diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
index 7b1884b86b..e7397d9c04 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -548,9 +548,10 @@ public final class HttpSecurity extends
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http
- * .authorizeRequests()
- * .anyRequest().hasRole("USER")
- * .and()
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .anyRequest().hasRole("USER")
+ * )
* .formLogin(formLogin ->
* formLogin
* .permitAll()
@@ -769,9 +770,10 @@ public final class HttpSecurity extends
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http
- * .authorizeRequests()
- * .antMatchers("/**").hasRole("USER")
- * .and()
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * )
* .jee(jee ->
* jee
* .mappableRoles("USER", "ADMIN")
@@ -878,10 +880,10 @@ public final class HttpSecurity extends
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http
- * .authorizeRequests()
- * .antMatchers("/**")
- * .hasRole("USER")
- * .and()
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * )
* .x509(withDefaults());
* }
* }
@@ -952,9 +954,10 @@ public final class HttpSecurity extends
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http
- * .authorizeRequests()
- * .antMatchers("/**").hasRole("USER")
- * .and()
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * )
* .formLogin(withDefaults())
* .rememberMe(withDefaults());
* }
@@ -1042,6 +1045,91 @@ public final class HttpSecurity extends
.getRegistry();
}
+ /**
+ * Allows restricting access based upon the {@link HttpServletRequest} using
+ * {@link RequestMatcher} implementations (i.e. via URL patterns).
+ *
+ * Example Configurations
+ *
+ * The most basic example is to configure all URLs to require the role "ROLE_USER".
+ * The configuration below requires authentication to every URL and will grant access
+ * to both the user "admin" and "user".
+ *
+ *
+ * @Configuration
+ * @EnableWebSecurity
+ * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
+ *
+ * @Override
+ * protected void configure(HttpSecurity http) throws Exception {
+ * http
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * )
+ * .formLogin(withDefaults());
+ * }
+ * }
+ *
+ *
+ * We can also configure multiple URLs. The configuration below requires
+ * authentication to every URL and will grant access to URLs starting with /admin/ to
+ * only the "admin" user. All other URLs either user can access.
+ *
+ *
+ * @Configuration
+ * @EnableWebSecurity
+ * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
+ *
+ * @Override
+ * protected void configure(HttpSecurity http) throws Exception {
+ * http
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/admin/**").hasRole("ADMIN")
+ * .antMatchers("/**").hasRole("USER")
+ * )
+ * .formLogin(withDefaults());
+ * }
+ * }
+ *
+ *
+ * Note that the matchers are considered in order. Therefore, the following is invalid
+ * because the first matcher matches every request and will never get to the second
+ * mapping:
+ *
+ *
+ * @Configuration
+ * @EnableWebSecurity
+ * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
+ *
+ * @Override
+ * protected void configure(HttpSecurity http) throws Exception {
+ * http
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * .antMatchers("/admin/**").hasRole("ADMIN")
+ * );
+ * }
+ * }
+ *
+ *
+ * @see #requestMatcher(RequestMatcher)
+ *
+ * @param authorizeRequestsCustomizer the {@link Customizer} to provide more options for
+ * the {@link ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry}
+ * @return the {@link HttpSecurity} for further customizations
+ * @throws Exception
+ */
+ public HttpSecurity authorizeRequests(Customizer.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer)
+ throws Exception {
+ ApplicationContext context = getContext();
+ authorizeRequestsCustomizer.customize(getOrApply(new ExpressionUrlAuthorizationConfigurer<>(context))
+ .getRegistry());
+ return HttpSecurity.this;
+ }
+
/**
* Allows configuring the Request Cache. For example, a protected page (/protected)
* may be requested prior to authentication. The application will redirect the user to
@@ -1075,9 +1163,10 @@ public final class HttpSecurity extends
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http
- * .authorizeRequests()
- * .antMatchers("/**").hasRole("USER")
- * .and()
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * )
* .requestCache(requestCache ->
* requestCache.disable()
* );
@@ -1124,9 +1213,10 @@ public final class HttpSecurity extends
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http
- * .authorizeRequests()
- * .antMatchers("/**").hasRole("USER")
- * .and()
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * )
* // sample exception handling customization
* .exceptionHandling(exceptionHandling ->
* exceptionHandling
@@ -1288,9 +1378,10 @@ public final class HttpSecurity extends
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http
- * .authorizeRequests()
- * .antMatchers("/**").hasRole("USER")
- * .and()
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * )
* .formLogin(withDefaults())
* // sample logout customization
* .logout(logout ->
@@ -1460,9 +1551,10 @@ public final class HttpSecurity extends
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http
