Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs
Closes gh-10003
parent
84616543a3
commit
4142f06259
@ -6,7 +6,7 @@ This section covers how to customize the handling of logouts.
|
||||||
[[logout-java-configuration]]
|
[[logout-java-configuration]]
|
||||||
== Logout Java/Kotlin Configuration
|
== Logout Java/Kotlin Configuration
|
||||||
|
|
||||||
When using the `{security-api-url}org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html[WebSecurityConfigurerAdapter]`, logout capabilities are automatically applied.
|
When using the `{security-api-url}org/springframework/security/config/annotation/web/builders/HttpSecurity.html[HttpSecurity]` bean, logout capabilities are automatically applied.
|
||||||
The default is that accessing the URL `/logout` logs the user out by:
|
The default is that accessing the URL `/logout` logs the user out by:
|
||||||
|
|
||||||
- Invalidating the HTTP Session
|
- Invalidating the HTTP Session
|
||||||
|
@ -21,7 +21,7 @@ Similar to configuring login capabilities, however, you also have various option
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) {
|
||||||
http
|
http
|
||||||
.logout(logout -> logout // <1>
|
.logout(logout -> logout // <1>
|
||||||
.logoutUrl("/my/logout") // <2>
|
.logoutUrl("/my/logout") // <2>
|
||||||
|
@ -38,7 +38,7 @@ protected void configure(HttpSecurity http) throws Exception {
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
-----
|
-----
|
||||||
override fun configure(http: HttpSecurity) {
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
logout {
|
logout {
|
||||||
logoutUrl = "/my/logout" // <1>
|
logoutUrl = "/my/logout" // <1>
|
||||||
|
@ -49,12 +49,12 @@ override fun configure(http: HttpSecurity) {
|
||||||
deleteCookies(cookieNamesToClear) // <6>
|
deleteCookies(cookieNamesToClear) // <6>
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// ...
|
||||||
}
|
}
|
||||||
-----
|
-----
|
||||||
====
|
====
|
||||||
|
|
||||||
<1> Provides logout support.
|
<1> Provides logout support.
|
||||||
This is automatically applied when using `WebSecurityConfigurerAdapter`.
|
|
||||||
<2> The URL that triggers log out to occur (the default is `/logout`).
|
<2> The URL that triggers log out to occur (the default is `/logout`).
|
||||||
If CSRF protection is enabled (the default), the request must also be a POST.
|
If CSRF protection is enabled (the default), the request must also be a POST.
|
||||||
For more information, see {security-api-url}org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.html#logoutUrl-java.lang.String-[`logoutUrl(java.lang.String logoutUrl)`].
|
For more information, see {security-api-url}org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.html#logoutUrl-java.lang.String-[`logoutUrl(java.lang.String logoutUrl)`].
|
||||||
|
|
|
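Review bot: The Java signature `public SecurityFilterChain filterChain(HttpSecurity http) {` in this section's first code hunk and the Kotlin `open fun filterChain(http: HttpSecurity): SecurityFilterChain {` in the second carry no `@Bean` annotation, unlike the other snippets this commit rewrites (the HTTP Basic section adds `@Bean` directly above the same signature). A method that is not registered as a bean contributes no `SecurityFilterChain`, so a reader who copies this snippet is likely to end up with the default chain and a `logoutUrl("/my/logout")` that silently never applies; add `@Bean` above both signatures. The removed sentence under callout `<1>`, "This is automatically applied when using WebSecurityConfigurerAdapter.", has no replacement even though the paragraph at the top of the section states the same for the `HttpSecurity` bean, so `This is automatically applied when a SecurityFilterChain is built from the HttpSecurity bean.` keeps the callout self-contained. Both method bodies end outside their hunks.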
@ -64,10 +64,12 @@ The following example shows a minimal, explicit configuration:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
.Java
|
.Java
|
||||||
----
|
----
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.httpBasic(withDefaults());
|
.httpBasic(withDefaults());
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
@ -83,11 +85,13 @@ protected void configure(HttpSecurity http) {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
.Kotlin
|
.Kotlin
|
||||||
----
|
----
|
||||||
fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
httpBasic { }
|
httpBasic { }
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
|
|
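Review bot: The new Java signature `public SecurityFilterChain filterChain(HttpSecurity http) {` in this section's first hunk ends with `return http.build();` but declares no `throws Exception`, whereas the Digest and Java-configuration snippets in the same commit keep `throws Exception` on that signature. `HttpSecurity.build()` is declared to throw `Exception`, so this snippet does not compile as written; change the line to `public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {`. The same omission appears in the logout section's Java hunk and in all four Java snippets of the session-management section (`invalidSessionUrl`, `deleteCookies`, and both `maximumSessions` examples), where the commit actually drops the `throws Exception` that the old `configure` signature had while adding `return http.build();`.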
@ -1,4 +1,4 @@
|
||||||
[[servlet-authentication-digest]]
|
**[[**servlet-authentication-digest]]
|
||||||
= Digest Authentication
|
= Digest Authentication
|
||||||
|
|
||||||
This section provides details on how Spring Security provides support for https://tools.ietf.org/html/rfc2617[Digest Authentication], which is provided `DigestAuthenticationFilter`.
|
This section provides details on how Spring Security provides support for https://tools.ietf.org/html/rfc2617[Digest Authentication], which is provided `DigestAuthenticationFilter`.
|
||||||
|
@ -58,11 +58,13 @@ DigestAuthenticationFilter digestAuthenticationFilter() {
|
||||||
result.setAuthenticationEntryPoint(entryPoint());
|
result.setAuthenticationEntryPoint(entryPoint());
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint()))
|
.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint()))
|
||||||
.addFilterBefore(digestFilter());
|
.addFilterBefore(digestFilter());
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
|
|
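Review bot: In the rewritten `filterChain` body, `.addFilterBefore(digestFilter());` passes a single argument, but `HttpSecurity.addFilterBefore` takes the filter plus the class of the filter it should precede, and the helper named in the hunk header is `digestAuthenticationFilter()`, not `digestFilter()`; the same body calls `authenticationEntryPoint()` while the helper above wires `entryPoint()`. These are carried-over context lines rather than this commit's change, but the snippet is now presented as a complete `@Bean`, so a reader pasting it hits compile errors immediately; `.addFilter(digestAuthenticationFilter())` (the digest filter has a position in Spring Security's filter ordering) or the two-argument `addFilterBefore`, with the helper names aligned, would fix it. The anchor in the first hunk is rendered as `**[[**servlet-authentication-digest]]`; if those asterisks are literal source rather than diff highlighting, the anchor is broken and should read `[[servlet-authentication-digest]]`.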
@ -71,10 +71,10 @@ The following example shows a minimal, explicit Java configuration:
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
protected void configure(HttpSecurity http) {
|
public SecurityFilterChain filterChain(HttpSecurity http) {
|
||||||
http
|
http
|
||||||
// ...
|
|
||||||
.formLogin(withDefaults());
|
.formLogin(withDefaults());
|
||||||
|
// ...
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
@ -90,11 +90,11 @@ protected void configure(HttpSecurity http) {
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
fun configure(http: HttpSecurity) {
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
|
||||||
formLogin { }
|
formLogin { }
|
||||||
}
|
}
|
||||||
|
// ...
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
@ -110,13 +110,13 @@ The following configuration demonstrates how to provide a custom login form.
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) {
|
||||||
http
|
http
|
||||||
// ...
|
|
||||||
.formLogin(form -> form
|
.formLogin(form -> form
|
||||||
.loginPage("/login")
|
.loginPage("/login")
|
||||||
.permitAll()
|
.permitAll()
|
||||||
);
|
);
|
||||||
|
// ...
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
@ -133,14 +133,14 @@ protected void configure(HttpSecurity http) throws Exception {
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
fun configure(http: HttpSecurity) {
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
|
||||||
formLogin {
|
formLogin {
|
||||||
loginPage = "/login"
|
loginPage = "/login"
|
||||||
permitAll()
|
permitAll()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// ...
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
|
|
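Review bot: In both Java hunks of this section the new `filterChain` body ends with `// ...` where `return http.build();` belongs (the commit moves the placeholder from above `.formLogin` to below it), and the signature `public SecurityFilterChain filterChain(HttpSecurity http) {` carries neither `@Bean` nor `throws Exception`; the two Kotlin hunks likewise end on `// ...` and lack `@Bean`. The other sections this commit rewrites (HTTP Basic, Digest, Java configuration) show the annotation and an explicit `return http.build();`, so the form-login snippets are the ones a reader cannot compile by copying, and a missing return in a method declared to return `SecurityFilterChain` is not something a placeholder comment conveys. Keep `// ...` for the elided configuration, but end each body with a real `return http.build();` (`return http.build()` in Kotlin) and add `@Bean` above the signatures as the other sections do.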
@ -11,12 +11,13 @@ To do so, configure the `session-management` element:
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception{
|
public SecurityFilterChain filterChain(HttpSecurity http) {
|
||||||
http
|
http
|
||||||
.sessionManagement(session -> session
|
.sessionManagement(session -> session
|
||||||
.invalidSessionUrl("/invalidSession.htm")
|
.invalidSessionUrl("/invalidSession.htm")
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
@ -38,12 +39,13 @@ You may be able to explicitly delete the `JSESSIONID` cookie on logging out -- f
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception{
|
public SecurityFilterChain filterChain(HttpSecurity http) {
|
||||||
http
|
http
|
||||||
.logout(logout -> logout
|
.logout(logout -> logout
|
||||||
.deleteCookies("JSESSIONID")
|
.deleteCookies("JSESSIONID")
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
@ -107,12 +109,13 @@ Then add the following lines to your application context:
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) {
|
||||||
http
|
http
|
||||||
.sessionManagement(session -> session
|
.sessionManagement(session -> session
|
||||||
.maximumSessions(1)
|
.maximumSessions(1)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
@ -135,13 +138,14 @@ Often, you would prefer to prevent a second login. In that case, you can use:
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) {
|
||||||
http
|
http
|
||||||
.sessionManagement(session -> session
|
.sessionManagement(session -> session
|
||||||
.maximumSessions(1)
|
.maximumSessions(1)
|
||||||
.maxSessionsPreventsLogin(true)
|
.maxSessionsPreventsLogin(true)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
|
|
@ -37,12 +37,14 @@ The following listing shows the explicit configuration:
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.authorizeRequests(authorize -> authorize
|
.authorizeRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
@ -58,13 +60,15 @@ protected void configure(HttpSecurity http) throws Exception {
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
@ -76,7 +80,8 @@ We can configure Spring Security to have different rules by adding more rules in
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.authorizeRequests(authorize -> authorize // <1>
|
.authorizeRequests(authorize -> authorize // <1>
|
||||||
|
@ -85,6 +90,7 @@ protected void configure(HttpSecurity http) throws Exception {
|
||||||
.mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4>
|
.mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4>
|
||||||
.anyRequest().denyAll() // <5>
|
.anyRequest().denyAll() // <5>
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
@ -107,7 +113,8 @@ protected void configure(HttpSecurity http) throws Exception {
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests { // <1>
|
authorizeRequests { // <1>
|
||||||
authorize("/resources/**", permitAll) // <2>
|
authorize("/resources/**", permitAll) // <2>
|
||||||
|
@ -119,6 +126,7 @@ fun configure(http: HttpSecurity) {
|
||||||
authorize(anyRequest, denyAll) // <5>
|
authorize(anyRequest, denyAll) // <5>
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
<1> There are multiple authorization rules specified.
|
<1> There are multiple authorization rules specified.
|
||||||
|
|
|
@ -144,19 +144,21 @@ public class MvcWebApplicationInitializer extends
|
||||||
Thus far, our <<jc-hello-wsca,`WebSecurityConfig`>> contains only information about how to authenticate our users.
|
Thus far, our <<jc-hello-wsca,`WebSecurityConfig`>> contains only information about how to authenticate our users.
|
||||||
How does Spring Security know that we want to require all users to be authenticated?
|
How does Spring Security know that we want to require all users to be authenticated?
|
||||||
How does Spring Security know we want to support form-based authentication?
|
How does Spring Security know we want to support form-based authentication?
|
||||||
Actually, there is a configuration class (called `WebSecurityConfigurerAdapter`) that is being invoked behind the scenes.
|
Actually, there is a configuration class (called `SecurityFilterChain`) that is being invoked behind the scenes.
|
||||||
It has a method called `configure` with the following default implementation:
|
It is configured with the following default implementation:
|
||||||
|
|
||||||
====
|
====
|
||||||
[source,java]
|
[source,java]
|
||||||
----
|
----
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeRequests(authorize -> authorize
|
.authorizeRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.formLogin(withDefaults())
|
.formLogin(withDefaults())
|
||||||
.httpBasic(withDefaults());
|
.httpBasic(withDefaults());
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
@ -183,7 +185,7 @@ Note that this configuration is parallels the XML Namespace configuration:
|
||||||
== Multiple HttpSecurity Instances
|
== Multiple HttpSecurity Instances
|
||||||
|
|
||||||
We can configure multiple `HttpSecurity` instances just as we can have multiple `<http>` blocks in XML.
|
We can configure multiple `HttpSecurity` instances just as we can have multiple `<http>` blocks in XML.
|
||||||
The key is to extend the `WebSecurityConfigurerAdapter` multiple times.
|
The key is to register multiple `SecurityFilterChain` `@Bean`s.
|
||||||
The following example has a different configuration for URL's that start with `/api/`.
|
The following example has a different configuration for URL's that start with `/api/`.
|
||||||
|
|
||||||
====
|
====
|
||||||
|
@ -201,39 +203,35 @@ public class MultiHttpSecurityConfig {
|
||||||
return manager;
|
return manager;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Configuration
|
@Bean
|
||||||
@Order(1) <2>
|
@Order(1) <2>
|
||||||
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
|
public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
|
||||||
http
|
http
|
||||||
.antMatcher("/api/**") <3>
|
.antMatcher("/api/**") <3>
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().hasRole("ADMIN")
|
.anyRequest().hasRole("ADMIN")
|
||||||
)
|
)
|
||||||
.httpBasic(withDefaults());
|
.httpBasic(withDefaults());
|
||||||
}
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Configuration <4>
|
@Bean <4>
|
||||||
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
|
public SecurityFilterChain formLoginFilterChain(HttpSecurity http) throws Exception {
|
||||||
|
|
||||||
@Override
|
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.formLogin(withDefaults());
|
.formLogin(withDefaults());
|
||||||
}
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
<1> Configure Authentication as usual.
|
<1> Configure Authentication as usual.
|
||||||
<2> Create an instance of `WebSecurityConfigurerAdapter` that contains `@Order` to specify which `WebSecurityConfigurerAdapter` should be considered first.
|
<2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
|
||||||
<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`.
|
<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`.
|
||||||
<4> Create another instance of `WebSecurityConfigurerAdapter`.
|
<4> Create another instance of `SecurityFilterChain`.
|
||||||
If the URL does not start with `/api/`, this configuration is used.
|
If the URL does not start with `/api/`, this configuration is used.
|
||||||
This configuration is considered after `ApiWebSecurityConfigurationAdapter`, since it has an `@Order` value after `1` (no `@Order` defaults to last).
|
This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).
|
||||||
====
|
====
|
||||||
|
|
||||||
[[jc-custom-dsls]]
|
[[jc-custom-dsls]]
|
||||||
|
@ -287,14 +285,15 @@ You can then use the custom DSL:
|
||||||
[source,java]
|
[source,java]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class Config extends WebSecurityConfigurerAdapter {
|
public class Config {
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.apply(customDsl())
|
.apply(customDsl())
|
||||||
.flag(true)
|
.flag(true)
|
||||||
.and()
|
.and()
|
||||||
...;
|
...;
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -306,7 +305,7 @@ The code is invoked in the following order:
|
||||||
* Code in the `MyCustomDsl.init` method is invoked
|
* Code in the `MyCustomDsl.init` method is invoked
|
||||||
* Code in the `MyCustomDsl.configure` method is invoked
|
* Code in the `MyCustomDsl.configure` method is invoked
|
||||||
|
|
||||||
If you want, you can have `WebSecurityConfigurerAdapter` add `MyCustomDsl` by default by using `SpringFactories`.
|
If you want, you can have `HttpSecurity` add `MyCustomDsl` by default by using `SpringFactories`.
|
||||||
For example, you can create a resource on the classpath named `META-INF/spring.factories` with the following contents:
|
For example, you can create a resource on the classpath named `META-INF/spring.factories` with the following contents:
|
||||||
|
|
||||||
.META-INF/spring.factories
|
.META-INF/spring.factories
|
||||||
|
@ -323,12 +322,13 @@ You can also explicit disable the default:
|
||||||
[source,java]
|
[source,java]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class Config extends WebSecurityConfigurerAdapter {
|
public class Config {
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.apply(customDsl()).disable()
|
.apply(customDsl()).disable()
|
||||||
...;
|
...;
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -348,8 +348,8 @@ For example, to configure the `filterSecurityPublishAuthorizationSuccess` proper
|
||||||
====
|
====
|
||||||
[source,java]
|
[source,java]
|
||||||
----
|
----
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeRequests(authorize -> authorize
|
.authorizeRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
|
@ -361,6 +361,7 @@ protected void configure(HttpSecurity http) throws Exception {
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
|
|
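Review bot: The rewritten sentence "Actually, there is a configuration class (called SecurityFilterChain) that is being invoked behind the scenes." is inaccurate: `SecurityFilterChain` is the interface the `@Bean` method returns, not a configuration class. Something like `Actually, Spring Security registers a default SecurityFilterChain bean behind the scenes, built from an HttpSecurity with the following configuration:` covers both that line and the following "It is configured with the following default implementation:". Callout `<2>` says "Create an instance of SecurityFilterChain that contains @Order", but `@Order(1)` is placed on the `@Bean` method in the code above it, so `Register a SecurityFilterChain @Bean and annotate the method with @Order to specify which chain is considered first.` matches the snippet; the same two sentences recur in the Kotlin configuration section.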
@ -14,13 +14,14 @@ Spring Security provides https://github.com/spring-projects/spring-security-samp
|
||||||
|
|
||||||
How does Spring Security know that we want to require all users to be authenticated?
|
How does Spring Security know that we want to require all users to be authenticated?
|
||||||
How does Spring Security know we want to support form-based authentication?
|
How does Spring Security know we want to support form-based authentication?
|
||||||
There is a configuration class (called `WebSecurityConfigurerAdapter`) that is being invoked behind the scenes.
|
There is a configuration class (called `SecurityFilterChain`) that is being invoked behind the scenes.
|
||||||
It has a method called `configure` with the following default implementation:
|
It is configured with the following default implementation:
|
||||||
|
|
||||||
====
|
====
|
||||||
[source,kotlin]
|
[source,kotlin]
|
||||||
----
|
----
|
||||||
fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
|
@ -28,6 +29,7 @@ fun configure(http: HttpSecurity) {
|
||||||
formLogin { }
|
formLogin { }
|
||||||
httpBasic { }
|
httpBasic { }
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
@ -54,7 +56,7 @@ Note that this configuration is parallels the XML namespace configuration:
|
||||||
== Multiple HttpSecurity Instances
|
== Multiple HttpSecurity Instances
|
||||||
|
|
||||||
We can configure multiple HttpSecurity instances, just as we can have multiple `<http>` blocks.
|
We can configure multiple HttpSecurity instances, just as we can have multiple `<http>` blocks.
|
||||||
The key is to extend the `WebSecurityConfigurerAdapter` multiple times.
|
The key is to register multiple `SecurityFilterChain` `@Bean`s.
|
||||||
The following example has a different configuration for URL's that start with `/api/`:
|
The following example has a different configuration for URL's that start with `/api/`:
|
||||||
|
|
||||||
====
|
====
|
||||||
|
@ -71,10 +73,9 @@ class MultiHttpSecurityConfig {
|
||||||
return manager
|
return manager
|
||||||
}
|
}
|
||||||
|
|
||||||
@Configuration
|
|
||||||
@Order(1) <2>
|
@Order(1) <2>
|
||||||
class ApiWebSecurityConfigurationAdapter: WebSecurityConfigurerAdapter() {
|
@Bean
|
||||||
override fun configure(http: HttpSecurity) {
|
open fun apiFilterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
securityMatcher("/api/**") <3>
|
securityMatcher("/api/**") <3>
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
|
@ -82,27 +83,26 @@ class MultiHttpSecurityConfig {
|
||||||
}
|
}
|
||||||
httpBasic { }
|
httpBasic { }
|
||||||
}
|
}
|
||||||
}
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
@Configuration <4>
|
@Bean <4>
|
||||||
class FormLoginWebSecurityConfigurerAdapter: WebSecurityConfigurerAdapter() {
|
open fun formLoginFilterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
override fun configure(http: HttpSecurity) {
|
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
}
|
}
|
||||||
formLogin { }
|
formLogin { }
|
||||||
}
|
}
|
||||||
}
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
<1> Configure Authentication as usual.
|
<1> Configure Authentication as usual.
|
||||||
<2> Create an instance of `WebSecurityConfigurerAdapter` that contains `@Order` to specify which `WebSecurityConfigurerAdapter` should be considered first.
|
<2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
|
||||||
<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
|
<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
|
||||||
<4> Create another instance of `WebSecurityConfigurerAdapter`.
|
<4> Create another instance of `SecurityFilterChain`.
|
||||||
If the URL does not start with `/api/`, this configuration is used.
|
If the URL does not start with `/api/`, this configuration is used.
|
||||||
This configuration is considered after `ApiWebSecurityConfigurationAdapter`, since it has an `@Order` value after `1` (no `@Order` defaults to last).
|
This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).
|
||||||
====
|
====
|
||||||
|
|
|
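Review bot: Callout `<3>` still reads "The http.antMatcher states that this HttpSecurity is applicable only to URLs that start with /api/" while the Kotlin snippet above it calls `securityMatcher("/api/**")`; the commit rewrote the neighbouring callouts but left this pre-existing mismatch, so `The securityMatcher call states that this HttpSecurity is applicable only to URLs that start with /api/` would align it with the code. As in the Java configuration section, "There is a configuration class (called SecurityFilterChain) that is being invoked behind the scenes." describes an interface as a configuration class; `Spring Security registers a default SecurityFilterChain bean behind the scenes, built with the following configuration:` is more accurate. In the multi-chain hunk the new side places `@Order(1) <2>` above `@Bean`, whereas the Java section places `@Bean` first; annotation order does not matter, but keeping the two sections identical avoids readers wondering whether it does.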
@ -65,15 +65,15 @@ You can configure `CookieCsrfTokenRepository` in Java or Kotlin configuration by
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.csrf(csrf -> csrf
|
.csrf(csrf -> csrf
|
||||||
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
|
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -82,14 +82,16 @@ public class WebSecurityConfig extends
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
csrf {
|
csrf {
|
||||||
csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse()
|
csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -129,13 +131,13 @@ The following Java or Kotlin configuration disables CSRF protection:
|
||||||
----
|
----
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.csrf(csrf -> csrf.disable());
|
.csrf(csrf -> csrf.disable());
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -145,14 +147,16 @@ public class WebSecurityConfig extends
|
||||||
----
|
----
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
csrf {
|
csrf {
|
||||||
disable()
|
disable()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -329,15 +333,15 @@ For example, the following Java Configuration logs out when the `/logout` URL is
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.logout(logout -> logout
|
.logout(logout -> logout
|
||||||
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
|
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -346,14 +350,16 @@ public class WebSecurityConfig extends
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
logout {
|
logout {
|
||||||
logoutRequestMatcher = AntPathRequestMatcher("/logout")
|
logoutRequestMatcher = AntPathRequestMatcher("/logout")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
|
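Review bot: The Kotlin classes in this section are now declared `class SecurityConfig {` while their bean methods are `open fun filterChain(http: HttpSecurity): SecurityFilterChain {`; a Kotlin class is final by default, so `open` on the method has no effect unless the class is `open class SecurityConfig` (or the kotlin-spring compiler plugin opens both, in which case neither keyword is needed). Pick one form for all the Kotlin snippets this commit touches (the cookie-repository, disable-CSRF and logout-request-matcher examples here, and the headers section) and say in the surrounding text which one is assumed. Separately, only the disable-CSRF pair carries an explicit `@Configuration` next to `@EnableWebSecurity`, while the other classes rely on `@EnableWebSecurity` alone; whether that alone makes the class a configuration class depends on the Spring Security version the docs target, so the examples should either all include `@Configuration` or note the assumption.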
@ -21,11 +21,10 @@ You can do so with the following configuration:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -33,6 +32,7 @@ public class WebSecurityConfig extends
|
||||||
.sameOrigin()
|
.sameOrigin()
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -53,8 +53,9 @@ public class WebSecurityConfig extends
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
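Review bot: The new Kotlin snippet declares `class SecurityConfig {` as a final class and then marks the bean method `open fun filterChain(http: HttpSecurity): SecurityFilterChain`, so the `open` modifier has no effect (the Kotlin compiler reports "'open' has no effect in a final class"). Since `@EnableWebSecurity` is, as far as I recall, meta-annotated with `@Configuration` in this release line, Spring has to subclass the class to proxy the `@Bean` method, which a final class does not allow unless the kotlin-spring compiler plugin opens it; the CORS example in this same commit already uses the consistent form `open class WebSecurityConfig {`. The header snippets should match it: `open class SecurityConfig {`. The same pattern recurs in every other Kotlin hunk of this file and in the `requiresChannel` hunk of the HTTPS-redirect file further down.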
|
@ -63,6 +64,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -79,11 +81,10 @@ If you use Spring Security's configuration, the following adds only xref:feature
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -91,6 +92,7 @@ WebSecurityConfigurerAdapter {
|
||||||
.defaultsDisabled()
|
.defaultsDisabled()
|
||||||
.cacheControl(withDefaults())
|
.cacheControl(withDefaults())
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -111,8 +113,9 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
|
@ -122,6 +125,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -135,14 +139,14 @@ If necessary, you can disable all of the HTTP Security response headers with the
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers.disable());
|
.headers(headers -> headers.disable());
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -161,14 +165,16 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
disable()
|
disable()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -194,16 +200,16 @@ If necessary, you can also disable Spring Security's cache control HTTP response
|
||||||
----
|
----
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
.cacheControl(cache -> cache.disable())
|
.cacheControl(cache -> cache.disable())
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -224,9 +230,10 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
headers {
|
headers {
|
||||||
cacheControl {
|
cacheControl {
|
||||||
|
@ -234,6 +241,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -252,16 +260,16 @@ However, you can disable it:
|
||||||
----
|
----
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
.contentTypeOptions(contentTypeOptions -> contentTypeOptions.disable())
|
.contentTypeOptions(contentTypeOptions -> contentTypeOptions.disable())
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -282,9 +290,10 @@ public class WebSecurityConfig extends
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
headers {
|
headers {
|
||||||
contentTypeOptions {
|
contentTypeOptions {
|
||||||
|
@ -292,6 +301,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -310,11 +320,10 @@ The following example explicitly provides HSTS:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -324,6 +333,7 @@ WebSecurityConfigurerAdapter {
|
||||||
.maxAgeInSeconds(31536000)
|
.maxAgeInSeconds(31536000)
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -347,9 +357,10 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
headers {
|
headers {
|
||||||
httpStrictTransportSecurity {
|
httpStrictTransportSecurity {
|
||||||
|
@ -359,6 +370,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -376,11 +388,10 @@ You can enable HPKP headers with the following configuration:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -390,6 +401,7 @@ WebSecurityConfigurerAdapter {
|
||||||
.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=")
|
.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=")
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -416,9 +428,10 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
headers {
|
headers {
|
||||||
httpPublicKeyPinning {
|
httpPublicKeyPinning {
|
||||||
|
@ -429,6 +442,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -447,11 +461,10 @@ For example, the following configuration specifies that Spring Security should n
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -459,6 +472,7 @@ WebSecurityConfigurerAdapter {
|
||||||
.sameOrigin()
|
.sameOrigin()
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -481,9 +495,10 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
headers {
|
headers {
|
||||||
frameOptions {
|
frameOptions {
|
||||||
|
@ -491,6 +506,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -509,11 +525,10 @@ For example, the following configuration specifies that Spring Security should n
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -521,6 +536,7 @@ WebSecurityConfigurerAdapter {
|
||||||
.block(false)
|
.block(false)
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -541,9 +557,10 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
// ...
|
// ...
|
||||||
http {
|
http {
|
||||||
headers {
|
headers {
|
||||||
|
@ -552,6 +569,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -581,11 +599,10 @@ Given the preceding security policy, you can enable the CSP header:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -593,6 +610,7 @@ WebSecurityConfigurerAdapter {
|
||||||
.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
|
.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -614,9 +632,10 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
|
@ -625,6 +644,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -638,11 +658,10 @@ To enable the CSP `report-only` header, provide the following configuration:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -651,6 +670,7 @@ public class WebSecurityConfig extends
|
||||||
.reportOnly()
|
.reportOnly()
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -673,9 +693,10 @@ public class WebSecurityConfig extends
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
|
@ -685,6 +706,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -702,11 +724,10 @@ You can enable the Referrer Policy header by using the configuration:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -714,6 +735,7 @@ WebSecurityConfigurerAdapter {
|
||||||
.policy(ReferrerPolicy.SAME_ORIGIN)
|
.policy(ReferrerPolicy.SAME_ORIGIN)
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -734,9 +756,10 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
|
@ -745,6 +768,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -772,16 +796,16 @@ You can enable the preceding feature policy header by using the following config
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
.featurePolicy("geolocation 'self'")
|
.featurePolicy("geolocation 'self'")
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -802,15 +826,17 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
featurePolicy("geolocation 'self'")
|
featurePolicy("geolocation 'self'")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -838,11 +864,10 @@ You can enable the preceding permissions policy header using the following confi
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -850,6 +875,7 @@ WebSecurityConfigurerAdapter {
|
||||||
.policy("geolocation=(self)")
|
.policy("geolocation=(self)")
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -870,9 +896,10 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
|
@ -881,6 +908,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -907,16 +935,16 @@ You can send the preceding header on log out with the following configuration:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.logout((logout) -> logout
|
.logout((logout) -> logout
|
||||||
.addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(CACHE, COOKIES)))
|
.addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(CACHE, COOKIES)))
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -925,15 +953,17 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
logout {
|
logout {
|
||||||
addLogoutHandler(HeaderWriterLogoutHandler(ClearSiteDataHeaderWriter(CACHE, COOKIES)))
|
addLogoutHandler(HeaderWriterLogoutHandler(ClearSiteDataHeaderWriter(CACHE, COOKIES)))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -962,16 +992,16 @@ Given the preceding header, you could add the headers to the response by using t
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
.addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value"))
|
.addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value"))
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -992,15 +1022,17 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
addHeaderWriter(StaticHeadersWriter("X-Custom-Security-Header","header-value"))
|
addHeaderWriter(StaticHeadersWriter("X-Custom-Security-Header","header-value"))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -1019,16 +1051,16 @@ If you wanted to explicitly configure <<servlet-headers-frame-options>>, you cou
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
|
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -1055,15 +1087,17 @@ See https://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsi
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
addHeaderWriter(XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
|
addHeaderWriter(XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -1084,11 +1118,10 @@ The following configuration example uses `DelegatingRequestMatcherHeaderWriter`:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
RequestMatcher matcher = new AntPathRequestMatcher("/login");
|
RequestMatcher matcher = new AntPathRequestMatcher("/login");
|
||||||
DelegatingRequestMatcherHeaderWriter headerWriter =
|
DelegatingRequestMatcherHeaderWriter headerWriter =
|
||||||
new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter());
|
new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter());
|
||||||
|
@ -1098,6 +1131,7 @@ WebSecurityConfigurerAdapter {
|
||||||
.frameOptions(frameOptions -> frameOptions.disable())
|
.frameOptions(frameOptions -> frameOptions.disable())
|
||||||
.addHeaderWriter(headerWriter)
|
.addHeaderWriter(headerWriter)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -1131,9 +1165,10 @@ WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
val matcher: RequestMatcher = AntPathRequestMatcher("/login")
|
val matcher: RequestMatcher = AntPathRequestMatcher("/login")
|
||||||
val headerWriter = DelegatingRequestMatcherHeaderWriter(matcher, XFrameOptionsHeaderWriter())
|
val headerWriter = DelegatingRequestMatcherHeaderWriter(matcher, XFrameOptionsHeaderWriter())
|
||||||
http {
|
http {
|
||||||
|
@ -1144,6 +1179,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
addHeaderWriter(headerWriter)
|
addHeaderWriter(headerWriter)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
|
@ -19,16 +19,16 @@ For example, the following Java or Kotlin configuration redirects any HTTP reque
|
||||||
----
|
----
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.requiresChannel(channel -> channel
|
.requiresChannel(channel -> channel
|
||||||
.anyRequest().requiresSecure()
|
.anyRequest().requiresSecure()
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -38,15 +38,17 @@ public class WebSecurityConfig extends
|
||||||
----
|
----
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
requiresChannel {
|
requiresChannel {
|
||||||
secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
|
secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
|
@ -13,14 +13,15 @@ Users can integrate the `CorsFilter` with Spring Security by providing a `CorsCo
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class WebSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// by default uses a Bean by the name of corsConfigurationSource
|
// by default uses a Bean by the name of corsConfigurationSource
|
||||||
.cors(withDefaults())
|
.cors(withDefaults())
|
||||||
...
|
...
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
|
@ -39,13 +40,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
open class WebSecurityConfig : WebSecurityConfigurerAdapter() {
|
open class WebSecurityConfig {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// by default uses a Bean by the name of corsConfigurationSource
|
// by default uses a Bean by the name of corsConfigurationSource
|
||||||
cors { }
|
cors { }
|
||||||
// ...
|
// ...
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
|
@ -83,15 +86,16 @@ If you use Spring MVC's CORS support, you can omit specifying the `CorsConfigura
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class WebSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
|
// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
|
||||||
// Spring Security will use CORS configuration provided to Spring MVC
|
// Spring Security will use CORS configuration provided to Spring MVC
|
||||||
.cors(withDefaults())
|
.cors(withDefaults())
|
||||||
...
|
...
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -100,14 +104,16 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
open class WebSecurityConfig : WebSecurityConfigurerAdapter() {
|
open class WebSecurityConfig {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
|
// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
|
||||||
// Spring Security will use CORS configuration provided to Spring MVC
|
// Spring Security will use CORS configuration provided to Spring MVC
|
||||||
cors { }
|
cors { }
|
||||||
// ...
|
// ...
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
|
@ -148,23 +148,27 @@ To restrict access to this controller method to admin users, you can provide aut
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
protected configure(HttpSecurity http) throws Exception {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.antMatchers("/admin").hasRole("ADMIN")
|
.antMatchers("/admin").hasRole("ADMIN")
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(AntPathRequestMatcher("/admin"), hasRole("ADMIN"))
|
authorize(AntPathRequestMatcher("/admin"), hasRole("ADMIN"))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
@ -194,23 +198,27 @@ The following configuration protects the same URLs that Spring MVC matches on by
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
protected configure(HttpSecurity http) throws Exception {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.mvcMatchers("/admin").hasRole("ADMIN")
|
.mvcMatchers("/admin").hasRole("ADMIN")
|
||||||
);
|
);
|
||||||
|
// ...
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize("/admin", hasRole("ADMIN"))
|
authorize("/admin", hasRole("ADMIN"))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// ...
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
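Review bot: Both snippets in this hunk end the new `filterChain` method with `// ...` instead of a return, yet the method is now declared with a `SecurityFilterChain` return type, so neither the Java nor the Kotlin example compiles as written, and the sibling hunk at `@ -148` ends the same method with `return http.build();`. Replace the `// ...` line with `return http.build();` in the Java block and `return http.build()` in the Kotlin block so the mvc-matcher examples match the ant-matcher ones. If the ellipsis is meant to stand for omitted configuration, keep it and add the return statement after it.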
|
|
|
@ -379,11 +379,10 @@ Similarly, you can customize frame options to use the same origin within Java Co
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig extends
|
public class WebSecurityConfig {
|
||||||
WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
// ...
|
// ...
|
||||||
.headers(headers -> headers
|
.headers(headers -> headers
|
||||||
|
@ -391,6 +390,7 @@ public class WebSecurityConfig extends
|
||||||
.sameOrigin()
|
.sameOrigin()
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -399,8 +399,9 @@ public class WebSecurityConfig extends
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
open class WebSecurityConfig : WebSecurityConfigurerAdapter() {
|
open class WebSecurityConfig {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
// ...
|
// ...
|
||||||
headers {
|
headers {
|
||||||
|
@ -409,6 +410,7 @@ open class WebSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -437,11 +439,10 @@ For example, if our stomp endpoint is `/chat`, we can disable CSRF protection on
|
||||||
----
|
----
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig
|
public class WebSecurityConfig {
|
||||||
extends WebSecurityConfigurerAdapter {
|
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.csrf(csrf -> csrf
|
.csrf(csrf -> csrf
|
||||||
// ignore our stomp endpoints since they are protected using Stomp headers
|
// ignore our stomp endpoints since they are protected using Stomp headers
|
||||||
|
@ -466,8 +467,9 @@ public class WebSecurityConfig
|
||||||
----
|
----
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
open class WebSecurityConfig : WebSecurityConfigurerAdapter() {
|
open class WebSecurityConfig {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
csrf {
|
csrf {
|
||||||
ignoringAntMatchers("/chat/**")
|
ignoringAntMatchers("/chat/**")
|
||||||
|
|
|
@ -130,13 +130,13 @@ The following example shows how to configure the `DefaultOAuth2AuthorizationRequ
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
private ClientRegistrationRepository clientRegistrationRepository;
|
private ClientRegistrationRepository clientRegistrationRepository;
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
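Review bot: With `filterChain` now a `@Bean` method, the `ClientRegistrationRepository` that is presumably passed to `authorizationRequestResolver` (the method starts outside this hunk) can be injected as a method parameter instead of the `@Autowired` field carried over from the adapter version, e.g. `public SecurityFilterChain filterChain(HttpSecurity http, ClientRegistrationRepository clientRegistrationRepository) throws Exception {`. That keeps the example free of field injection and makes the dependency visible where it is used; the Kotlin counterpart at `@ -173` could likewise replace its `private lateinit var customClientRegistrationRepository` with a parameter. This is a style point only; the hunk is correct as written.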
|
@ -148,6 +148,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
private OAuth2AuthorizationRequestResolver authorizationRequestResolver(
|
private OAuth2AuthorizationRequestResolver authorizationRequestResolver(
|
||||||
|
@ -173,12 +174,13 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class SecurityConfig : WebSecurityConfigurerAdapter() {
|
class SecurityConfig {
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
private lateinit var customClientRegistrationRepository: ClientRegistrationRepository
|
private lateinit var customClientRegistrationRepository: ClientRegistrationRepository
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
|
@ -189,6 +191,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
private fun authorizationRequestResolver(
|
private fun authorizationRequestResolver(
|
||||||
|
@ -283,10 +286,10 @@ If you have a custom implementation of `AuthorizationRequestRepository`, you can
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2ClientSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Client(oauth2 -> oauth2
|
.oauth2Client(oauth2 -> oauth2
|
||||||
.authorizationCodeGrant(codeGrant -> codeGrant
|
.authorizationCodeGrant(codeGrant -> codeGrant
|
||||||
|
@ -294,6 +297,7 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
...
|
...
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -302,9 +306,10 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2ClientSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Client {
|
oauth2Client {
|
||||||
authorizationCodeGrant {
|
authorizationCodeGrant {
|
||||||
|
@ -312,6 +317,7 @@ class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -403,10 +409,10 @@ Whether you customize `DefaultAuthorizationCodeTokenResponseClient` or provide y
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2ClientSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Client(oauth2 -> oauth2
|
.oauth2Client(oauth2 -> oauth2
|
||||||
.authorizationCodeGrant(codeGrant -> codeGrant
|
.authorizationCodeGrant(codeGrant -> codeGrant
|
||||||
|
@ -414,6 +420,7 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
...
|
...
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -422,9 +429,10 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2ClientSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Client {
|
oauth2Client {
|
||||||
authorizationCodeGrant {
|
authorizationCodeGrant {
|
||||||
|
@ -432,6 +440,7 @@ class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
|
@ -30,10 +30,10 @@ The following code shows the complete configuration options provided by the `Htt
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2ClientSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Client(oauth2 -> oauth2
|
.oauth2Client(oauth2 -> oauth2
|
||||||
.clientRegistrationRepository(this.clientRegistrationRepository())
|
.clientRegistrationRepository(this.clientRegistrationRepository())
|
||||||
|
@ -45,6 +45,7 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
.accessTokenResponseClient(this.accessTokenResponseClient())
|
.accessTokenResponseClient(this.accessTokenResponseClient())
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -53,9 +54,10 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2ClientSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Client {
|
oauth2Client {
|
||||||
clientRegistrationRepository = clientRegistrationRepository()
|
clientRegistrationRepository = clientRegistrationRepository()
|
||||||
|
@ -68,6 +70,7 @@ class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
|
@ -14,10 +14,10 @@ The following code shows an example:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Login(oauth2 -> oauth2
|
.oauth2Login(oauth2 -> oauth2
|
||||||
.authorizationEndpoint(authorization -> authorization
|
.authorizationEndpoint(authorization -> authorization
|
||||||
|
@ -33,6 +33,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
...
|
...
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -41,9 +42,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Login {
|
oauth2Login {
|
||||||
authorizationEndpoint {
|
authorizationEndpoint {
|
||||||
|
@ -60,6 +62,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -92,10 +95,10 @@ The following code shows the complete configuration options available for the `o
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Login(oauth2 -> oauth2
|
.oauth2Login(oauth2 -> oauth2
|
||||||
.clientRegistrationRepository(this.clientRegistrationRepository())
|
.clientRegistrationRepository(this.clientRegistrationRepository())
|
||||||
|
@ -119,6 +122,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
.oidcUserService(this.oidcUserService())
|
.oidcUserService(this.oidcUserService())
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -127,9 +131,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Login {
|
oauth2Login {
|
||||||
clientRegistrationRepository = clientRegistrationRepository()
|
clientRegistrationRepository = clientRegistrationRepository()
|
||||||
|
@ -154,6 +159,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -230,10 +236,10 @@ The following listing shows an example:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Login(oauth2 -> oauth2
|
.oauth2Login(oauth2 -> oauth2
|
||||||
.loginPage("/login/oauth2")
|
.loginPage("/login/oauth2")
|
||||||
|
@ -243,6 +249,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
...
|
...
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -251,9 +258,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Login {
|
oauth2Login {
|
||||||
loginPage = "/login/oauth2"
|
loginPage = "/login/oauth2"
|
||||||
|
@ -262,6 +270,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -318,10 +327,10 @@ If you would like to customize the Authorization Response `baseUri`, configure i
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Login(oauth2 -> oauth2
|
.oauth2Login(oauth2 -> oauth2
|
||||||
.redirectionEndpoint(redirection -> redirection
|
.redirectionEndpoint(redirection -> redirection
|
||||||
|
@ -329,6 +338,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
...
|
...
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -337,9 +347,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Login {
|
oauth2Login {
|
||||||
redirectionEndpoint {
|
redirectionEndpoint {
|
||||||
|
@ -347,6 +358,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -427,10 +439,10 @@ Provide an implementation of `GrantedAuthoritiesMapper` and configure it, as fol
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Login(oauth2 -> oauth2
|
.oauth2Login(oauth2 -> oauth2
|
||||||
.userInfoEndpoint(userInfo -> userInfo
|
.userInfoEndpoint(userInfo -> userInfo
|
||||||
|
@ -438,6 +450,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
...
|
...
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
private GrantedAuthoritiesMapper userAuthoritiesMapper() {
|
private GrantedAuthoritiesMapper userAuthoritiesMapper() {
|
||||||
|
@ -475,9 +488,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Login {
|
oauth2Login {
|
||||||
userInfoEndpoint {
|
userInfoEndpoint {
|
||||||
|
@ -485,6 +499,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
private fun userAuthoritiesMapper(): GrantedAuthoritiesMapper = GrantedAuthoritiesMapper { authorities: Collection<GrantedAuthority> ->
|
private fun userAuthoritiesMapper(): GrantedAuthoritiesMapper = GrantedAuthoritiesMapper { authorities: Collection<GrantedAuthority> ->
|
||||||
|
@ -527,12 +542,13 @@ Alternatively, you can register a `GrantedAuthoritiesMapper` `@Bean` to have it
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Login(withDefaults());
|
.oauth2Login(withDefaults());
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
|
@ -546,12 +562,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Login { }
|
oauth2Login { }
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
|
@ -577,10 +595,10 @@ The following example shows how to implement and configure a delegation-based st
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Login(oauth2 -> oauth2
|
.oauth2Login(oauth2 -> oauth2
|
||||||
.userInfoEndpoint(userInfo -> userInfo
|
.userInfoEndpoint(userInfo -> userInfo
|
||||||
|
@ -588,6 +606,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
...
|
...
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
|
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
|
||||||
|
@ -617,9 +636,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Login {
|
oauth2Login {
|
||||||
userInfoEndpoint {
|
userInfoEndpoint {
|
||||||
|
@ -627,6 +647,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
|
@ -700,10 +721,10 @@ Whether you customize `DefaultOAuth2UserService` or provide your own implementat
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Login(oauth2 -> oauth2
|
.oauth2Login(oauth2 -> oauth2
|
||||||
.userInfoEndpoint(userInfo -> userInfo
|
.userInfoEndpoint(userInfo -> userInfo
|
||||||
|
@ -711,6 +732,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
...
|
...
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
|
private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
|
||||||
|
@ -723,9 +745,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Login {
|
oauth2Login {
|
||||||
userInfoEndpoint {
|
userInfoEndpoint {
|
||||||
|
@ -734,6 +757,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
private fun oauth2UserService(): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
|
private fun oauth2UserService(): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
|
||||||
|
@ -760,10 +784,10 @@ Whether you customize `OidcUserService` or provide your own implementation of `O
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.oauth2Login(oauth2 -> oauth2
|
.oauth2Login(oauth2 -> oauth2
|
||||||
.userInfoEndpoint(userInfo -> userInfo
|
.userInfoEndpoint(userInfo -> userInfo
|
||||||
|
@ -771,6 +795,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
...
|
...
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
|
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
|
||||||
|
@ -783,9 +808,10 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
oauth2Login {
|
oauth2Login {
|
||||||
userInfoEndpoint {
|
userInfoEndpoint {
|
||||||
|
@ -794,6 +820,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
private fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> {
|
private fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> {
|
||||||
|
@ -887,13 +914,13 @@ Also, you can configure `OidcClientInitiatedLogoutSuccessHandler`, which impleme
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
private ClientRegistrationRepository clientRegistrationRepository;
|
private ClientRegistrationRepository clientRegistrationRepository;
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
|
@ -902,6 +929,7 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
.logout(logout -> logout
|
.logout(logout -> logout
|
||||||
.logoutSuccessHandler(oidcLogoutSuccessHandler())
|
.logoutSuccessHandler(oidcLogoutSuccessHandler())
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
private LogoutSuccessHandler oidcLogoutSuccessHandler() {
|
private LogoutSuccessHandler oidcLogoutSuccessHandler() {
|
||||||
|
@ -921,11 +949,12 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
@Autowired
|
@Autowired
|
||||||
private lateinit var clientRegistrationRepository: ClientRegistrationRepository
|
private lateinit var clientRegistrationRepository: ClientRegistrationRepository
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
|
@ -935,6 +964,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
logoutSuccessHandler = oidcLogoutSuccessHandler()
|
logoutSuccessHandler = oidcLogoutSuccessHandler()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
private fun oidcLogoutSuccessHandler(): LogoutSuccessHandler {
|
private fun oidcLogoutSuccessHandler(): LogoutSuccessHandler {
|
||||||
|
|
|
@ -243,15 +243,14 @@ The Spring Boot 2.x auto-configuration class for OAuth Client support is `OAuth2
|
||||||
It performs the following tasks:
|
It performs the following tasks:
|
||||||
|
|
||||||
* Registers a `ClientRegistrationRepository` `@Bean` composed of `ClientRegistration`(s) from the configured OAuth Client properties.
|
* Registers a `ClientRegistrationRepository` `@Bean` composed of `ClientRegistration`(s) from the configured OAuth Client properties.
|
||||||
* Provides a `WebSecurityConfigurerAdapter` `@Configuration` and enables OAuth 2.0 Login through `httpSecurity.oauth2Login()`.
|
* Registers a `SecurityFilterChain` `@Bean` and enables OAuth 2.0 Login through `httpSecurity.oauth2Login()`.
|
||||||
|
|
||||||
If you need to override the auto-configuration based on your specific requirements, you may do so in the following ways:
|
If you need to override the auto-configuration based on your specific requirements, you may do so in the following ways:
|
||||||
|
|
||||||
* <<oauth2login-register-clientregistrationrepository-bean>>
|
* <<oauth2login-register-clientregistrationrepository-bean>>
|
||||||
* <<oauth2login-provide-websecurityconfigureradapter>>
|
* <<oauth2login-provide-securityfilterchain-bean>>
|
||||||
* <<oauth2login-completely-override-autoconfiguration>>
|
* <<oauth2login-completely-override-autoconfiguration>>
|
||||||
|
|
||||||
|
|
||||||
[[oauth2login-register-clientregistrationrepository-bean]]
|
[[oauth2login-register-clientregistrationrepository-bean]]
|
||||||
=== Register a ClientRegistrationRepository @Bean
|
=== Register a ClientRegistrationRepository @Bean
|
||||||
|
|
||||||
|
@ -319,10 +318,10 @@ class OAuth2LoginConfig {
|
||||||
====
|
====
|
||||||
|
|
||||||
|
|
||||||
[[oauth2login-provide-websecurityconfigureradapter]]
|
[[oauth2login-provide-securityfilterchain-bean]]
|
||||||
=== Provide a WebSecurityConfigurerAdapter
|
=== Register a SecurityFilterChain @Bean
|
||||||
|
|
||||||
The following example shows how to provide a `WebSecurityConfigurerAdapter` with `@EnableWebSecurity` and enable OAuth 2.0 login through `httpSecurity.oauth2Login()`:
|
The following example shows how to register a `SecurityFilterChain` `@Bean` with `@EnableWebSecurity` and enable OAuth 2.0 login through `httpSecurity.oauth2Login()`:
|
||||||
|
|
||||||
.OAuth2 Login Configuration
|
.OAuth2 Login Configuration
|
||||||
====
|
====
|
||||||
|
@ -330,15 +329,16 @@ The following example shows how to provide a `WebSecurityConfigurerAdapter` with
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.oauth2Login(withDefaults());
|
.oauth2Login(withDefaults());
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -347,15 +347,16 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
class OAuth2LoginSecurityConfig {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
}
|
}
|
||||||
oauth2Login { }
|
oauth2Login { }
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -365,7 +366,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
[[oauth2login-completely-override-autoconfiguration]]
|
[[oauth2login-completely-override-autoconfiguration]]
|
||||||
=== Completely Override the Auto-configuration
|
=== Completely Override the Auto-configuration
|
||||||
|
|
||||||
The following example shows how to completely override the auto-configuration by registering a `ClientRegistrationRepository` `@Bean` and providing a `WebSecurityConfigurerAdapter`.
|
The following example shows how to completely override the auto-configuration by registering a `ClientRegistrationRepository` `@Bean` and a `SecurityFilterChain` `@Bean`.
|
||||||
|
|
||||||
.Overriding the auto-configuration
|
.Overriding the auto-configuration
|
||||||
====
|
====
|
||||||
|
@ -375,17 +376,14 @@ The following example shows how to completely override the auto-configuration by
|
||||||
@Configuration
|
@Configuration
|
||||||
public class OAuth2LoginConfig {
|
public class OAuth2LoginConfig {
|
||||||
|
|
||||||
@EnableWebSecurity
|
@Bean
|
||||||
public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
|
|
||||||
@Override
|
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.oauth2Login(withDefaults());
|
.oauth2Login(withDefaults());
|
||||||
}
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
|
@ -418,17 +416,15 @@ public class OAuth2LoginConfig {
|
||||||
@Configuration
|
@Configuration
|
||||||
class OAuth2LoginConfig {
|
class OAuth2LoginConfig {
|
||||||
|
|
||||||
@EnableWebSecurity
|
@Bean
|
||||||
class OAuth2LoginSecurityConfig: WebSecurityConfigurerAdapter() {
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
}
|
}
|
||||||
oauth2Login { }
|
oauth2Login { }
|
||||||
}
|
}
|
||||||
}
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
|
@ -467,20 +463,17 @@ If you are not able to use Spring Boot 2.x and would like to configure one of th
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@Configuration
|
@EnableWebSecurity
|
||||||
public class OAuth2LoginConfig {
|
public class OAuth2LoginConfig {
|
||||||
|
|
||||||
@EnableWebSecurity
|
@Bean
|
||||||
public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
|
|
||||||
@Override
|
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.oauth2Login(withDefaults());
|
.oauth2Login(withDefaults());
|
||||||
}
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
|
@ -512,18 +505,17 @@ public class OAuth2LoginConfig {
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@Configuration
|
@EnableWebSecurity
|
||||||
open class OAuth2LoginConfig {
|
open class OAuth2LoginConfig {
|
||||||
@EnableWebSecurity
|
@Bean
|
||||||
open class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
override fun configure(http: HttpSecurity) {
|
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
}
|
}
|
||||||
oauth2Login { }
|
oauth2Login { }
|
||||||
}
|
}
|
||||||
}
|
return http.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
|
|
|
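Review bot: In the hunk `@ -347,15 +347,16 @@`, the Kotlin listing under "Register a SecurityFilterChain @Bean" turns `override fun configure(http: HttpSecurity)` into `open fun filterChain(http: HttpSecurity): SecurityFilterChain` but, unlike the Java listing directly above it (`@Override` → `@Bean`) and every other Kotlin listing in this commit, adds no `@Bean` annotation, so the method is never registered and Spring Boot's auto-configured chain stays in effect — a reader copying this example gets none of the `authorizeRequests`/`oauth2Login` rules they believe they configured. Insert `@Bean` on its own line immediately before `open fun filterChain(http: HttpSecurity): SecurityFilterChain {`, matching the other Kotlin examples. The Boot-based "Completely Override the Auto-configuration" listings also drop `@EnableWebSecurity` and keep only `@Configuration` plus the `@Bean`; that presumably relies on Boot applying `@EnableWebSecurity` on the application's behalf, and a one-sentence note saying so would help readers who lift the snippet into a non-Boot app, where the later section shows `@EnableWebSecurity` is still required.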
@ -137,26 +137,29 @@ This property can also be supplied directly on the <<oauth2resourceserver-jwt-jw
|
||||||
|
|
||||||
There are two ``@Bean``s that Spring Boot generates on Resource Server's behalf.
|
There are two ``@Bean``s that Spring Boot generates on Resource Server's behalf.
|
||||||
|
|
||||||
The first is a `WebSecurityConfigurerAdapter` that configures the app as a resource server. When including `spring-security-oauth2-jose`, this `WebSecurityConfigurerAdapter` looks like:
|
The first is a `SecurityFilterChain` that configures the app as a resource server. When including `spring-security-oauth2-jose`, this `SecurityFilterChain` looks like:
|
||||||
|
|
||||||
.Default JWT Configuration
|
.Default JWT Configuration
|
||||||
====
|
====
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
|
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
|
@ -165,11 +168,12 @@ fun configure(http: HttpSecurity) {
|
||||||
jwt { }
|
jwt { }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
|
||||||
If the application doesn't expose a `WebSecurityConfigurerAdapter` bean, then Spring Boot will expose the above default one.
|
If the application doesn't expose a `SecurityFilterChain` bean, then Spring Boot will expose the above default one.
|
||||||
|
|
||||||
Replacing this is as simple as exposing the bean within the application:
|
Replacing this is as simple as exposing the bean within the application:
|
||||||
|
|
||||||
|
@ -179,8 +183,9 @@ Replacing this is as simple as exposing the bean within the application:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
public class MyCustomSecurityConfiguration {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
||||||
|
@ -191,6 +196,7 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
|
||||||
.jwtAuthenticationConverter(myConverter())
|
.jwtAuthenticationConverter(myConverter())
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -199,8 +205,9 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
|
class MyCustomSecurityConfiguration {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize("/messages/**", hasAuthority("SCOPE_message:read"))
|
authorize("/messages/**", hasAuthority("SCOPE_message:read"))
|
||||||
|
@ -212,6 +219,7 @@ class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -296,8 +304,9 @@ An authorization server's JWK Set Uri can be configured <<oauth2resourceserver-j
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
public class DirectlyConfiguredJwkSetUri {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
|
@ -307,6 +316,7 @@ public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
||||||
.jwkSetUri("https://idp.example.com/.well-known/jwks.json")
|
.jwkSetUri("https://idp.example.com/.well-known/jwks.json")
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -315,8 +325,9 @@ public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class DirectlyConfiguredJwkSetUri : WebSecurityConfigurerAdapter() {
|
class DirectlyConfiguredJwkSetUri {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
|
@ -327,6 +338,7 @@ class DirectlyConfiguredJwkSetUri : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -356,8 +368,9 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter {
|
public class DirectlyConfiguredJwtDecoder {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
|
@ -367,6 +380,7 @@ public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter {
|
||||||
.decoder(myCustomDecoder())
|
.decoder(myCustomDecoder())
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -375,8 +389,9 @@ public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class DirectlyConfiguredJwtDecoder : WebSecurityConfigurerAdapter() {
|
class DirectlyConfiguredJwtDecoder {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
|
@ -387,6 +402,7 @@ class DirectlyConfiguredJwtDecoder : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -716,8 +732,9 @@ This means that to protect an endpoint or method with a scope derived from a JWT
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
public class DirectlyConfiguredJwkSetUri {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
|
.mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
|
||||||
|
@ -725,6 +742,7 @@ public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
|
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -733,8 +751,9 @@ public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class DirectlyConfiguredJwkSetUri : WebSecurityConfigurerAdapter() {
|
class DirectlyConfiguredJwkSetUri {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize("/contacts/**", hasAuthority("SCOPE_contacts"))
|
authorize("/contacts/**", hasAuthority("SCOPE_contacts"))
|
||||||
|
@ -745,6 +764,7 @@ class DirectlyConfiguredJwkSetUri : WebSecurityConfigurerAdapter() {
|
||||||
jwt { }
|
jwt { }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -923,8 +943,9 @@ static class CustomAuthenticationConverter implements Converter<Jwt, AbstractAut
|
||||||
// ...
|
// ...
|
||||||
|
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class CustomAuthenticationConverterConfig extends WebSecurityConfigurerAdapter {
|
public class CustomAuthenticationConverterConfig {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
|
@ -934,6 +955,7 @@ public class CustomAuthenticationConverterConfig extends WebSecurityConfigurerAd
|
||||||
.jwtAuthenticationConverter(new CustomAuthenticationConverter())
|
.jwtAuthenticationConverter(new CustomAuthenticationConverter())
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -950,8 +972,9 @@ internal class CustomAuthenticationConverter : Converter<Jwt, AbstractAuthentica
|
||||||
// ...
|
// ...
|
||||||
|
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class CustomAuthenticationConverterConfig : WebSecurityConfigurerAdapter() {
|
class CustomAuthenticationConverterConfig {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
|
@ -962,6 +985,7 @@ class CustomAuthenticationConverterConfig : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
|
@ -178,27 +178,30 @@ fun forFoosEyesOnly(): String {
|
||||||
|
|
||||||
There are two ``@Bean``s that Spring Boot generates on Resource Server's behalf.
|
There are two ``@Bean``s that Spring Boot generates on Resource Server's behalf.
|
||||||
|
|
||||||
The first is a `WebSecurityConfigurerAdapter` that configures the app as a resource server.
|
The first is a `SecurityFilterChain` that configures the app as a resource server.
|
||||||
When use Opaque Token, this `WebSecurityConfigurerAdapter` looks like:
|
When use Opaque Token, this `SecurityFilterChain` looks like:
|
||||||
|
|
||||||
.Default Opaque Token Configuration
|
.Default Opaque Token Configuration
|
||||||
====
|
====
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
|
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
|
@ -207,11 +210,12 @@ override fun configure(http: HttpSecurity) {
|
||||||
opaqueToken { }
|
opaqueToken { }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
|
||||||
If the application doesn't expose a `WebSecurityConfigurerAdapter` bean, then Spring Boot will expose the above default one.
|
If the application doesn't expose a `SecurityFilterChain` bean, then Spring Boot will expose the above default one.
|
||||||
|
|
||||||
Replacing this is as simple as exposing the bean within the application:
|
Replacing this is as simple as exposing the bean within the application:
|
||||||
|
|
||||||
|
@ -221,8 +225,9 @@ Replacing this is as simple as exposing the bean within the application:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
public class MyCustomSecurityConfiguration {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
||||||
|
@ -233,6 +238,7 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
|
||||||
.introspector(myIntrospector())
|
.introspector(myIntrospector())
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -241,8 +247,9 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
|
class MyCustomSecurityConfiguration {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize("/messages/**", hasAuthority("SCOPE_message:read"))
|
authorize("/messages/**", hasAuthority("SCOPE_message:read"))
|
||||||
|
@ -254,6 +261,7 @@ class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -335,8 +343,9 @@ An authorization server's Introspection Uri can be configured <<oauth2resourcese
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAdapter {
|
public class DirectlyConfiguredIntrospectionUri {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
|
@ -347,6 +356,7 @@ public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAda
|
||||||
.introspectionClientCredentials("client", "secret")
|
.introspectionClientCredentials("client", "secret")
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -355,8 +365,9 @@ public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAda
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class DirectlyConfiguredIntrospectionUri : WebSecurityConfigurerAdapter() {
|
class DirectlyConfiguredIntrospectionUri {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
|
@ -368,6 +379,7 @@ class DirectlyConfiguredIntrospectionUri : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -397,8 +409,9 @@ More powerful than `introspectionUri()` is `introspector()`, which will complete
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter {
|
public class DirectlyConfiguredIntrospector {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
|
@ -408,6 +421,7 @@ public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter
|
||||||
.introspector(myCustomIntrospector())
|
.introspector(myCustomIntrospector())
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -416,8 +430,9 @@ public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class DirectlyConfiguredIntrospector : WebSecurityConfigurerAdapter() {
|
class DirectlyConfiguredIntrospector {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
|
@ -428,6 +443,7 @@ class DirectlyConfiguredIntrospector : WebSecurityConfigurerAdapter() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -476,8 +492,9 @@ This means that to protect an endpoint or method with a scope derived from an Op
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class MappedAuthorities extends WebSecurityConfigurerAdapter {
|
public class MappedAuthorities {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorizeRequests -> authorizeRequests
|
.authorizeHttpRequests(authorizeRequests -> authorizeRequests
|
||||||
.mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
|
.mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
|
||||||
|
@ -485,6 +502,7 @@ public class MappedAuthorities extends WebSecurityConfigurerAdapter {
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
|
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -493,8 +511,9 @@ public class MappedAuthorities extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class MappedAuthorities : WebSecurityConfigurerAdapter() {
|
class MappedAuthorities {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize("/contacts/**", hasAuthority("SCOPE_contacts"))
|
authorize("/contacts/**", hasAuthority("SCOPE_contacts"))
|
||||||
|
@ -505,6 +524,7 @@ class MappedAuthorities : WebSecurityConfigurerAdapter() {
|
||||||
opaqueToken { }
|
opaqueToken { }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
|
@ -23,10 +23,10 @@ For that reason, you can configure `OpenSaml4AuthenticationProvider` 's default
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
public class SecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
|
OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
|
||||||
authenticationProvider.setAssertionValidator(OpenSaml4AuthenticationProvider
|
authenticationProvider.setAssertionValidator(OpenSaml4AuthenticationProvider
|
||||||
.createDefaultAssertionValidator(assertionToken -> {
|
.createDefaultAssertionValidator(assertionToken -> {
|
||||||
|
@ -44,6 +44,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
.saml2Login(saml2 -> saml2
|
.saml2Login(saml2 -> saml2
|
||||||
.authenticationManager(new ProviderManager(authenticationProvider))
|
.authenticationManager(new ProviderManager(authenticationProvider))
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -52,8 +53,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
open class SecurityConfig : WebSecurityConfigurerAdapter() {
|
open class SecurityConfig {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
val authenticationProvider = OpenSaml4AuthenticationProvider()
|
val authenticationProvider = OpenSaml4AuthenticationProvider()
|
||||||
authenticationProvider.setAssertionValidator(
|
authenticationProvider.setAssertionValidator(
|
||||||
OpenSaml4AuthenticationProvider
|
OpenSaml4AuthenticationProvider
|
||||||
|
@ -72,6 +74,7 @@ open class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
authenticationManager = ProviderManager(authenticationProvider)
|
authenticationManager = ProviderManager(authenticationProvider)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -88,12 +91,12 @@ In that case, the response authentication converter can come in handy, as can be
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
public class SecurityConfig {
|
||||||
@Autowired
|
@Autowired
|
||||||
UserDetailsService userDetailsService;
|
UserDetailsService userDetailsService;
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
|
OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
|
||||||
authenticationProvider.setResponseAuthenticationConverter(responseToken -> {
|
authenticationProvider.setResponseAuthenticationConverter(responseToken -> {
|
||||||
Saml2Authentication authentication = OpenSaml4AuthenticationProvider
|
Saml2Authentication authentication = OpenSaml4AuthenticationProvider
|
||||||
|
@ -112,6 +115,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
.saml2Login(saml2 -> saml2
|
.saml2Login(saml2 -> saml2
|
||||||
.authenticationManager(new ProviderManager(authenticationProvider))
|
.authenticationManager(new ProviderManager(authenticationProvider))
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -120,11 +124,12 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
open class SecurityConfig : WebSecurityConfigurerAdapter() {
|
open class SecurityConfig {
|
||||||
@Autowired
|
@Autowired
|
||||||
var userDetailsService: UserDetailsService? = null
|
var userDetailsService: UserDetailsService? = null
|
||||||
|
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
val authenticationProvider = OpenSaml4AuthenticationProvider()
|
val authenticationProvider = OpenSaml4AuthenticationProvider()
|
||||||
authenticationProvider.setResponseAuthenticationConverter { responseToken: OpenSaml4AuthenticationProvider.ResponseToken ->
|
authenticationProvider.setResponseAuthenticationConverter { responseToken: OpenSaml4AuthenticationProvider.ResponseToken ->
|
||||||
val authentication = OpenSaml4AuthenticationProvider
|
val authentication = OpenSaml4AuthenticationProvider
|
||||||
|
@ -143,6 +148,7 @@ open class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
authenticationManager = ProviderManager(authenticationProvider)
|
authenticationManager = ProviderManager(authenticationProvider)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -304,10 +310,10 @@ This authentication manager should expect a `Saml2AuthenticationToken` object co
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
public class SecurityConfig {
|
||||||
|
|
||||||
@Override
|
@Bean
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
AuthenticationManager authenticationManager = new MySaml2AuthenticationManager(...);
|
AuthenticationManager authenticationManager = new MySaml2AuthenticationManager(...);
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
|
@ -317,6 +323,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
.authenticationManager(authenticationManager)
|
.authenticationManager(authenticationManager)
|
||||||
)
|
)
|
||||||
;
|
;
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -325,8 +332,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
open class SecurityConfig : WebSecurityConfigurerAdapter() {
|
open class SecurityConfig {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
val customAuthenticationManager: AuthenticationManager = MySaml2AuthenticationManager(...)
|
val customAuthenticationManager: AuthenticationManager = MySaml2AuthenticationManager(...)
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
|
@ -336,6 +344,7 @@ open class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
authenticationManager = customAuthenticationManager
|
authenticationManager = customAuthenticationManager
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
|
@ -297,38 +297,42 @@ The `requireInitialize` method may be called only once per application instance.
|
||||||
|
|
||||||
Spring Boot generates two `@Bean` objects for a relying party.
|
Spring Boot generates two `@Bean` objects for a relying party.
|
||||||
|
|
||||||
The first is a `WebSecurityConfigurerAdapter` that configures the application as a relying party.
|
The first is a `SecurityFilterChain` that configures the application as a relying party.
|
||||||
When including `spring-security-saml2-service-provider`, the `WebSecurityConfigurerAdapter` looks like:
|
When including `spring-security-saml2-service-provider`, the `SecurityFilterChain` looks like:
|
||||||
|
|
||||||
.Default JWT Configuration
|
.Default JWT Configuration
|
||||||
====
|
====
|
||||||
.Java
|
.Java
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.saml2Login(withDefaults());
|
.saml2Login(withDefaults());
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
.Kotlin
|
.Kotlin
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize(anyRequest, authenticated)
|
authorize(anyRequest, authenticated)
|
||||||
}
|
}
|
||||||
saml2Login { }
|
saml2Login { }
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
|
||||||
If the application does not expose a `WebSecurityConfigurerAdapter` bean, Spring Boot exposes the preceding default one.
|
If the application does not expose a `SecurityFilterChain` bean, Spring Boot exposes the preceding default one.
|
||||||
|
|
||||||
You can replace this by exposing the bean within the application:
|
You can replace this by exposing the bean within the application:
|
||||||
|
|
||||||
|
@ -338,14 +342,16 @@ You can replace this by exposing the bean within the application:
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
public class MyCustomSecurityConfiguration {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.mvcMatchers("/messages/**").hasAuthority("ROLE_USER")
|
.mvcMatchers("/messages/**").hasAuthority("ROLE_USER")
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.saml2Login(withDefaults());
|
.saml2Login(withDefaults());
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -354,8 +360,9 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
|
class MyCustomSecurityConfiguration {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize("/messages/**", hasAuthority("ROLE_USER"))
|
authorize("/messages/**", hasAuthority("ROLE_USER"))
|
||||||
|
@ -364,6 +371,7 @@ class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
|
||||||
saml2Login {
|
saml2Login {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -480,7 +488,7 @@ open fun relyingPartyRegistrations(): RelyingPartyRegistrationRepository {
|
||||||
|
|
||||||
[[servlet-saml2login-relyingpartyregistrationrepository-dsl]]
|
[[servlet-saml2login-relyingpartyregistrationrepository-dsl]]
|
||||||
|
|
||||||
Alternatively, you can directly wire up the repository by using the DSL, which also overrides the auto-configured `WebSecurityConfigurerAdapter`:
|
Alternatively, you can directly wire up the repository by using the DSL, which also overrides the auto-configured `SecurityFilterChain`:
|
||||||
|
|
||||||
.Custom Relying Party Registration DSL
|
.Custom Relying Party Registration DSL
|
||||||
====
|
====
|
||||||
|
@ -488,8 +496,9 @@ Alternatively, you can directly wire up the repository by using the DSL, which a
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
public class MyCustomSecurityConfiguration {
|
||||||
protected void configure(HttpSecurity http) {
|
@Bean
|
||||||
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
.mvcMatchers("/messages/**").hasAuthority("ROLE_USER")
|
.mvcMatchers("/messages/**").hasAuthority("ROLE_USER")
|
||||||
|
@ -498,6 +507,7 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
|
||||||
.saml2Login(saml2 -> saml2
|
.saml2Login(saml2 -> saml2
|
||||||
.relyingPartyRegistrationRepository(relyingPartyRegistrations())
|
.relyingPartyRegistrationRepository(relyingPartyRegistrations())
|
||||||
);
|
);
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -506,8 +516,9 @@ public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
|
class MyCustomSecurityConfiguration {
|
||||||
override fun configure(http: HttpSecurity) {
|
@Bean
|
||||||
|
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
http {
|
http {
|
||||||
authorizeRequests {
|
authorizeRequests {
|
||||||
authorize("/messages/**", hasAuthority("ROLE_USER"))
|
authorize("/messages/**", hasAuthority("ROLE_USER"))
|
||||||
|
@ -517,6 +528,7 @@ class MyCustomSecurityConfiguration : WebSecurityConfigurerAdapter() {
|
||||||
relyingPartyRegistrationRepository = relyingPartyRegistrations()
|
relyingPartyRegistrationRepository = relyingPartyRegistrations()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return http.build()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|