Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-31 06:38:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improve docs on dispatcherTypeMatcher

Browse Source 
Closes gh-11467
This commit is contained in:
Marcus Da Coregio 2022-07-13 09:04:21 -03:00
parent 624fdfa731
commit 57d6ab7134
2 changed files with 143 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
View File

@ -205,3 +205,78 @@ open fun web(http: HttpSecurity): SecurityFilterChain {
} }
---- ----
==== ====
Now with the authorization rules applying to all dispatcher types, you have more control of the authorization on them.
For example, you may want to configure `shouldFilterAllDispatcherTypes` to `true` but not apply authorization on requests with dispatcher type `ASYNC` or `FORWARD`.
.Permit ASYNC and FORWARD dispatcher type
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.shouldFilterAllDispatcherTypes(true)
.dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.FORWARD).permitAll()
.anyRequest().authenticated()
)
// ...
return http.build();
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
open fun web(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
shouldFilterAllDispatcherTypes = true
authorize(DispatcherTypeRequestMatcher(DispatcherType.ASYNC, DispatcherType.FORWARD), permitAll)
authorize(anyRequest, authenticated)
}
}
return http.build()
}
----
====
You can also customize it to require a specific role for a dispatcher type:
.Require ADMIN for Dispatcher Type ERROR
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.shouldFilterAllDispatcherTypes(true)
.dispatcherTypeMatchers(DispatcherType.ERROR).hasRole("ADMIN")
.anyRequest().authenticated()
)
// ...
return http.build();
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
open fun web(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
shouldFilterAllDispatcherTypes = true
authorize(DispatcherTypeRequestMatcher(DispatcherType.ERROR), hasRole("ADMIN"))
authorize(anyRequest, authenticated)
}
}
return http.build()
}
----
====

68
docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc
View File

@ -137,3 +137,71 @@ You will notice that since we are invoking the `hasRole` method we do not need t
You will notice that since we are using the `hasRole` expression we do not need to specify the "ROLE_" prefix. You will notice that since we are using the `hasRole` expression we do not need to specify the "ROLE_" prefix.
<5> Any URL that has not already been matched on is denied access. <5> Any URL that has not already been matched on is denied access.
This is a good strategy if you do not want to accidentally forget to update your authorization rules. This is a good strategy if you do not want to accidentally forget to update your authorization rules.
[[filtersecurityinterceptor-every-request]]
== Apply FilterSecurityInterceptor to every request
By default, the `FilterSecurityInterceptor` only applies once to a request.
This means that if a request is dispatched from a request that was already filtered, the `FilterSecurityInterceptor` will back-off and not perform any authorization checks.
In some scenarios, you may want to apply the filter to every request.
You can configure Spring Security to apply the authorization rules to every request by using the `filterSecurityInterceptorOncePerRequest` method:
.Set filterSecurityInterceptorOncePerRequest to false
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
http
.authorizeRequests((authorize) -> authorize
.filterSecurityInterceptorOncePerRequest(false)
.anyRequest.authenticated()
)
// ...
return http.build();
}
----
.XML
[source,xml]
----
<http once-per-request="false">
<intercept-url pattern="/**" access="authenticated"/>
</http>
----
====
You can also configure authorization based on the request dispatcher type:
.Permit ASYNC dispatcher type
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
http
.authorizeRequests((authorize) -> authorize
.filterSecurityInterceptorOncePerRequest(false)
.dispatcherTypeMatchers(DispatcherType.ASYNC).permitAll()
.anyRequest.authenticated()
)
// ...
return http.build();
}
----
.XML
[source,xml]
----
<http auto-config="true" once-per-request="false">
<intercept-url request-matcher-ref="dispatcherTypeMatcher" access="permitAll" />
<intercept-url pattern="/**" access="authenticated"/>
</http>
<b:bean id="dispatcherTypeMatcher" class="org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher">
<b:constructor-arg value="ASYNC"/>
</b:bean>
----
====