Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch '6.1.x' 

Closes gh-13727
This commit is contained in:
Josh Cummings 2023-08-20 23:34:32 -06:00
parent fe5a55fc13 bcfa4adc44
commit 40929a53ea
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
1 changed files with 66 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
View File

@ -52,6 +52,7 @@ In many cases, your authorization rules will be more sophisticated than that, so
* I have an app that uses `authorizeRequests` and I want to <<migrate-authorize-requests,migrate it to `authorizeHttpRequests`>> * I have an app that uses `authorizeRequests` and I want to <<migrate-authorize-requests,migrate it to `authorizeHttpRequests`>>
* I want to <<request-authorization-architecture,understand how the `AuthorizationFilter` components work>> * I want to <<request-authorization-architecture,understand how the `AuthorizationFilter` components work>>
* I want to <<match-requests, match requests>> based on a pattern; specifically <<match-by-regex,regex>> * I want to <<match-requests, match requests>> based on a pattern; specifically <<match-by-regex,regex>>
* I want to match request, and I map Spring MVC to <<mvc-not-default-servlet, something other than the default servlet>>
* I want to <<authorize-requests, authorize requests>> * I want to <<authorize-requests, authorize requests>>
* I want to <<match-by-custom, match a request programmatically>> * I want to <<match-by-custom, match a request programmatically>>
* I want to <<authorize-requests, authorize a request programmatically>> * I want to <<authorize-requests, authorize a request programmatically>>
@ -570,6 +571,71 @@ http {
---- ----
==== ====
[[match-by-mvc]]
=== Using an MvcRequestMatcher
Generally speaking, you can use `requestMatchers(String)` as demonstrated above.
However, if you map Spring MVC to a different servlet path, then you need to account for that in your security configuration.
For example, if Spring MVC is mapped to `/spring-mvc` instead of `/` (the default), then you may have an endpoint like `/spring-mvc/my/controller` that you want to authorize.
You need to use `MvcRequestMatcher` to split the servlet path and the controller path in your configuration like so:
.Match by MvcRequestMatcher
====
.Java
[source,java,role="primary"]
----
@Bean
MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
return new MvcRequestMatcher.Builder(introspector).servletPath("/spring-mvc");
}
@Bean
SecurityFilterChain appEndpoints(HttpSecurity http, MvcRequestMatcher.Builder mvc) {
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers(mvc.pattern("/my/controller/**")).hasAuthority("controller")
.anyRequest().authenticated()
);
return http.build();
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun mvc(introspector: HandlerMappingIntrospector): MvcRequestMatcher.Builder =
MvcRequestMatcher.Builder(introspector).servletPath("/spring-mvc");
@Bean
fun appEndpoints(http: HttpSecurity, mvc: MvcRequestMatcher.Builder): SecurityFilterChain =
http {
authorizeHttpRequests {
authorize(mvc.pattern("/my/controller/**"), hasAuthority("controller"))
authorize(anyRequest, authenticated)
}
}
----
.Xml
[source,xml,role="secondary"]
----
<http>
<intercept-url servlet-path="/spring-mvc" pattern="/my/controller/**" access="hasAuthority('controller')"/>
<intercept-url pattern="/**" access="authenticated"/>
</http>
----
====
This need can arise in at least two different ways:
* If you use the `spring.mvc.servlet.path` Boot property to change the default path (`/`) to something else
* If you register more than one Spring MVC `DispatcherServlet` (thus requiring that one of them not be the default path)
[[match-by-custom]] [[match-by-custom]]
=== Using a Custom Matcher === Using a Custom Matcher