1> Configure Authentication as usual.
<2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
<4> Create another instance of `SecurityFilterChain`.
If the URL does not start with `/api/`, this configuration is used.
This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
			`[[kotlin-config]]`
			`= Kotlin Configuration`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`Spring Security Kotlin configuration has been available since Spring Security 5.3.`
			`It lets users configure Spring Security by using a native Kotlin DSL.`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
Further changes based on feedback Mostly restoring the formatting of admonitions. 2021-06-04 14:12:59 -05:00			`[NOTE]`
			`====`
			`Spring Security provides https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/kotlin/hello-security[a sample application] to demonstrate the use of Spring Security Kotlin Configuration.`
			`====`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
			`[[kotlin-config-httpsecurity]]`
			`== HttpSecurity`

			`How does Spring Security know that we want to require all users to be authenticated?`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`How does Spring Security know we want to support form-based authentication?`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			There is a configuration class (called `SecurityFilterChain`) that is being invoked behind the scenes.
			`It is configured with the following default implementation:`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
			`[source,kotlin]`
			`----`
Clarify that Kotlin DSL needs an import Closes gh-13092 2023-04-26 15:56:47 -03:00			`import org.springframework.security.config.annotation.web.invoke`

Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`@Bean`
			`open fun filterChain(http: HttpSecurity): SecurityFilterChain {`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`http {`
			`authorizeRequests {`
			`authorize(anyRequest, authenticated)`
			`}`
			`formLogin { }`
			`httpBasic { }`
			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`return http.build()`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
			`----`

Clarify that Kotlin DSL needs an import Closes gh-13092 2023-04-26 15:56:47 -03:00			`[NOTE]`
			Make sure that import the `invoke` function in your class, sometimes the IDE will not auto-import it causing compilation issues.

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`The default configuration (shown in the preceding listing):`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
			`* Ensures that any request to our application requires the user to be authenticated`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`* Lets users authenticate with form-based login`
			`* Lets users authenticate with HTTP Basic authentication`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`Note that this configuration is parallels the XML namespace configuration:`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
			`[source,xml]`
			`----`
			`<http>`
			`<intercept-url pattern="/**" access="authenticated"/>`
			`<form-login />`
			`<http-basic />`
			`</http>`
			`----`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`== Multiple HttpSecurity Instances`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
Fix formatting in reference docs 2022-03-24 15:13:50 +01:00			We can configure multiple `HttpSecurity` instances, just as we can have multiple `<http>` blocks.
			The key is to register multiple `SecurityFilterChain` ``@Bean``s.
Accounted for feedback Incorporated suggested changes from a review. 2021-06-02 11:49:49 -05:00			The following example has a different configuration for URL's that start with `/api/`:
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
Accounted for feedback Incorporated suggested changes from a review. 2021-06-02 11:49:49 -05:00			`[source,kotlin]`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`----`
Remove Configuration meta-annotation from Enable* annotations Before, Spring Security's @Enable* annotations were meta-annotated with @Configuration. While convenient, this is not consistent with the rest of the Spring projects and most notably Spring Framework's @Enable annotations. Additionally, the introduction of support for @Configuration(proxyBeanMethods=false) in Spring Framework provides a compelling reason to remove @Configuration meta-annotation from Spring Security's @Enable annotations and allow users to opt into their preferred configuration mode. Closes gh-6613 Signed-off-by: Joshua Sattler <joshua.sattler@mailbox.org> 2022-07-30 03:47:02 +02:00			`@Configuration`
Clarify that Kotlin DSL needs an import Closes gh-13092 2023-04-26 15:56:47 -03:00			`import org.springframework.security.config.annotation.web.invoke`

Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`@EnableWebSecurity`
			`class MultiHttpSecurityConfig {`
			`@Bean <1>`
			`public fun userDetailsService(): UserDetailsService {`
			`val users: User.UserBuilder = User.withDefaultPasswordEncoder()`
			`val manager = InMemoryUserDetailsManager()`
			`manager.createUser(users.username("user").password("password").roles("USER").build())`
			`manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build())`
			`return manager`
			`}`

			`@Order(1) <2>`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`@Bean`
			`open fun apiFilterChain(http: HttpSecurity): SecurityFilterChain {`
			`http {`
			`securityMatcher("/api/**") <3>`
			`authorizeRequests {`
			`authorize(anyRequest, hasRole("ADMIN"))`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`httpBasic { }`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`return http.build()`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`

Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`@Bean <4>`
			`open fun formLoginFilterChain(http: HttpSecurity): SecurityFilterChain {`
			`http {`
			`authorizeRequests {`
			`authorize(anyRequest, authenticated)`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`formLogin { }`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`return http.build()`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
			`}`
			`----`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`<1> Configure Authentication as usual.`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			<2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			<4> Create another instance of `SecurityFilterChain`.
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			If the URL does not start with `/api/`, this configuration is used.
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).