Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 01:02:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improve docs on dispatcherTypeMatcher

Browse Source 
Closes gh-11467
This commit is contained in:
Marcus Da Coregio 2022-07-13 09:04:21 -03:00
parent 7df9c6eba5
commit 64ba31aebb
2 changed files with 115 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
View File

@ -205,3 +205,78 @@ open fun web(http: HttpSecurity): SecurityFilterChain {
} }
---- ----
==== ====
Now with the authorization rules applying to all dispatcher types, you have more control of the authorization on them.
For example, you may want to configure `shouldFilterAllDispatcherTypes` to `true` but not apply authorization on requests with dispatcher type `ASYNC` or `FORWARD`.
.Permit ASYNC and FORWARD dispatcher type
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.shouldFilterAllDispatcherTypes(true)
.dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.FORWARD).permitAll()
.anyRequest().authenticated()
)
// ...
return http.build();
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
open fun web(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
shouldFilterAllDispatcherTypes = true
authorize(DispatcherTypeRequestMatcher(DispatcherType.ASYNC, DispatcherType.FORWARD), permitAll)
authorize(anyRequest, authenticated)
}
}
return http.build()
}
----
====
You can also customize it to require a specific role for a dispatcher type:
.Require ADMIN for Dispatcher Type ERROR
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.shouldFilterAllDispatcherTypes(true)
.dispatcherTypeMatchers(DispatcherType.ERROR).hasRole("ADMIN")
.anyRequest().authenticated()
)
// ...
return http.build();
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
open fun web(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
shouldFilterAllDispatcherTypes = true
authorize(DispatcherTypeRequestMatcher(DispatcherType.ERROR), hasRole("ADMIN"))
authorize(anyRequest, authenticated)
}
}
return http.build()
}
----
====

40
docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc
View File

@ -129,6 +129,7 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
return http.build() return http.build()
} }
---- ----
====
<1> There are multiple authorization rules specified. <1> There are multiple authorization rules specified.
Each rule is considered in the order they were declared. Each rule is considered in the order they were declared.
<2> We specified multiple URL patterns that any user can access. <2> We specified multiple URL patterns that any user can access.
@ -141,3 +142,42 @@ You will notice that since we are using the `hasRole` expression we do not need
This is a good strategy if you do not want to accidentally forget to update your authorization rules. This is a good strategy if you do not want to accidentally forget to update your authorization rules.
==== ====
[[filtersecurityinterceptor-every-request]]
== Configure FilterSecurityInterceptor with Dispatcher Types
By default, the `FilterSecurityInterceptor` applies to every request.
This means that if a request is dispatched from a request that was already filtered, the `FilterSecurityInterceptor` will perform the same authorization checks on the dispatched request.
In some scenarios, you may not want to apply authorization on some dispatcher types:
.Permit ASYNC and ERROR dispatcher types
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
http
.authorizeRequests((authorize) -> authorize
.dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.ERROR).permitAll()
.anyRequest.authenticated()
)
// ...
return http.build();
}
----
.XML
[source,xml]
----
<http auto-config="true">
<intercept-url request-matcher-ref="dispatcherTypeMatcher" access="permitAll" />
<intercept-url pattern="/**" access="authenticated"/>
</http>
<b:bean id="dispatcherTypeMatcher" class="org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher">
<b:constructor-arg value="ASYNC"/>
<b:constructor-arg value="ERROR"/>
</b:bean>
----
====