Merge branch '6.2.x'

Steve Riesenberg 2023-12-29 11:18:37 -06:00
commit 6b9ba64483
No known key found for this signature in database
GPG Key ID: 3D0169B18AB8F0A9
2 changed files with 13 additions and 12 deletions

@ -112,7 +112,7 @@ public class SecurityWebApplicationInitializer
} }
---- ----
This onlys register the `springSecurityFilterChain` for every URL in your application. This only registers the `springSecurityFilterChain` for every URL in your application.
After that, we need to ensure that `WebSecurityConfig` was loaded in our existing `ApplicationInitializer`. After that, we need to ensure that `WebSecurityConfig` was loaded in our existing `ApplicationInitializer`.
For example, if we use Spring MVC it is added in the `getServletConfigClasses()`: For example, if we use Spring MVC it is added in the `getServletConfigClasses()`:
@ -131,7 +131,7 @@ public class MvcWebApplicationInitializer extends
} }
---- ----
The reason for this is that Spring Security needs to be able to inspect some Spring MVC configuration in order to appropriately configure xref:servlet/authorization/authorize-http-requests.adoc#_request_matchers[underlying request matchers], so they need to be in the same application context. The reason for this is that Spring Security needs to be able to inspect some Spring MVC configuration in order to appropriately configure xref:servlet/authorization/authorize-http-requests.adoc#authorizing-endpoints[underlying request matchers], so they need to be in the same application context.
Placing Spring Security in `getRootConfigClasses` places it into a parent application context that may not be able to find Spring MVC's `HandlerMappingIntrospector`. Placing Spring Security in `getRootConfigClasses` places it into a parent application context that may not be able to find Spring MVC's `HandlerMappingIntrospector`.
==== Configuring for Multiple Spring MVC Dispatchers ==== Configuring for Multiple Spring MVC Dispatchers
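Review bot: The new xref target on the changed line, `#authorizing-endpoints`, has to exist as an anchor in `servlet/authorization/authorize-http-requests.adoc`; the old `#_request_matchers` has the form of an auto-generated section id, the new one does not. Please confirm the anchor is defined in that file, and that the link text "underlying request matchers" still describes the section the link now lands on.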
@ -203,7 +203,7 @@ Note that this configuration is parallels the XML Namespace configuration:
We can configure multiple `HttpSecurity` instances just as we can have multiple `<http>` blocks in XML. We can configure multiple `HttpSecurity` instances just as we can have multiple `<http>` blocks in XML.
The key is to register multiple `SecurityFilterChain` ``@Bean``s. The key is to register multiple `SecurityFilterChain` ``@Bean``s.
The following example has a different configuration for URL's that start with `/api/`. The following example has a different configuration for URLs that start with `/api/`.
[source,java] [source,java]
---- ----
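Review bot: The hunk header still shows "Note that this configuration is parallels the XML Namespace configuration:" as unchanged text in this file, while the same sentence is corrected to "parallels" in the Kotlin page later in this commit. Suggest fixing it here too so both pages read the same. The `URL's` to `URLs` change on the last prose line is fine.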
@ -224,7 +224,7 @@ public class MultiHttpSecurityConfig {
@Order(1) <2> @Order(1) <2>
public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception { public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
http http
.securityMatcher("/api/**") <3> .securityMatcher("/api/**") <3>
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
.anyRequest().hasRole("ADMIN") .anyRequest().hasRole("ADMIN")
) )

@ -1,6 +1,7 @@
[[kotlin-config]] [[kotlin-config]]
= Kotlin Configuration = Kotlin Configuration
Spring Security Kotlin configuration has been available since Spring Security 5.3. Spring Security Kotlin configuration has been available since Spring Security 5.3.
It lets users configure Spring Security by using a native Kotlin DSL. It lets users configure Spring Security by using a native Kotlin DSL.
@ -23,19 +24,19 @@ import org.springframework.security.config.annotation.web.invoke
@Bean @Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain { open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeHttpRequests { authorizeHttpRequests {
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
} }
formLogin { } formLogin { }
httpBasic { } httpBasic { }
} }
return http.build() return http.build()
} }
---- ----
[NOTE] [NOTE]
Make sure that import the `invoke` function in your class, sometimes the IDE will not auto-import it causing compilation issues. Make sure to import the `invoke` function in your class, as the IDE will not always auto-import the method, causing compilation issues.
The default configuration (shown in the preceding listing): The default configuration (shown in the preceding listing):
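Review bot: In the reworded NOTE line, `invoke` is called a "function" at the start of the sentence and "the method" at the end; suggest "will not always auto-import it" or "the function" so the wording is consistent. It would also help to name the import that is meant, `org.springframework.security.config.annotation.web.invoke` (visible in this hunk's header), so a reader can add it by hand when the IDE misses it.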
@ -43,7 +44,7 @@ The default configuration (shown in the preceding listing):
* Lets users authenticate with form-based login * Lets users authenticate with form-based login
* Lets users authenticate with HTTP Basic authentication * Lets users authenticate with HTTP Basic authentication
Note that this configuration is parallels the XML namespace configuration: Note that this configuration parallels the XML namespace configuration:
[source,xml] [source,xml]
---- ----
@ -58,13 +59,13 @@ Note that this configuration is parallels the XML namespace configuration:
We can configure multiple `HttpSecurity` instances, just as we can have multiple `<http>` blocks. We can configure multiple `HttpSecurity` instances, just as we can have multiple `<http>` blocks.
The key is to register multiple `SecurityFilterChain` ``@Bean``s. The key is to register multiple `SecurityFilterChain` ``@Bean``s.
The following example has a different configuration for URL's that start with `/api/`: The following example has a different configuration for URLs that start with `/api/`:
[source,kotlin] [source,kotlin]
---- ----
@Configuration
import org.springframework.security.config.annotation.web.invoke import org.springframework.security.config.annotation.web.invoke
@Configuration
@EnableWebSecurity @EnableWebSecurity
class MultiHttpSecurityConfig { class MultiHttpSecurityConfig {
@Bean <1> @Bean <1>
@ -104,7 +105,7 @@ class MultiHttpSecurityConfig {
<1> Configure Authentication as usual. <1> Configure Authentication as usual.
<2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first. <2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/` <3> The `http.securityMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
<4> Create another instance of `SecurityFilterChain`. <4> Create another instance of `SecurityFilterChain`.
If the URL does not start with `/api/`, this configuration is used. If the URL does not start with `/api/`, this configuration is used.
This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last). This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).
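Review bot: Callout <3> now names `http.securityMatcher`, which agrees with the `.securityMatcher("/api/**") <3>` line in the Java listing in the other file, but the corresponding callout text on the Java page is not part of this diff; please check it does not still refer to `antMatcher`. Minor style point: <3> is the only callout in this list without a trailing period.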