Merge branch '6.2.x'

This commit is contained in:
Steve Riesenberg 2023-12-29 11:18:37 -06:00
commit 6b9ba64483
No known key found for this signature in database
GPG Key ID: 3D0169B18AB8F0A9
2 changed files with 13 additions and 12 deletions

View File

@ -112,7 +112,7 @@ public class SecurityWebApplicationInitializer
}
----
This onlys register the `springSecurityFilterChain` for every URL in your application.
This only registers the `springSecurityFilterChain` for every URL in your application.
After that, we need to ensure that `WebSecurityConfig` was loaded in our existing `ApplicationInitializer`.
For example, if we use Spring MVC it is added in the `getServletConfigClasses()`:
@ -131,7 +131,7 @@ public class MvcWebApplicationInitializer extends
}
----
The reason for this is that Spring Security needs to be able to inspect some Spring MVC configuration in order to appropriately configure xref:servlet/authorization/authorize-http-requests.adoc#_request_matchers[underlying request matchers], so they need to be in the same application context.
The reason for this is that Spring Security needs to be able to inspect some Spring MVC configuration in order to appropriately configure xref:servlet/authorization/authorize-http-requests.adoc#authorizing-endpoints[underlying request matchers], so they need to be in the same application context.
Placing Spring Security in `getRootConfigClasses` places it into a parent application context that may not be able to find Spring MVC's `HandlerMappingIntrospector`.
==== Configuring for Multiple Spring MVC Dispatchers
@ -203,7 +203,7 @@ Note that this configuration is parallels the XML Namespace configuration:
We can configure multiple `HttpSecurity` instances just as we can have multiple `<http>` blocks in XML.
The key is to register multiple `SecurityFilterChain` ``@Bean``s.
The following example has a different configuration for URL's that start with `/api/`.
The following example has a different configuration for URLs that start with `/api/`.
[source,java]
----

View File

@ -1,6 +1,7 @@
[[kotlin-config]]
= Kotlin Configuration
Spring Security Kotlin configuration has been available since Spring Security 5.3.
It lets users configure Spring Security by using a native Kotlin DSL.
@ -35,7 +36,7 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
----
[NOTE]
Make sure that import the `invoke` function in your class, sometimes the IDE will not auto-import it causing compilation issues.
Make sure to import the `invoke` function in your class, as the IDE will not always auto-import the method, causing compilation issues.
The default configuration (shown in the preceding listing):
@ -43,7 +44,7 @@ The default configuration (shown in the preceding listing):
* Lets users authenticate with form-based login
* Lets users authenticate with HTTP Basic authentication
Note that this configuration is parallels the XML namespace configuration:
Note that this configuration parallels the XML namespace configuration:
[source,xml]
----
@ -58,13 +59,13 @@ Note that this configuration is parallels the XML namespace configuration:
We can configure multiple `HttpSecurity` instances, just as we can have multiple `<http>` blocks.
The key is to register multiple `SecurityFilterChain` ``@Bean``s.
The following example has a different configuration for URL's that start with `/api/`:
The following example has a different configuration for URLs that start with `/api/`:
[source,kotlin]
----
@Configuration
import org.springframework.security.config.annotation.web.invoke
@Configuration
@EnableWebSecurity
class MultiHttpSecurityConfig {
@Bean <1>
@ -104,7 +105,7 @@ class MultiHttpSecurityConfig {
<1> Configure Authentication as usual.
<2> Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
<3> The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
<3> The `http.securityMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
<4> Create another instance of `SecurityFilterChain`.
If the URL does not start with `/api/`, this configuration is used.
This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).