Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs

Closes gh-10003
Eleftheria Stein 2022-02-08 16:12:10 +01:00
parent 84616543a3
commit 4142f06259
22 changed files with 622 additions and 444 deletions


@ -6,7 +6,7 @@ This section covers how to customize the handling of logouts.
[[logout-java-configuration]] [[logout-java-configuration]]
== Logout Java/Kotlin Configuration == Logout Java/Kotlin Configuration
When using the `{security-api-url}org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html[WebSecurityConfigurerAdapter]`, logout capabilities are automatically applied. When using the `{security-api-url}org/springframework/security/config/annotation/web/builders/HttpSecurity.html[HttpSecurity]` bean, logout capabilities are automatically applied.
The default is that accessing the URL `/logout` logs the user out by: The default is that accessing the URL `/logout` logs the user out by:
- Invalidating the HTTP Session - Invalidating the HTTP Session
@ -21,7 +21,7 @@ Similar to configuring login capabilities, however, you also have various option
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) {
http http
.logout(logout -> logout // <1> .logout(logout -> logout // <1>
.logoutUrl("/my/logout") // <2> .logoutUrl("/my/logout") // <2>
@ -38,7 +38,7 @@ protected void configure(HttpSecurity http) throws Exception {
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
----- -----
override fun configure(http: HttpSecurity) { open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
logout { logout {
logoutUrl = "/my/logout" // <1> logoutUrl = "/my/logout" // <1>
@ -49,12 +49,12 @@ override fun configure(http: HttpSecurity) {
deleteCookies(cookieNamesToClear) // <6> deleteCookies(cookieNamesToClear) // <6>
} }
} }
// ...
} }
----- -----
==== ====
<1> Provides logout support. <1> Provides logout support.
This is automatically applied when using `WebSecurityConfigurerAdapter`.
<2> The URL that triggers log out to occur (the default is `/logout`). <2> The URL that triggers log out to occur (the default is `/logout`).
If CSRF protection is enabled (the default), the request must also be a POST. If CSRF protection is enabled (the default), the request must also be a POST.
For more information, see {security-api-url}org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.html#logoutUrl-java.lang.String-[`logoutUrl(java.lang.String logoutUrl)`]. For more information, see {security-api-url}org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.html#logoutUrl-java.lang.String-[`logoutUrl(java.lang.String logoutUrl)`].
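Review bot: The Kotlin sample's new signature `open fun filterChain(http: HttpSecurity): SecurityFilterChain {` declares a return type, but the hunk at -49,12 closes the function without a `return http.build()` line, unlike the other Kotlin samples in this commit (the httpBasic and authorize-requests ones), and there is no `@Bean` above it. The Java sample's new signature `public SecurityFilterChain filterChain(HttpSecurity http) {` likewise has no `@Bean` on the preceding line; its closing brace is outside the hunk, so whether it returns the built chain is not visible here. I would add `@Bean` above both signatures and `return http.build()` before each closing brace so the snippet matches what the new intro sentence describes. The callout note `This is automatically applied when using \`WebSecurityConfigurerAdapter\`.` appears on only one side of the hunk; if it survives on the new side it is stale and should be dropped or reworded to name the `HttpSecurity` bean.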


@ -64,10 +64,12 @@ The following example shows a minimal, explicit configuration:
[source,java,role="primary"] [source,java,role="primary"]
.Java .Java
---- ----
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http http
// ... // ...
.httpBasic(withDefaults()); .httpBasic(withDefaults());
return http.build();
} }
---- ----
@ -83,11 +85,13 @@ protected void configure(HttpSecurity http) {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
.Kotlin .Kotlin
---- ----
fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
httpBasic { } httpBasic { }
} }
return http.build()
} }
---- ----
==== ====


@ -1,4 +1,4 @@
[[servlet-authentication-digest]] **[[**servlet-authentication-digest]]
= Digest Authentication = Digest Authentication
This section provides details on how Spring Security provides support for https://tools.ietf.org/html/rfc2617[Digest Authentication], which is provided `DigestAuthenticationFilter`. This section provides details on how Spring Security provides support for https://tools.ietf.org/html/rfc2617[Digest Authentication], which is provided `DigestAuthenticationFilter`.
@ -58,11 +58,13 @@ DigestAuthenticationFilter digestAuthenticationFilter() {
result.setAuthenticationEntryPoint(entryPoint()); result.setAuthenticationEntryPoint(entryPoint());
} }
protected void configure(HttpSecurity http) throws Exception { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint())) .exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint()))
.addFilterBefore(digestFilter()); .addFilterBefore(digestFilter());
return http.build();
} }
---- ----


@ -71,10 +71,10 @@ The following example shows a minimal, explicit Java configuration:
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
protected void configure(HttpSecurity http) { public SecurityFilterChain filterChain(HttpSecurity http) {
http http
// ...
.formLogin(withDefaults()); .formLogin(withDefaults());
// ...
} }
---- ----
@ -90,11 +90,11 @@ protected void configure(HttpSecurity http) {
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
fun configure(http: HttpSecurity) { open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ...
formLogin { } formLogin { }
} }
// ...
} }
---- ----
==== ====
@ -110,13 +110,13 @@ The following configuration demonstrates how to provide a custom login form.
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) {
http http
// ...
.formLogin(form -> form .formLogin(form -> form
.loginPage("/login") .loginPage("/login")
.permitAll() .permitAll()
); );
// ...
} }
---- ----
@ -133,14 +133,14 @@ protected void configure(HttpSecurity http) throws Exception {
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
fun configure(http: HttpSecurity) { open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ...
formLogin { formLogin {
loginPage = "/login" loginPage = "/login"
permitAll() permitAll()
} }
} }
// ...
} }
---- ----
==== ====
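Review bot: All four form-login samples in this section now declare `SecurityFilterChain` as the return type but still close without returning anything: the Java method opened by `public SecurityFilterChain filterChain(HttpSecurity http) {` ends at `}` with only a `// ...` line after the `.formLogin(...)` call, and the Kotlin `open fun filterChain(http: HttpSecurity): SecurityFilterChain {` ends the same way, in both the minimal and the custom-login-page variants. None of the four carries `@Bean`, so a reader copying the "minimal, explicit configuration" would get code that neither compiles nor registers a filter chain. I would add `@Bean` above each signature and `return http.build();` (Kotlin: `return http.build()`) before each closing brace, as the httpBasic and session-management samples in this same commit already do.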


@ -11,12 +11,13 @@ To do so, configure the `session-management` element:
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@Override @Bean
protected void configure(HttpSecurity http) throws Exception{ public SecurityFilterChain filterChain(HttpSecurity http) {
http http
.sessionManagement(session -> session .sessionManagement(session -> session
.invalidSessionUrl("/invalidSession.htm") .invalidSessionUrl("/invalidSession.htm")
); );
return http.build();
} }
---- ----
@ -38,12 +39,13 @@ You may be able to explicitly delete the `JSESSIONID` cookie on logging out -- f
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@Override @Bean
protected void configure(HttpSecurity http) throws Exception{ public SecurityFilterChain filterChain(HttpSecurity http) {
http http
.logout(logout -> logout .logout(logout -> logout
.deleteCookies("JSESSIONID") .deleteCookies("JSESSIONID")
); );
return http.build();
} }
---- ----
@ -107,12 +109,13 @@ Then add the following lines to your application context:
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) {
http http
.sessionManagement(session -> session .sessionManagement(session -> session
.maximumSessions(1) .maximumSessions(1)
); );
return http.build();
} }
---- ----
@ -135,13 +138,14 @@ Often, you would prefer to prevent a second login. In that case, you can use:
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) {
http http
.sessionManagement(session -> session .sessionManagement(session -> session
.maximumSessions(1) .maximumSessions(1)
.maxSessionsPreventsLogin(true) .maxSessionsPreventsLogin(true)
); );
return http.build();
} }
---- ----


@ -37,12 +37,14 @@ The following listing shows the explicit configuration:
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
protected void configure(HttpSecurity http) throws Exception { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.authorizeRequests(authorize -> authorize .authorizeRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
); );
return http.build();
} }
---- ----
@ -58,13 +60,15 @@ protected void configure(HttpSecurity http) throws Exception {
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
} }
} }
return http.build()
} }
---- ----
==== ====
@ -76,7 +80,8 @@ We can configure Spring Security to have different rules by adding more rules in
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
protected void configure(HttpSecurity http) throws Exception { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.authorizeRequests(authorize -> authorize // <1> .authorizeRequests(authorize -> authorize // <1>
@ -85,6 +90,7 @@ protected void configure(HttpSecurity http) throws Exception {
.mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4> .mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4>
.anyRequest().denyAll() // <5> .anyRequest().denyAll() // <5>
); );
return http.build();
} }
---- ----
@ -107,7 +113,8 @@ protected void configure(HttpSecurity http) throws Exception {
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { // <1> authorizeRequests { // <1>
authorize("/resources/**", permitAll) // <2> authorize("/resources/**", permitAll) // <2>
@ -119,6 +126,7 @@ fun configure(http: HttpSecurity) {
authorize(anyRequest, denyAll) // <5> authorize(anyRequest, denyAll) // <5>
} }
} }
return http.build()
} }
---- ----
<1> There are multiple authorization rules specified. <1> There are multiple authorization rules specified.


@ -144,19 +144,21 @@ public class MvcWebApplicationInitializer extends
Thus far, our <<jc-hello-wsca,`WebSecurityConfig`>> contains only information about how to authenticate our users. Thus far, our <<jc-hello-wsca,`WebSecurityConfig`>> contains only information about how to authenticate our users.
How does Spring Security know that we want to require all users to be authenticated? How does Spring Security know that we want to require all users to be authenticated?
How does Spring Security know we want to support form-based authentication? How does Spring Security know we want to support form-based authentication?
Actually, there is a configuration class (called `WebSecurityConfigurerAdapter`) that is being invoked behind the scenes. Actually, there is a configuration class (called `SecurityFilterChain`) that is being invoked behind the scenes.
It has a method called `configure` with the following default implementation: It is configured with the following default implementation:
==== ====
[source,java] [source,java]
---- ----
protected void configure(HttpSecurity http) throws Exception { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeRequests(authorize -> authorize .authorizeRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.formLogin(withDefaults()) .formLogin(withDefaults())
.httpBasic(withDefaults()); .httpBasic(withDefaults());
return http.build();
} }
---- ----
==== ====
@ -183,7 +185,7 @@ Note that this configuration is parallels the XML Namespace configuration:
== Multiple HttpSecurity Instances == Multiple HttpSecurity Instances
We can configure multiple `HttpSecurity` instances just as we can have multiple `<http>` blocks in XML. We can configure multiple `HttpSecurity` instances just as we can have multiple `<http>` blocks in XML.
The key is to extend the `WebSecurityConfigurerAdapter` multiple times. The key is to register multiple `SecurityFilterChain` `@Bean`s.
The following example has a different configuration for URL's that start with `/api/`. The following example has a different configuration for URL's that start with `/api/`.
==== ====
@ -201,39 +203,35 @@ public class MultiHttpSecurityConfig {
return manager; return manager;
} }
@Configuration @Bean
@Order(1) <2> @Order(1) <2>
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
protected void configure(HttpSecurity http) throws Exception {
http http
.antMatcher("/api/**") <3> .antMatcher("/api/**") <3>
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().hasRole("ADMIN") .anyRequest().hasRole("ADMIN")
) )
.httpBasic(withDefaults()); .httpBasic(withDefaults());
} return http.build();
} }
@Configuration <4> @Bean <4>
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { public SecurityFilterChain formLoginFilterChain(HttpSecurity http) throws Exception {
@Override
protected void configure(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.formLogin(withDefaults()); .formLogin(withDefaults());
} return http.build();
} }
} }
---- ----
<1> Configure Authentication as usual. <1> Configure Authentication as usual.
<2> Create an instance of `WebSecurityConfigurerAdapter` that contains `@Order` to specify which `WebSecurityConfigurerAdapter` should be considered first. <2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`. <3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`.
<4> Create another instance of `WebSecurityConfigurerAdapter`. <4> Create another instance of `SecurityFilterChain`.
If the URL does not start with `/api/`, this configuration is used. If the URL does not start with `/api/`, this configuration is used.
This configuration is considered after `ApiWebSecurityConfigurationAdapter`, since it has an `@Order` value after `1` (no `@Order` defaults to last). This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).
==== ====
[[jc-custom-dsls]] [[jc-custom-dsls]]
@ -287,14 +285,15 @@ You can then use the custom DSL:
[source,java] [source,java]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class Config extends WebSecurityConfigurerAdapter { public class Config {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.apply(customDsl()) .apply(customDsl())
.flag(true) .flag(true)
.and() .and()
...; ...;
return http.build();
} }
} }
---- ----
@ -306,7 +305,7 @@ The code is invoked in the following order:
* Code in the `MyCustomDsl.init` method is invoked * Code in the `MyCustomDsl.init` method is invoked
* Code in the `MyCustomDsl.configure` method is invoked * Code in the `MyCustomDsl.configure` method is invoked
If you want, you can have `WebSecurityConfigurerAdapter` add `MyCustomDsl` by default by using `SpringFactories`. If you want, you can have `HttpSecurity` add `MyCustomDsl` by default by using `SpringFactories`.
For example, you can create a resource on the classpath named `META-INF/spring.factories` with the following contents: For example, you can create a resource on the classpath named `META-INF/spring.factories` with the following contents:
.META-INF/spring.factories .META-INF/spring.factories
@ -323,12 +322,13 @@ You can also explicit disable the default:
[source,java] [source,java]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class Config extends WebSecurityConfigurerAdapter { public class Config {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.apply(customDsl()).disable() .apply(customDsl()).disable()
...; ...;
return http.build();
} }
} }
---- ----
@ -348,8 +348,8 @@ For example, to configure the `filterSecurityPublishAuthorizationSuccess` proper
==== ====
[source,java] [source,java]
---- ----
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeRequests(authorize -> authorize .authorizeRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
@ -361,6 +361,7 @@ protected void configure(HttpSecurity http) throws Exception {
} }
}) })
); );
return http.build();
} }
---- ----
==== ====
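Review bot: The new sentence `Actually, there is a configuration class (called \`SecurityFilterChain\`) that is being invoked behind the scenes.` is inaccurate after this change: `SecurityFilterChain` is the type of the bean that the `filterChain` method returns, not a configuration class, and the next sentence `It is configured with the following default implementation:` leaves "it" without a clear referent. Wording such as `Actually, Spring Security registers a default \`SecurityFilterChain\` bean behind the scenes, equivalent to the following configuration:` states the same point correctly and leads naturally into the `@Bean` sample below. The identical pair of sentences is introduced in the Kotlin configuration section later in this commit (the one opening `There is a configuration class (called \`SecurityFilterChain\`)`) and should get the same fix.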


@ -14,13 +14,14 @@ Spring Security provides https://github.com/spring-projects/spring-security-samp
How does Spring Security know that we want to require all users to be authenticated? How does Spring Security know that we want to require all users to be authenticated?
How does Spring Security know we want to support form-based authentication? How does Spring Security know we want to support form-based authentication?
There is a configuration class (called `WebSecurityConfigurerAdapter`) that is being invoked behind the scenes. There is a configuration class (called `SecurityFilterChain`) that is being invoked behind the scenes.
It has a method called `configure` with the following default implementation: It is configured with the following default implementation:
==== ====
[source,kotlin] [source,kotlin]
---- ----
fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
@ -28,6 +29,7 @@ fun configure(http: HttpSecurity) {
formLogin { } formLogin { }
httpBasic { } httpBasic { }
} }
return http.build()
} }
---- ----
==== ====
@ -54,7 +56,7 @@ Note that this configuration is parallels the XML namespace configuration:
== Multiple HttpSecurity Instances == Multiple HttpSecurity Instances
We can configure multiple HttpSecurity instances, just as we can have multiple `<http>` blocks. We can configure multiple HttpSecurity instances, just as we can have multiple `<http>` blocks.
The key is to extend the `WebSecurityConfigurerAdapter` multiple times. The key is to register multiple `SecurityFilterChain` `@Bean`s.
The following example has a different configuration for URL's that start with `/api/`: The following example has a different configuration for URL's that start with `/api/`:
==== ====
@ -71,10 +73,9 @@ class MultiHttpSecurityConfig {
return manager return manager
} }
@Configuration
@Order(1) <2> @Order(1) <2>
class ApiWebSecurityConfigurationAdapter: WebSecurityConfigurerAdapter() { @Bean
override fun configure(http: HttpSecurity) { open fun apiFilterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
securityMatcher("/api/**") <3> securityMatcher("/api/**") <3>
authorizeRequests { authorizeRequests {
@ -82,27 +83,26 @@ class MultiHttpSecurityConfig {
} }
httpBasic { } httpBasic { }
} }
} return http.build()
} }
@Configuration <4> @Bean <4>
class FormLoginWebSecurityConfigurerAdapter: WebSecurityConfigurerAdapter() { open fun formLoginFilterChain(http: HttpSecurity): SecurityFilterChain {
override fun configure(http: HttpSecurity) {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
} }
formLogin { } formLogin { }
} }
} return http.build()
} }
} }
---- ----
<1> Configure Authentication as usual. <1> Configure Authentication as usual.
<2> Create an instance of `WebSecurityConfigurerAdapter` that contains `@Order` to specify which `WebSecurityConfigurerAdapter` should be considered first. <2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/` <3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
<4> Create another instance of `WebSecurityConfigurerAdapter`. <4> Create another instance of `SecurityFilterChain`.
If the URL does not start with `/api/`, this configuration is used. If the URL does not start with `/api/`, this configuration is used.
This configuration is considered after `ApiWebSecurityConfigurationAdapter`, since it has an `@Order` value after `1` (no `@Order` defaults to last). This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).
==== ====


@ -65,15 +65,15 @@ You can configure `CookieCsrfTokenRepository` in Java or Kotlin configuration by
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.csrf(csrf -> csrf .csrf(csrf -> csrf
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
); );
return http.build();
} }
} }
---- ----
@ -82,14 +82,16 @@ public class WebSecurityConfig extends
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
csrf { csrf {
csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse() csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse()
} }
} }
return http.build()
} }
} }
---- ----
@ -129,13 +131,13 @@ The following Java or Kotlin configuration disables CSRF protection:
---- ----
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.csrf(csrf -> csrf.disable()); .csrf(csrf -> csrf.disable());
return http.build();
} }
} }
---- ----
@ -145,14 +147,16 @@ public class WebSecurityConfig extends
---- ----
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
csrf { csrf {
disable() disable()
} }
} }
return http.build()
} }
} }
---- ----
@ -329,15 +333,15 @@ For example, the following Java Configuration logs out when the `/logout` URL is
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.logout(logout -> logout .logout(logout -> logout
.logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
); );
return http.build();
} }
} }
---- ----
@ -346,14 +350,16 @@ public class WebSecurityConfig extends
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
logout { logout {
logoutRequestMatcher = AntPathRequestMatcher("/logout") logoutRequestMatcher = AntPathRequestMatcher("/logout")
} }
} }
return http.build()
} }
} }
---- ----


@ -21,11 +21,10 @@ You can do so with the following configuration:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -33,6 +32,7 @@ public class WebSecurityConfig extends
.sameOrigin() .sameOrigin()
) )
); );
return http.build();
} }
} }
---- ----
@ -53,8 +53,9 @@ public class WebSecurityConfig extends
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
@ -63,6 +64,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -79,11 +81,10 @@ If you use Spring Security's configuration, the following adds only xref:feature
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -91,6 +92,7 @@ WebSecurityConfigurerAdapter {
.defaultsDisabled() .defaultsDisabled()
.cacheControl(withDefaults()) .cacheControl(withDefaults())
); );
return http.build();
} }
} }
---- ----
@ -111,8 +113,9 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
@ -122,6 +125,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -135,14 +139,14 @@ If necessary, you can disable all of the HTTP Security response headers with the
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers.disable()); .headers(headers -> headers.disable());
return http.build();
} }
} }
---- ----
@ -161,14 +165,16 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
disable() disable()
} }
} }
return http.build()
} }
} }
---- ----
@ -194,16 +200,16 @@ If necessary, you can also disable Spring Security's cache control HTTP response
---- ----
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
.cacheControl(cache -> cache.disable()) .cacheControl(cache -> cache.disable())
); );
return http.build();
} }
} }
---- ----
@ -224,9 +230,10 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
headers { headers {
cacheControl { cacheControl {
@ -234,6 +241,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -252,16 +260,16 @@ However, you can disable it:
---- ----
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
.contentTypeOptions(contentTypeOptions -> contentTypeOptions.disable()) .contentTypeOptions(contentTypeOptions -> contentTypeOptions.disable())
); );
return http.build();
} }
} }
---- ----
@ -282,9 +290,10 @@ public class WebSecurityConfig extends
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
headers { headers {
contentTypeOptions { contentTypeOptions {
@ -292,6 +301,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -310,11 +320,10 @@ The following example explicitly provides HSTS:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -324,6 +333,7 @@ WebSecurityConfigurerAdapter {
.maxAgeInSeconds(31536000) .maxAgeInSeconds(31536000)
) )
); );
return http.build();
} }
} }
---- ----
@ -347,9 +357,10 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
headers { headers {
httpStrictTransportSecurity { httpStrictTransportSecurity {
@ -359,6 +370,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -376,11 +388,10 @@ You can enable HPKP headers with the following configuration:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -390,6 +401,7 @@ WebSecurityConfigurerAdapter {
.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=") .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=")
) )
); );
return http.build();
} }
} }
---- ----
@ -416,9 +428,10 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
headers { headers {
httpPublicKeyPinning { httpPublicKeyPinning {
@ -429,6 +442,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -447,11 +461,10 @@ For example, the following configuration specifies that Spring Security should n
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -459,6 +472,7 @@ WebSecurityConfigurerAdapter {
.sameOrigin() .sameOrigin()
) )
); );
return http.build();
} }
} }
---- ----
@ -481,9 +495,10 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
headers { headers {
frameOptions { frameOptions {
@ -491,6 +506,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -509,11 +525,10 @@ For example, the following configuration specifies that Spring Security should n
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -521,6 +536,7 @@ WebSecurityConfigurerAdapter {
.block(false) .block(false)
) )
); );
return http.build();
} }
} }
---- ----
@ -541,9 +557,10 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
// ... // ...
http { http {
headers { headers {
@ -552,6 +569,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -581,11 +599,10 @@ Given the preceding security policy, you can enable the CSP header:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -593,6 +610,7 @@ WebSecurityConfigurerAdapter {
.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
) )
); );
return http.build();
} }
} }
---- ----
@ -614,9 +632,10 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
@ -625,6 +644,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -638,11 +658,10 @@ To enable the CSP `report-only` header, provide the following configuration:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -651,6 +670,7 @@ public class WebSecurityConfig extends
.reportOnly() .reportOnly()
) )
); );
return http.build();
} }
} }
---- ----
@ -673,9 +693,10 @@ public class WebSecurityConfig extends
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
@ -685,6 +706,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -702,11 +724,10 @@ You can enable the Referrer Policy header by using the configuration:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -714,6 +735,7 @@ WebSecurityConfigurerAdapter {
.policy(ReferrerPolicy.SAME_ORIGIN) .policy(ReferrerPolicy.SAME_ORIGIN)
) )
); );
return http.build();
} }
} }
---- ----
@ -734,9 +756,10 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
@ -745,6 +768,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -772,16 +796,16 @@ You can enable the preceding feature policy header by using the following config
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
.featurePolicy("geolocation 'self'") .featurePolicy("geolocation 'self'")
); );
return http.build();
} }
} }
---- ----
@ -802,15 +826,17 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
featurePolicy("geolocation 'self'") featurePolicy("geolocation 'self'")
} }
} }
return http.build()
} }
} }
---- ----
@ -838,11 +864,10 @@ You can enable the preceding permissions policy header using the following confi
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -850,6 +875,7 @@ WebSecurityConfigurerAdapter {
.policy("geolocation=(self)") .policy("geolocation=(self)")
) )
); );
return http.build();
} }
} }
---- ----
@ -870,9 +896,10 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
@ -881,6 +908,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -907,16 +935,16 @@ You can send the preceding header on log out with the following configuration:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.logout((logout) -> logout .logout((logout) -> logout
.addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(CACHE, COOKIES))) .addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(CACHE, COOKIES)))
); );
return http.build();
} }
} }
---- ----
@ -925,15 +953,17 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
logout { logout {
addLogoutHandler(HeaderWriterLogoutHandler(ClearSiteDataHeaderWriter(CACHE, COOKIES))) addLogoutHandler(HeaderWriterLogoutHandler(ClearSiteDataHeaderWriter(CACHE, COOKIES)))
} }
} }
return http.build()
} }
} }
---- ----
@ -962,16 +992,16 @@ Given the preceding header, you could add the headers to the response by using t
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
.addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value")) .addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value"))
); );
return http.build();
} }
} }
---- ----
@ -992,15 +1022,17 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
addHeaderWriter(StaticHeadersWriter("X-Custom-Security-Header","header-value")) addHeaderWriter(StaticHeadersWriter("X-Custom-Security-Header","header-value"))
} }
} }
return http.build()
} }
} }
---- ----
@ -1019,16 +1051,16 @@ If you wanted to explicitly configure <<servlet-headers-frame-options>>, you cou
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)) .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
); );
return http.build();
} }
} }
---- ----
@ -1055,15 +1087,17 @@ See https://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsi
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
addHeaderWriter(XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)) addHeaderWriter(XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
} }
} }
return http.build()
} }
} }
---- ----
@ -1084,11 +1118,10 @@ The following configuration example uses `DelegatingRequestMatcherHeaderWriter`:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
RequestMatcher matcher = new AntPathRequestMatcher("/login"); RequestMatcher matcher = new AntPathRequestMatcher("/login");
DelegatingRequestMatcherHeaderWriter headerWriter = DelegatingRequestMatcherHeaderWriter headerWriter =
new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter()); new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter());
@ -1098,6 +1131,7 @@ WebSecurityConfigurerAdapter {
.frameOptions(frameOptions -> frameOptions.disable()) .frameOptions(frameOptions -> frameOptions.disable())
.addHeaderWriter(headerWriter) .addHeaderWriter(headerWriter)
); );
return http.build();
} }
} }
---- ----
@ -1131,9 +1165,10 @@ WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
val matcher: RequestMatcher = AntPathRequestMatcher("/login") val matcher: RequestMatcher = AntPathRequestMatcher("/login")
val headerWriter = DelegatingRequestMatcherHeaderWriter(matcher, XFrameOptionsHeaderWriter()) val headerWriter = DelegatingRequestMatcherHeaderWriter(matcher, XFrameOptionsHeaderWriter())
http { http {
@ -1144,6 +1179,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
addHeaderWriter(headerWriter) addHeaderWriter(headerWriter)
} }
} }
return http.build()
} }
} }
---- ----


@ -19,16 +19,16 @@ For example, the following Java or Kotlin configuration redirects any HTTP reque
---- ----
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.requiresChannel(channel -> channel .requiresChannel(channel -> channel
.anyRequest().requiresSecure() .anyRequest().requiresSecure()
); );
return http.build();
} }
} }
---- ----
@ -38,15 +38,17 @@ public class WebSecurityConfig extends
---- ----
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
requiresChannel { requiresChannel {
secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL") secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
} }
} }
return http.build()
} }
} }
---- ----


@ -13,14 +13,15 @@ Users can integrate the `CorsFilter` with Spring Security by providing a `CorsCo
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { public class WebSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// by default uses a Bean by the name of corsConfigurationSource // by default uses a Bean by the name of corsConfigurationSource
.cors(withDefaults()) .cors(withDefaults())
... ...
return http.build();
} }
@Bean @Bean
@ -39,13 +40,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
open class WebSecurityConfig : WebSecurityConfigurerAdapter() { open class WebSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// by default uses a Bean by the name of corsConfigurationSource // by default uses a Bean by the name of corsConfigurationSource
cors { } cors { }
// ... // ...
} }
return http.build()
} }
@Bean @Bean
@ -83,15 +86,16 @@ If you use Spring MVC's CORS support, you can omit specifying the `CorsConfigura
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { public class WebSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// if Spring MVC is on classpath and no CorsConfigurationSource is provided, // if Spring MVC is on classpath and no CorsConfigurationSource is provided,
// Spring Security will use CORS configuration provided to Spring MVC // Spring Security will use CORS configuration provided to Spring MVC
.cors(withDefaults()) .cors(withDefaults())
... ...
return http.build();
} }
} }
---- ----
@ -100,14 +104,16 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
open class WebSecurityConfig : WebSecurityConfigurerAdapter() { open class WebSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// if Spring MVC is on classpath and no CorsConfigurationSource is provided, // if Spring MVC is on classpath and no CorsConfigurationSource is provided,
// Spring Security will use CORS configuration provided to Spring MVC // Spring Security will use CORS configuration provided to Spring MVC
cors { } cors { }
// ... // ...
} }
return http.build()
} }
} }
---- ----


@ -148,23 +148,27 @@ To restrict access to this controller method to admin users, you can provide aut
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
protected configure(HttpSecurity http) throws Exception { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.antMatchers("/admin").hasRole("ADMIN") .antMatchers("/admin").hasRole("ADMIN")
); );
return http.build();
} }
---- ----
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(AntPathRequestMatcher("/admin"), hasRole("ADMIN")) authorize(AntPathRequestMatcher("/admin"), hasRole("ADMIN"))
} }
} }
return http.build()
} }
---- ----
==== ====
@ -194,23 +198,27 @@ The following configuration protects the same URLs that Spring MVC matches on by
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
protected configure(HttpSecurity http) throws Exception { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.mvcMatchers("/admin").hasRole("ADMIN") .mvcMatchers("/admin").hasRole("ADMIN")
); );
// ...
} }
---- ----
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize("/admin", hasRole("ADMIN")) authorize("/admin", hasRole("ADMIN"))
} }
} }
// ...
} }
---- ----
==== ====


@ -379,11 +379,10 @@ Similarly, you can customize frame options to use the same origin within Java Co
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends public class WebSecurityConfig {
WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
// ... // ...
.headers(headers -> headers .headers(headers -> headers
@ -391,6 +390,7 @@ public class WebSecurityConfig extends
.sameOrigin() .sameOrigin()
) )
); );
return http.build();
} }
} }
---- ----
@ -399,8 +399,9 @@ public class WebSecurityConfig extends
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
open class WebSecurityConfig : WebSecurityConfigurerAdapter() { open class WebSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
// ... // ...
headers { headers {
@ -409,6 +410,7 @@ open class WebSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -437,11 +439,10 @@ For example, if our stomp endpoint is `/chat`, we can disable CSRF protection on
---- ----
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig public class WebSecurityConfig {
extends WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.csrf(csrf -> csrf .csrf(csrf -> csrf
// ignore our stomp endpoints since they are protected using Stomp headers // ignore our stomp endpoints since they are protected using Stomp headers
@ -466,8 +467,9 @@ public class WebSecurityConfig
---- ----
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
open class WebSecurityConfig : WebSecurityConfigurerAdapter() { open class WebSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
csrf { csrf {
ignoringAntMatchers("/chat/**") ignoringAntMatchers("/chat/**")


@ -130,13 +130,13 @@ The following example shows how to configure the `DefaultOAuth2AuthorizationRequ
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Autowired @Autowired
private ClientRegistrationRepository clientRegistrationRepository; private ClientRegistrationRepository clientRegistrationRepository;
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
@ -148,6 +148,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
) )
) )
); );
return http.build();
} }
private OAuth2AuthorizationRequestResolver authorizationRequestResolver( private OAuth2AuthorizationRequestResolver authorizationRequestResolver(
@ -173,12 +174,13 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() { class SecurityConfig {
@Autowired @Autowired
private lateinit var customClientRegistrationRepository: ClientRegistrationRepository private lateinit var customClientRegistrationRepository: ClientRegistrationRepository
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
@ -189,6 +191,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
private fun authorizationRequestResolver( private fun authorizationRequestResolver(
@ -283,10 +286,10 @@ If you have a custom implementation of `AuthorizationRequestRepository`, you can
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2ClientSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Client(oauth2 -> oauth2 .oauth2Client(oauth2 -> oauth2
.authorizationCodeGrant(codeGrant -> codeGrant .authorizationCodeGrant(codeGrant -> codeGrant
@ -294,6 +297,7 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
... ...
) )
); );
return http.build();
} }
} }
---- ----
@ -302,9 +306,10 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2ClientSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Client { oauth2Client {
authorizationCodeGrant { authorizationCodeGrant {
@ -312,6 +317,7 @@ class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -403,10 +409,10 @@ Whether you customize `DefaultAuthorizationCodeTokenResponseClient` or provide y
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2ClientSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Client(oauth2 -> oauth2 .oauth2Client(oauth2 -> oauth2
.authorizationCodeGrant(codeGrant -> codeGrant .authorizationCodeGrant(codeGrant -> codeGrant
@ -414,6 +420,7 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
... ...
) )
); );
return http.build();
} }
} }
---- ----
@ -422,9 +429,10 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2ClientSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Client { oauth2Client {
authorizationCodeGrant { authorizationCodeGrant {
@ -432,6 +440,7 @@ class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----


@ -30,10 +30,10 @@ The following code shows the complete configuration options provided by the `Htt
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2ClientSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Client(oauth2 -> oauth2 .oauth2Client(oauth2 -> oauth2
.clientRegistrationRepository(this.clientRegistrationRepository()) .clientRegistrationRepository(this.clientRegistrationRepository())
@ -45,6 +45,7 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
.accessTokenResponseClient(this.accessTokenResponseClient()) .accessTokenResponseClient(this.accessTokenResponseClient())
) )
); );
return http.build();
} }
} }
---- ----
@ -53,9 +54,10 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2ClientSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Client { oauth2Client {
clientRegistrationRepository = clientRegistrationRepository() clientRegistrationRepository = clientRegistrationRepository()
@ -68,6 +70,7 @@ class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----


@ -14,10 +14,10 @@ The following code shows an example:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Login(oauth2 -> oauth2 .oauth2Login(oauth2 -> oauth2
.authorizationEndpoint(authorization -> authorization .authorizationEndpoint(authorization -> authorization
@ -33,6 +33,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
... ...
) )
); );
return http.build();
} }
} }
---- ----
@ -41,9 +42,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Login { oauth2Login {
authorizationEndpoint { authorizationEndpoint {
@ -60,6 +62,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -92,10 +95,10 @@ The following code shows the complete configuration options available for the `o
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Login(oauth2 -> oauth2 .oauth2Login(oauth2 -> oauth2
.clientRegistrationRepository(this.clientRegistrationRepository()) .clientRegistrationRepository(this.clientRegistrationRepository())
@ -119,6 +122,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
.oidcUserService(this.oidcUserService()) .oidcUserService(this.oidcUserService())
) )
); );
return http.build();
} }
} }
---- ----
@ -127,9 +131,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Login { oauth2Login {
clientRegistrationRepository = clientRegistrationRepository() clientRegistrationRepository = clientRegistrationRepository()
@ -154,6 +159,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -230,10 +236,10 @@ The following listing shows an example:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Login(oauth2 -> oauth2 .oauth2Login(oauth2 -> oauth2
.loginPage("/login/oauth2") .loginPage("/login/oauth2")
@ -243,6 +249,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
... ...
) )
); );
return http.build();
} }
} }
---- ----
@ -251,9 +258,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Login { oauth2Login {
loginPage = "/login/oauth2" loginPage = "/login/oauth2"
@ -262,6 +270,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -318,10 +327,10 @@ If you would like to customize the Authorization Response `baseUri`, configure i
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Login(oauth2 -> oauth2 .oauth2Login(oauth2 -> oauth2
.redirectionEndpoint(redirection -> redirection .redirectionEndpoint(redirection -> redirection
@ -329,6 +338,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
... ...
) )
); );
return http.build();
} }
} }
---- ----
@ -337,9 +347,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Login { oauth2Login {
redirectionEndpoint { redirectionEndpoint {
@ -347,6 +358,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -427,10 +439,10 @@ Provide an implementation of `GrantedAuthoritiesMapper` and configure it, as fol
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Login(oauth2 -> oauth2 .oauth2Login(oauth2 -> oauth2
.userInfoEndpoint(userInfo -> userInfo .userInfoEndpoint(userInfo -> userInfo
@ -438,6 +450,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
... ...
) )
); );
return http.build();
} }
private GrantedAuthoritiesMapper userAuthoritiesMapper() { private GrantedAuthoritiesMapper userAuthoritiesMapper() {
@ -475,9 +488,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Login { oauth2Login {
userInfoEndpoint { userInfoEndpoint {
@ -485,6 +499,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
private fun userAuthoritiesMapper(): GrantedAuthoritiesMapper = GrantedAuthoritiesMapper { authorities: Collection<GrantedAuthority> -> private fun userAuthoritiesMapper(): GrantedAuthoritiesMapper = GrantedAuthoritiesMapper { authorities: Collection<GrantedAuthority> ->
@ -527,12 +542,13 @@ Alternatively, you can register a `GrantedAuthoritiesMapper` `@Bean` to have it
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Login(withDefaults()); .oauth2Login(withDefaults());
return http.build();
} }
@Bean @Bean
@ -546,12 +562,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Login { } oauth2Login { }
} }
return http.build()
} }
@Bean @Bean
@ -577,10 +595,10 @@ The following example shows how to implement and configure a delegation-based st
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Login(oauth2 -> oauth2 .oauth2Login(oauth2 -> oauth2
.userInfoEndpoint(userInfo -> userInfo .userInfoEndpoint(userInfo -> userInfo
@ -588,6 +606,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
... ...
) )
); );
return http.build();
} }
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() { private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
@ -617,9 +636,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Login { oauth2Login {
userInfoEndpoint { userInfoEndpoint {
@ -627,6 +647,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
@Bean @Bean
@ -700,10 +721,10 @@ Whether you customize `DefaultOAuth2UserService` or provide your own implementat
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Login(oauth2 -> oauth2 .oauth2Login(oauth2 -> oauth2
.userInfoEndpoint(userInfo -> userInfo .userInfoEndpoint(userInfo -> userInfo
@ -711,6 +732,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
... ...
) )
); );
return http.build();
} }
private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() { private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
@ -723,9 +745,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Login { oauth2Login {
userInfoEndpoint { userInfoEndpoint {
@ -734,6 +757,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
private fun oauth2UserService(): OAuth2UserService<OAuth2UserRequest, OAuth2User> { private fun oauth2UserService(): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
@ -760,10 +784,10 @@ Whether you customize `OidcUserService` or provide your own implementation of `O
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.oauth2Login(oauth2 -> oauth2 .oauth2Login(oauth2 -> oauth2
.userInfoEndpoint(userInfo -> userInfo .userInfoEndpoint(userInfo -> userInfo
@ -771,6 +795,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
... ...
) )
); );
return http.build();
} }
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() { private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
@ -783,9 +808,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
oauth2Login { oauth2Login {
userInfoEndpoint { userInfoEndpoint {
@ -794,6 +820,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
private fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> { private fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> {
@ -887,13 +914,13 @@ Also, you can configure `OidcClientInitiatedLogoutSuccessHandler`, which impleme
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Autowired @Autowired
private ClientRegistrationRepository clientRegistrationRepository; private ClientRegistrationRepository clientRegistrationRepository;
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
@ -902,6 +929,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
.logout(logout -> logout .logout(logout -> logout
.logoutSuccessHandler(oidcLogoutSuccessHandler()) .logoutSuccessHandler(oidcLogoutSuccessHandler())
); );
return http.build();
} }
private LogoutSuccessHandler oidcLogoutSuccessHandler() { private LogoutSuccessHandler oidcLogoutSuccessHandler() {
@ -921,11 +949,12 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
@Autowired @Autowired
private lateinit var clientRegistrationRepository: ClientRegistrationRepository private lateinit var clientRegistrationRepository: ClientRegistrationRepository
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
@ -935,6 +964,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
logoutSuccessHandler = oidcLogoutSuccessHandler() logoutSuccessHandler = oidcLogoutSuccessHandler()
} }
} }
return http.build()
} }
private fun oidcLogoutSuccessHandler(): LogoutSuccessHandler { private fun oidcLogoutSuccessHandler(): LogoutSuccessHandler {


@ -243,15 +243,14 @@ The Spring Boot 2.x auto-configuration class for OAuth Client support is `OAuth2
It performs the following tasks: It performs the following tasks:
* Registers a `ClientRegistrationRepository` `@Bean` composed of `ClientRegistration`(s) from the configured OAuth Client properties. * Registers a `ClientRegistrationRepository` `@Bean` composed of `ClientRegistration`(s) from the configured OAuth Client properties.
* Provides a `WebSecurityConfigurerAdapter` `@Configuration` and enables OAuth 2.0 Login through `httpSecurity.oauth2Login()`. * Registers a `SecurityFilterChain` `@Bean` and enables OAuth 2.0 Login through `httpSecurity.oauth2Login()`.
If you need to override the auto-configuration based on your specific requirements, you may do so in the following ways: If you need to override the auto-configuration based on your specific requirements, you may do so in the following ways:
* <<oauth2login-register-clientregistrationrepository-bean>> * <<oauth2login-register-clientregistrationrepository-bean>>
* <<oauth2login-provide-websecurityconfigureradapter>> * <<oauth2login-provide-securityfilterchain-bean>>
* <<oauth2login-completely-override-autoconfiguration>> * <<oauth2login-completely-override-autoconfiguration>>
[[oauth2login-register-clientregistrationrepository-bean]] [[oauth2login-register-clientregistrationrepository-bean]]
=== Register a ClientRegistrationRepository @Bean === Register a ClientRegistrationRepository @Bean
@ -319,10 +318,10 @@ class OAuth2LoginConfig {
==== ====
[[oauth2login-provide-websecurityconfigureradapter]] [[oauth2login-provide-securityfilterchain-bean]]
=== Provide a WebSecurityConfigurerAdapter === Register a SecurityFilterChain @Bean
The following example shows how to provide a `WebSecurityConfigurerAdapter` with `@EnableWebSecurity` and enable OAuth 2.0 login through `httpSecurity.oauth2Login()`: The following example shows how to register a `SecurityFilterChain` `@Bean` with `@EnableWebSecurity` and enable OAuth 2.0 login through `httpSecurity.oauth2Login()`:
.OAuth2 Login Configuration .OAuth2 Login Configuration
==== ====
@ -330,15 +329,16 @@ The following example shows how to provide a `WebSecurityConfigurerAdapter` with
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public class OAuth2LoginSecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.oauth2Login(withDefaults()); .oauth2Login(withDefaults());
return http.build();
} }
} }
---- ----
@ -347,15 +347,16 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { class OAuth2LoginSecurityConfig {
override fun configure(http: HttpSecurity) { open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
} }
oauth2Login { } oauth2Login { }
} }
return http.build()
} }
} }
---- ----
@ -365,7 +366,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
[[oauth2login-completely-override-autoconfiguration]] [[oauth2login-completely-override-autoconfiguration]]
=== Completely Override the Auto-configuration === Completely Override the Auto-configuration
The following example shows how to completely override the auto-configuration by registering a `ClientRegistrationRepository` `@Bean` and providing a `WebSecurityConfigurerAdapter`. The following example shows how to completely override the auto-configuration by registering a `ClientRegistrationRepository` `@Bean` and a `SecurityFilterChain` `@Bean`.
.Overriding the auto-configuration .Overriding the auto-configuration
==== ====
@ -375,17 +376,14 @@ The following example shows how to completely override the auto-configuration by
@Configuration @Configuration
public class OAuth2LoginConfig { public class OAuth2LoginConfig {
@EnableWebSecurity @Bean
public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
@Override
protected void configure(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.oauth2Login(withDefaults()); .oauth2Login(withDefaults());
} return http.build();
} }
@Bean @Bean
@ -418,17 +416,15 @@ public class OAuth2LoginConfig {
@Configuration @Configuration
class OAuth2LoginConfig { class OAuth2LoginConfig {
@EnableWebSecurity @Bean
class OAuth2LoginSecurityConfig: WebSecurityConfigurerAdapter() { open fun filterChain(http: HttpSecurity): SecurityFilterChain {
override fun configure(http: HttpSecurity) {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
} }
oauth2Login { } oauth2Login { }
} }
} return http.build()
} }
@Bean @Bean
@ -467,20 +463,17 @@ If you are not able to use Spring Boot 2.x and would like to configure one of th
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@Configuration @EnableWebSecurity
public class OAuth2LoginConfig { public class OAuth2LoginConfig {
@EnableWebSecurity @Bean
public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
@Override
protected void configure(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.oauth2Login(withDefaults()); .oauth2Login(withDefaults());
} return http.build();
} }
@Bean @Bean
@ -512,18 +505,17 @@ public class OAuth2LoginConfig {
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@Configuration @EnableWebSecurity
open class OAuth2LoginConfig { open class OAuth2LoginConfig {
@EnableWebSecurity @Bean
open class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() { open fun filterChain(http: HttpSecurity): SecurityFilterChain {
override fun configure(http: HttpSecurity) {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
} }
oauth2Login { } oauth2Login { }
} }
} return http.build()
} }
@Bean @Bean
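Review bot: The Kotlin listing under "Register a SecurityFilterChain @Bean" declares `open fun filterChain(http: HttpSecurity): SecurityFilterChain {` with no `@Bean` above it, while the Java listing directly before it and every other Kotlin sample in this section carry `@Bean`. Without the annotation the method is never registered as a bean, so the example would not override Boot's default filter chain and a reader copying it would silently keep the default security configuration. Suggest inserting `@Bean` on the line above that `open fun filterChain` so the Kotlin sample matches the Java one; the same check applies to the Kotlin logout snippet in the section above this commit's first visible hunk, if that snippet is meant to stand alone as a bean definition.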


@ -137,26 +137,29 @@ This property can also be supplied directly on the <<oauth2resourceserver-jwt-jw
There are two ``@Bean``s that Spring Boot generates on Resource Server's behalf. There are two ``@Bean``s that Spring Boot generates on Resource Server's behalf.
The first is a `WebSecurityConfigurerAdapter` that configures the app as a resource server. When including `spring-security-oauth2-jose`, this `WebSecurityConfigurerAdapter` looks like: The first is a `SecurityFilterChain` that configures the app as a resource server. When including `spring-security-oauth2-jose`, this `SecurityFilterChain` looks like:
.Default JWT Configuration .Default JWT Configuration
==== ====
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
return http.build();
} }
---- ----
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
@ -165,11 +168,12 @@ fun configure(http: HttpSecurity) {
jwt { } jwt { }
} }
} }
return http.build()
} }
---- ----
==== ====
If the application doesn't expose a `WebSecurityConfigurerAdapter` bean, then Spring Boot will expose the above default one. If the application doesn't expose a `SecurityFilterChain` bean, then Spring Boot will expose the above default one.
Replacing this is as simple as exposing the bean within the application: Replacing this is as simple as exposing the bean within the application:
@ -179,8 +183,9 @@ Replacing this is as simple as exposing the bean within the application:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter { public class MyCustomSecurityConfiguration {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
@ -191,6 +196,7 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
.jwtAuthenticationConverter(myConverter()) .jwtAuthenticationConverter(myConverter())
) )
); );
return http.build();
} }
} }
---- ----
@ -199,8 +205,9 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() { class MyCustomSecurityConfiguration {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize("/messages/**", hasAuthority("SCOPE_message:read")) authorize("/messages/**", hasAuthority("SCOPE_message:read"))
@ -212,6 +219,7 @@ class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -296,8 +304,9 @@ An authorization server's JWK Set Uri can be configured <<oauth2resourceserver-j
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { public class DirectlyConfiguredJwkSetUri {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
@ -307,6 +316,7 @@ public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
.jwkSetUri("https://idp.example.com/.well-known/jwks.json") .jwkSetUri("https://idp.example.com/.well-known/jwks.json")
) )
); );
return http.build();
} }
} }
---- ----
@ -315,8 +325,9 @@ public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class DirectlyConfiguredJwkSetUri : WebSecurityConfigurerAdapter() { class DirectlyConfiguredJwkSetUri {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
@ -327,6 +338,7 @@ class DirectlyConfiguredJwkSetUri : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -356,8 +368,9 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter { public class DirectlyConfiguredJwtDecoder {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
@ -367,6 +380,7 @@ public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter {
.decoder(myCustomDecoder()) .decoder(myCustomDecoder())
) )
); );
return http.build();
} }
} }
---- ----
@ -375,8 +389,9 @@ public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class DirectlyConfiguredJwtDecoder : WebSecurityConfigurerAdapter() { class DirectlyConfiguredJwtDecoder {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
@ -387,6 +402,7 @@ class DirectlyConfiguredJwtDecoder : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -716,8 +732,9 @@ This means that to protect an endpoint or method with a scope derived from a JWT
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { public class DirectlyConfiguredJwkSetUri {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts") .mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
@ -725,6 +742,7 @@ public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
return http.build();
} }
} }
---- ----
@ -733,8 +751,9 @@ public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class DirectlyConfiguredJwkSetUri : WebSecurityConfigurerAdapter() { class DirectlyConfiguredJwkSetUri {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize("/contacts/**", hasAuthority("SCOPE_contacts")) authorize("/contacts/**", hasAuthority("SCOPE_contacts"))
@ -745,6 +764,7 @@ class DirectlyConfiguredJwkSetUri : WebSecurityConfigurerAdapter() {
jwt { } jwt { }
} }
} }
return http.build()
} }
} }
---- ----
@ -923,8 +943,9 @@ static class CustomAuthenticationConverter implements Converter<Jwt, AbstractAut
// ... // ...
@EnableWebSecurity @EnableWebSecurity
public class CustomAuthenticationConverterConfig extends WebSecurityConfigurerAdapter { public class CustomAuthenticationConverterConfig {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
@ -934,6 +955,7 @@ public class CustomAuthenticationConverterConfig extends WebSecurityConfigurerAd
.jwtAuthenticationConverter(new CustomAuthenticationConverter()) .jwtAuthenticationConverter(new CustomAuthenticationConverter())
) )
); );
return http.build();
} }
} }
---- ----
@ -950,8 +972,9 @@ internal class CustomAuthenticationConverter : Converter<Jwt, AbstractAuthentica
// ... // ...
@EnableWebSecurity @EnableWebSecurity
class CustomAuthenticationConverterConfig : WebSecurityConfigurerAdapter() { class CustomAuthenticationConverterConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
@ -962,6 +985,7 @@ class CustomAuthenticationConverterConfig : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----


@ -178,27 +178,30 @@ fun forFoosEyesOnly(): String {
There are two ``@Bean``s that Spring Boot generates on Resource Server's behalf. There are two ``@Bean``s that Spring Boot generates on Resource Server's behalf.
The first is a `WebSecurityConfigurerAdapter` that configures the app as a resource server. The first is a `SecurityFilterChain` that configures the app as a resource server.
When use Opaque Token, this `WebSecurityConfigurerAdapter` looks like: When use Opaque Token, this `SecurityFilterChain` looks like:
.Default Opaque Token Configuration .Default Opaque Token Configuration
==== ====
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken); .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
return http.build();
} }
---- ----
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
@ -207,11 +210,12 @@ override fun configure(http: HttpSecurity) {
opaqueToken { } opaqueToken { }
} }
} }
return http.build()
} }
---- ----
==== ====
If the application doesn't expose a `WebSecurityConfigurerAdapter` bean, then Spring Boot will expose the above default one. If the application doesn't expose a `SecurityFilterChain` bean, then Spring Boot will expose the above default one.
Replacing this is as simple as exposing the bean within the application: Replacing this is as simple as exposing the bean within the application:
@ -221,8 +225,9 @@ Replacing this is as simple as exposing the bean within the application:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter { public class MyCustomSecurityConfiguration {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
@ -233,6 +238,7 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
.introspector(myIntrospector()) .introspector(myIntrospector())
) )
); );
return http.build();
} }
} }
---- ----
@ -241,8 +247,9 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() { class MyCustomSecurityConfiguration {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize("/messages/**", hasAuthority("SCOPE_message:read")) authorize("/messages/**", hasAuthority("SCOPE_message:read"))
@ -254,6 +261,7 @@ class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -335,8 +343,9 @@ An authorization server's Introspection Uri can be configured <<oauth2resourcese
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAdapter { public class DirectlyConfiguredIntrospectionUri {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
@ -347,6 +356,7 @@ public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAda
.introspectionClientCredentials("client", "secret") .introspectionClientCredentials("client", "secret")
) )
); );
return http.build();
} }
} }
---- ----
@ -355,8 +365,9 @@ public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAda
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class DirectlyConfiguredIntrospectionUri : WebSecurityConfigurerAdapter() { class DirectlyConfiguredIntrospectionUri {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
@ -368,6 +379,7 @@ class DirectlyConfiguredIntrospectionUri : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -397,8 +409,9 @@ More powerful than `introspectionUri()` is `introspector()`, which will complete
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter { public class DirectlyConfiguredIntrospector {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
@ -408,6 +421,7 @@ public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter
.introspector(myCustomIntrospector()) .introspector(myCustomIntrospector())
) )
); );
return http.build();
} }
} }
---- ----
@ -416,8 +430,9 @@ public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class DirectlyConfiguredIntrospector : WebSecurityConfigurerAdapter() { class DirectlyConfiguredIntrospector {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
@ -428,6 +443,7 @@ class DirectlyConfiguredIntrospector : WebSecurityConfigurerAdapter() {
} }
} }
} }
return http.build()
} }
} }
---- ----
@ -476,8 +492,9 @@ This means that to protect an endpoint or method with a scope derived from an Op
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class MappedAuthorities extends WebSecurityConfigurerAdapter { public class MappedAuthorities {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorizeRequests -> authorizeRequests .authorizeHttpRequests(authorizeRequests -> authorizeRequests
.mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts") .mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
@ -485,6 +502,7 @@ public class MappedAuthorities extends WebSecurityConfigurerAdapter {
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken); .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
return http.build();
} }
} }
---- ----
@ -493,8 +511,9 @@ public class MappedAuthorities extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class MappedAuthorities : WebSecurityConfigurerAdapter() { class MappedAuthorities {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize("/contacts/**", hasAuthority("SCOPE_contacts")) authorize("/contacts/**", hasAuthority("SCOPE_contacts"))
@ -505,6 +524,7 @@ class MappedAuthorities : WebSecurityConfigurerAdapter() {
opaqueToken { } opaqueToken { }
} }
} }
return http.build()
} }
} }
---- ----


@ -23,10 +23,10 @@ For that reason, you can configure `OpenSaml4AuthenticationProvider` 's default
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { public class SecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider(); OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
authenticationProvider.setAssertionValidator(OpenSaml4AuthenticationProvider authenticationProvider.setAssertionValidator(OpenSaml4AuthenticationProvider
.createDefaultAssertionValidator(assertionToken -> { .createDefaultAssertionValidator(assertionToken -> {
@ -44,6 +44,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
.saml2Login(saml2 -> saml2 .saml2Login(saml2 -> saml2
.authenticationManager(new ProviderManager(authenticationProvider)) .authenticationManager(new ProviderManager(authenticationProvider))
); );
return http.build();
} }
} }
---- ----
@ -52,8 +53,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
open class SecurityConfig : WebSecurityConfigurerAdapter() { open class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
val authenticationProvider = OpenSaml4AuthenticationProvider() val authenticationProvider = OpenSaml4AuthenticationProvider()
authenticationProvider.setAssertionValidator( authenticationProvider.setAssertionValidator(
OpenSaml4AuthenticationProvider OpenSaml4AuthenticationProvider
@ -72,6 +74,7 @@ open class SecurityConfig : WebSecurityConfigurerAdapter() {
authenticationManager = ProviderManager(authenticationProvider) authenticationManager = ProviderManager(authenticationProvider)
} }
} }
return http.build()
} }
} }
---- ----
@ -88,12 +91,12 @@ In that case, the response authentication converter can come in handy, as can be
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { public class SecurityConfig {
@Autowired @Autowired
UserDetailsService userDetailsService; UserDetailsService userDetailsService;
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider(); OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
authenticationProvider.setResponseAuthenticationConverter(responseToken -> { authenticationProvider.setResponseAuthenticationConverter(responseToken -> {
Saml2Authentication authentication = OpenSaml4AuthenticationProvider Saml2Authentication authentication = OpenSaml4AuthenticationProvider
@ -112,6 +115,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
.saml2Login(saml2 -> saml2 .saml2Login(saml2 -> saml2
.authenticationManager(new ProviderManager(authenticationProvider)) .authenticationManager(new ProviderManager(authenticationProvider))
); );
return http.build();
} }
} }
---- ----
@ -120,11 +124,12 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
open class SecurityConfig : WebSecurityConfigurerAdapter() { open class SecurityConfig {
@Autowired @Autowired
var userDetailsService: UserDetailsService? = null var userDetailsService: UserDetailsService? = null
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
val authenticationProvider = OpenSaml4AuthenticationProvider() val authenticationProvider = OpenSaml4AuthenticationProvider()
authenticationProvider.setResponseAuthenticationConverter { responseToken: OpenSaml4AuthenticationProvider.ResponseToken -> authenticationProvider.setResponseAuthenticationConverter { responseToken: OpenSaml4AuthenticationProvider.ResponseToken ->
val authentication = OpenSaml4AuthenticationProvider val authentication = OpenSaml4AuthenticationProvider
@ -143,6 +148,7 @@ open class SecurityConfig : WebSecurityConfigurerAdapter() {
authenticationManager = ProviderManager(authenticationProvider) authenticationManager = ProviderManager(authenticationProvider)
} }
} }
return http.build()
} }
} }
---- ----
@ -304,10 +310,10 @@ This authentication manager should expect a `Saml2AuthenticationToken` object co
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { public class SecurityConfig {
@Override @Bean
protected void configure(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
AuthenticationManager authenticationManager = new MySaml2AuthenticationManager(...); AuthenticationManager authenticationManager = new MySaml2AuthenticationManager(...);
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
@ -317,6 +323,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
.authenticationManager(authenticationManager) .authenticationManager(authenticationManager)
) )
; ;
return http.build();
} }
} }
---- ----
@ -325,8 +332,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
open class SecurityConfig : WebSecurityConfigurerAdapter() { open class SecurityConfig {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
val customAuthenticationManager: AuthenticationManager = MySaml2AuthenticationManager(...) val customAuthenticationManager: AuthenticationManager = MySaml2AuthenticationManager(...)
http { http {
authorizeRequests { authorizeRequests {
@ -336,6 +344,7 @@ open class SecurityConfig : WebSecurityConfigurerAdapter() {
authenticationManager = customAuthenticationManager authenticationManager = customAuthenticationManager
} }
} }
return http.build()
} }
} }
---- ----


@ -297,38 +297,42 @@ The `requireInitialize` method may be called only once per application instance.
Spring Boot generates two `@Bean` objects for a relying party. Spring Boot generates two `@Bean` objects for a relying party.
The first is a `WebSecurityConfigurerAdapter` that configures the application as a relying party. The first is a `SecurityFilterChain` that configures the application as a relying party.
When including `spring-security-saml2-service-provider`, the `WebSecurityConfigurerAdapter` looks like: When including `spring-security-saml2-service-provider`, the `SecurityFilterChain` looks like:
.Default JWT Configuration .Default JWT Configuration
==== ====
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
---- ----
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.saml2Login(withDefaults()); .saml2Login(withDefaults());
return http.build();
} }
---- ----
.Kotlin .Kotlin
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
} }
saml2Login { } saml2Login { }
} }
return http.build()
} }
---- ----
==== ====
If the application does not expose a `WebSecurityConfigurerAdapter` bean, Spring Boot exposes the preceding default one. If the application does not expose a `SecurityFilterChain` bean, Spring Boot exposes the preceding default one.
You can replace this by exposing the bean within the application: You can replace this by exposing the bean within the application:
@ -338,14 +342,16 @@ You can replace this by exposing the bean within the application:
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter { public class MyCustomSecurityConfiguration {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.mvcMatchers("/messages/**").hasAuthority("ROLE_USER") .mvcMatchers("/messages/**").hasAuthority("ROLE_USER")
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.saml2Login(withDefaults()); .saml2Login(withDefaults());
return http.build();
} }
} }
---- ----
@ -354,8 +360,9 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() { class MyCustomSecurityConfiguration {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize("/messages/**", hasAuthority("ROLE_USER")) authorize("/messages/**", hasAuthority("ROLE_USER"))
@ -364,6 +371,7 @@ class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
saml2Login { saml2Login {
} }
} }
return http.build()
} }
} }
---- ----
@ -480,7 +488,7 @@ open fun relyingPartyRegistrations(): RelyingPartyRegistrationRepository {
[[servlet-saml2login-relyingpartyregistrationrepository-dsl]] [[servlet-saml2login-relyingpartyregistrationrepository-dsl]]
Alternatively, you can directly wire up the repository by using the DSL, which also overrides the auto-configured `WebSecurityConfigurerAdapter`: Alternatively, you can directly wire up the repository by using the DSL, which also overrides the auto-configured `SecurityFilterChain`:
.Custom Relying Party Registration DSL .Custom Relying Party Registration DSL
==== ====
@ -488,8 +496,9 @@ Alternatively, you can directly wire up the repository by using the DSL, which a
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter { public class MyCustomSecurityConfiguration {
protected void configure(HttpSecurity http) { @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.mvcMatchers("/messages/**").hasAuthority("ROLE_USER") .mvcMatchers("/messages/**").hasAuthority("ROLE_USER")
@ -498,6 +507,7 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
.saml2Login(saml2 -> saml2 .saml2Login(saml2 -> saml2
.relyingPartyRegistrationRepository(relyingPartyRegistrations()) .relyingPartyRegistrationRepository(relyingPartyRegistrations())
); );
return http.build();
} }
} }
---- ----
@ -506,8 +516,9 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@EnableWebSecurity @EnableWebSecurity
class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() { class MyCustomSecurityConfiguration {
override fun configure(http: HttpSecurity) { @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeRequests { authorizeRequests {
authorize("/messages/**", hasAuthority("ROLE_USER")) authorize("/messages/**", hasAuthority("ROLE_USER"))
@ -517,6 +528,7 @@ class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
relyingPartyRegistrationRepository = relyingPartyRegistrations() relyingPartyRegistrationRepository = relyingPartyRegistrations()
} }
} }
return http.build()
} }
} }
---- ----