spring-security/docs/modules/ROOT/pages/servlet/configuration/kotlin.adoc


[[kotlin-config]]
= Kotlin Configuration

Spring Security Kotlin configuration has been available since Spring Security 5.3.
It lets users configure Spring Security by using a native Kotlin DSL.

[NOTE]
====
Spring Security provides https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/kotlin/hello-security[a sample application] to demonstrate the use of Spring Security Kotlin Configuration.
====

[[kotlin-config-httpsecurity]]
== HttpSecurity

How does Spring Security know that we want to require all users to be authenticated?
How does Spring Security know we want to support form-based authentication?
There is a configuration class (called `SecurityFilterChain`) that is being invoked behind the scenes.
It is configured with the following default implementation:

[source,kotlin]
----
import org.springframework.security.config.annotation.web.invoke

@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http {
        authorizeHttpRequests {
            authorize(anyRequest, authenticated)
        }
        formLogin { }
        httpBasic { }
    }
    return http.build()
}
----

[NOTE]
Make sure to import the `org.springframework.security.config.annotation.web.invoke` function to enable the Kotlin DSL in your class, as the IDE will not always auto-import the method, causing compilation issues.

The default configuration (shown in the preceding listing):

* Ensures that any request to our application requires the user to be authenticated
* Lets users authenticate with form-based login
* Lets users authenticate with HTTP Basic authentication

Note that this configuration parallels the XML namespace configuration:

[source,xml]
----
<http>
	<intercept-url pattern="/**" access="authenticated"/>
	<form-login />
	<http-basic />
</http>
----

== Multiple HttpSecurity Instances

We can configure multiple `HttpSecurity` instances, just as we can have multiple `<http>` blocks.
The key is to register multiple `SecurityFilterChain` ``@Bean``s.
The following example has a different configuration for URLs that start with `/api/`:

[source,kotlin]
----
import org.springframework.security.config.annotation.web.invoke

@Configuration
@EnableWebSecurity
class MultiHttpSecurityConfig {
    @Bean                                                            <1>
    public fun userDetailsService(): UserDetailsService {
        val users: User.UserBuilder = User.withDefaultPasswordEncoder()
        val manager = InMemoryUserDetailsManager()
        manager.createUser(users.username("user").password("password").roles("USER").build())
        manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build())
        return manager
    }

    @Order(1)                                                        <2>
    @Bean
    open fun apiFilterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            securityMatcher("/api/**")                               <3>
            authorizeHttpRequests {
                authorize(anyRequest, hasRole("ADMIN"))
            }
            httpBasic { }
        }
        return http.build()
    }

    @Bean                                                            <4>
    open fun formLoginFilterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            authorizeHttpRequests {
                authorize(anyRequest, authenticated)
            }
            formLogin { }
        }
        return http.build()
    }
}
----

<1> Configure Authentication as usual.
<2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
<3> The `http.securityMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
<4> Create another instance of `SecurityFilterChain`.
If the URL does not start with `/api/`, this configuration is used.
This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
			`[[kotlin-config]]`
			`= Kotlin Configuration`
Polish kotlin.adoc Issue gh-14384 2023-12-29 10:55:42 -06:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`Spring Security Kotlin configuration has been available since Spring Security 5.3.`
			`It lets users configure Spring Security by using a native Kotlin DSL.`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
Further changes based on feedback Mostly restoring the formatting of admonitions. 2021-06-04 14:12:59 -05:00			`[NOTE]`
			`====`
			`Spring Security provides https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/kotlin/hello-security[a sample application] to demonstrate the use of Spring Security Kotlin Configuration.`
			`====`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
			`[[kotlin-config-httpsecurity]]`
			`== HttpSecurity`

			`How does Spring Security know that we want to require all users to be authenticated?`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`How does Spring Security know we want to support form-based authentication?`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			There is a configuration class (called `SecurityFilterChain`) that is being invoked behind the scenes.
			`It is configured with the following default implementation:`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
			`[source,kotlin]`
			`----`
Clarify that Kotlin DSL needs an import Closes gh-13092 2023-04-26 15:56:47 -03:00			`import org.springframework.security.config.annotation.web.invoke`

Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`@Bean`
			`open fun filterChain(http: HttpSecurity): SecurityFilterChain {`
Polish kotlin.adoc Issue gh-14384 2023-12-29 10:55:42 -06:00			`http {`
Updated the Configuration examples in docs Closes gh-14384 2023-12-29 19:40:16 +05:30			`authorizeHttpRequests {`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`authorize(anyRequest, authenticated)`
			`}`
Polish kotlin.adoc Issue gh-14384 2023-12-29 10:55:42 -06:00			`formLogin { }`
			`httpBasic { }`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`return http.build()`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
			`----`

Clarify that Kotlin DSL needs an import Closes gh-13092 2023-04-26 15:56:47 -03:00			`[NOTE]`
Clarify Package Import Provide more explict instructions regarding the necessary import to make the Kotlin DSL work. For some reason it took me 10 minutes to figure this out based on the existing doc. 2024-04-26 09:56:59 -05:00			Make sure to import the `org.springframework.security.config.annotation.web.invoke` function to enable the Kotlin DSL in your class, as the IDE will not always auto-import the method, causing compilation issues.
Clarify that Kotlin DSL needs an import Closes gh-13092 2023-04-26 15:56:47 -03:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`The default configuration (shown in the preceding listing):`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
			`* Ensures that any request to our application requires the user to be authenticated`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`* Lets users authenticate with form-based login`
			`* Lets users authenticate with HTTP Basic authentication`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
Polish kotlin.adoc Issue gh-14384 2023-12-29 10:55:42 -06:00			`Note that this configuration parallels the XML namespace configuration:`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
			`[source,xml]`
			`----`
			`<http>`
			`<intercept-url pattern="/**" access="authenticated"/>`
			`<form-login />`
			`<http-basic />`
			`</http>`
			`----`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`== Multiple HttpSecurity Instances`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
Fix formatting in reference docs 2022-03-24 15:13:50 +01:00			We can configure multiple `HttpSecurity` instances, just as we can have multiple `<http>` blocks.
			The key is to register multiple `SecurityFilterChain` ``@Bean``s.
Polish kotlin.adoc Issue gh-14384 2023-12-29 10:55:42 -06:00			The following example has a different configuration for URLs that start with `/api/`:
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00
Accounted for feedback Incorporated suggested changes from a review. 2021-06-02 11:49:49 -05:00			`[source,kotlin]`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`----`
Clarify that Kotlin DSL needs an import Closes gh-13092 2023-04-26 15:56:47 -03:00			`import org.springframework.security.config.annotation.web.invoke`

Polish kotlin.adoc Issue gh-14384 2023-12-29 10:55:42 -06:00			`@Configuration`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`@EnableWebSecurity`
			`class MultiHttpSecurityConfig {`
			`@Bean <1>`
			`public fun userDetailsService(): UserDetailsService {`
			`val users: User.UserBuilder = User.withDefaultPasswordEncoder()`
			`val manager = InMemoryUserDetailsManager()`
			`manager.createUser(users.username("user").password("password").roles("USER").build())`
			`manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build())`
			`return manager`
			`}`

			`@Order(1) <2>`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`@Bean`
			`open fun apiFilterChain(http: HttpSecurity): SecurityFilterChain {`
			`http {`
			`securityMatcher("/api/**") <3>`
Updated the Configuration examples in docs Closes gh-14384 2023-12-29 19:40:16 +05:30			`authorizeHttpRequests {`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`authorize(anyRequest, hasRole("ADMIN"))`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`httpBasic { }`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`return http.build()`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`

Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`@Bean <4>`
			`open fun formLoginFilterChain(http: HttpSecurity): SecurityFilterChain {`
			`http {`
Updated the Configuration examples in docs Closes gh-14384 2023-12-29 19:40:16 +05:30			`authorizeHttpRequests {`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`authorize(anyRequest, authenticated)`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`formLogin { }`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`return http.build()`
Add Kotlin Configuration section to docs 2020-03-02 15:06:09 -05:00			`}`
			`}`
			`----`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`<1> Configure Authentication as usual.`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			<2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
Polish kotlin.adoc Issue gh-14384 2023-12-29 10:55:42 -06:00			<3> The `http.securityMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			<4> Create another instance of `SecurityFilterChain`.
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			If the URL does not start with `/api/`, this configuration is used.
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).