2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								[[kotlin-config]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								= Kotlin Configuration
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Spring Security Kotlin configuration has been available since Spring Security 5.3.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								It lets users configure Spring Security by using a native Kotlin DSL.
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-06-04 14:12:59 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Spring Security provides https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/kotlin/hello-security[a sample application] to demonstrate the use of Spring Security Kotlin Configuration.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								====
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								[[kotlin-config-httpsecurity]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								== HttpSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								How does Spring Security know that we want to require all users to be authenticated?
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								How does Spring Security know we want to support form-based authentication?
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								There is a configuration class (called `SecurityFilterChain`) that is being invoked behind the scenes.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								It is configured with the following default implementation:
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								====
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[source,kotlin]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								open fun filterChain(http: HttpSecurity): SecurityFilterChain {
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								   http {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        authorizeRequests {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            authorize(anyRequest, authenticated)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								       formLogin { }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								       httpBasic { }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    return http.build()
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								====
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								The default configuration (shown in the preceding listing):
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								* Ensures that any request to our application requires the user to be authenticated
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								* Lets users authenticate with form-based login
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								* Lets users authenticate with HTTP Basic authentication
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Note that this configuration is parallels the XML namespace configuration:
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								====
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[source,xml]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								<http>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									<intercept-url pattern="/**" access="authenticated"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									<form-login />
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									<http-basic />
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								</http>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								====
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								== Multiple HttpSecurity Instances
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2022-03-24 15:13:50 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								We can configure multiple `HttpSecurity` instances, just as we can have multiple `<http>` blocks.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								The key is to register multiple `SecurityFilterChain` ``@Bean``s.
							 
						 
					
						
							
								
									
										
										
										
											2021-06-02 11:49:49 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								The following example has a different configuration for URL's that start with `/api/`:
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								====
							 
						 
					
						
							
								
									
										
										
										
											2021-06-02 11:49:49 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[source,kotlin]
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								@EnableWebSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								class MultiHttpSecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Bean                                                            <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    public fun userDetailsService(): UserDetailsService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        val users: User.UserBuilder = User.withDefaultPasswordEncoder()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        val manager = InMemoryUserDetailsManager()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        manager.createUser(users.username("user").password("password").roles("USER").build())
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build())
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        return manager
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Order(1)                                                        <2>
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    open fun apiFilterChain(http: HttpSecurity): SecurityFilterChain {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        http {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            securityMatcher("/api/**")                               <3>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            authorizeRequests {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                authorize(anyRequest, hasRole("ADMIN"))
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								            }
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								            httpBasic { }
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								        }
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        return http.build()
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    @Bean                                                            <4>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    open fun formLoginFilterChain(http: HttpSecurity): SecurityFilterChain {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        http {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            authorizeRequests {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                authorize(anyRequest, authenticated)
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								            }
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								            formLogin { }
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								        }
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        return http.build()
							 
						 
					
						
							
								
									
										
										
										
											2020-03-02 15:06:09 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								<1> Configure Authentication as usual.
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								<2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								<4> Create another instance of `SecurityFilterChain`.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								If the URL does not start with `/api/`, this configuration is used.
							 
						 
					
						
							
								
									
										
										
										
											2022-02-08 16:12:10 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).
							 
						 
					
						
							
								
									
										
										
										
											2021-04-21 16:01:26 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								====