- * .authorizeRequests()
- * .antMatchers("/**").hasRole("USER")
- * .and()
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * )
* .formLogin(withDefaults());
* }
* }
@@ -1478,9 +1570,10 @@ public final class HttpSecurity extends
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http
- * .authorizeRequests()
- * .antMatchers("/**").hasRole("USER")
- * .and()
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * )
* .formLogin(formLogin ->
* formLogin
* .usernameParameter("username")
@@ -1717,9 +1810,10 @@ public final class HttpSecurity extends
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http
- * .authorizeRequests()
- * .antMatchers("/**").hasRole("USER")
- * .and()
+ * .authorizeRequests(authorizeRequests ->
+ * authorizeRequests
+ * .antMatchers("/**").hasRole("USER")
+ * )
* .httpBasic(withDefaults());
* }
* }
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java
index 526f3b8657..b9fb86db21 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -49,6 +49,7 @@ import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.spy;
+import static org.springframework.security.config.Customizer.withDefaults;
/**
* @author Rob Winch
@@ -113,6 +114,39 @@ public class AuthorizeRequestsTests {
}
}
+ @Test
+ public void postWhenPostDenyAllInLambdaThenRespondsWithForbidden() throws Exception {
+ loadConfig(AntMatchersNoPatternsInLambdaConfig.class);
+ this.request.setMethod("POST");
+
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
+ }
+
+ @EnableWebSecurity
+ @Configuration
+ static class AntMatchersNoPatternsInLambdaConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .antMatchers(HttpMethod.POST).denyAll()
+ );
+ // @formatter:on
+ }
+
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ // @formatter:off
+ auth
+ .inMemoryAuthentication();
+ // @formatter:on
+ }
+ }
+
// SEC-2256
@Test
public void antMatchersPathVariables() throws Exception {
@@ -314,6 +348,66 @@ public class AuthorizeRequestsTests {
}
}
+ @Test
+ public void requestWhenMvcMatcherDenyAllThenRespondsWithUnauthorized() throws Exception {
+ loadConfig(MvcMatcherInLambdaConfig.class);
+
+ this.request.setRequestURI("/path");
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus())
+ .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+
+ setup();
+
+ this.request.setRequestURI("/path.html");
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus())
+ .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+
+ setup();
+
+ this.request.setServletPath("/path/");
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus())
+ .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+ }
+
+ @EnableWebSecurity
+ @Configuration
+ @EnableWebMvc
+ static class MvcMatcherInLambdaConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .httpBasic(withDefaults())
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .mvcMatchers("/path").denyAll()
+ );
+ // @formatter:on
+ }
+
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ // @formatter:off
+ auth
+ .inMemoryAuthentication();
+ // @formatter:on
+ }
+
+ @RestController
+ static class PathController {
+ @RequestMapping("/path")
+ public String path() {
+ return "path";
+ }
+ }
+ }
+
@Test
public void mvcMatcherServletPath() throws Exception {
loadConfig(MvcMatcherServletPathConfig.class);
@@ -391,6 +485,85 @@ public class AuthorizeRequestsTests {
}
}
+ @Test
+ public void requestWhenMvcMatcherServletPathDenyAllThenMatchesOnServletPath() throws Exception {
+ loadConfig(MvcMatcherServletPathInLambdaConfig.class);
+
+ this.request.setServletPath("/spring");
+ this.request.setRequestURI("/spring/path");
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus())
+ .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+
+ setup();
+
+ this.request.setServletPath("/spring");
+ this.request.setRequestURI("/spring/path.html");
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus())
+ .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+
+ setup();
+
+ this.request.setServletPath("/spring");
+ this.request.setRequestURI("/spring/path/");
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus())
+ .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+
+ setup();
+
+ this.request.setServletPath("/foo");
+ this.request.setRequestURI("/foo/path");
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+
+ setup();
+
+ this.request.setServletPath("/");
+ this.request.setRequestURI("/path");
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+ }
+
+ @EnableWebSecurity
+ @Configuration
+ @EnableWebMvc
+ static class MvcMatcherServletPathInLambdaConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .httpBasic(withDefaults())
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .mvcMatchers("/path").servletPath("/spring").denyAll()
+ );
+ // @formatter:on
+ }
+
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ // @formatter:off
+ auth
+ .inMemoryAuthentication();
+ // @formatter:on
+ }
+
+ @RestController
+ static class PathController {
+ @RequestMapping("/path")
+ public String path() {
+ return "path";
+ }
+ }
+ }
+
@Test
public void mvcMatcherPathVariables() throws Exception {
loadConfig(MvcMatcherPathVariablesConfig.class);
@@ -441,6 +614,58 @@ public class AuthorizeRequestsTests {
}
}
+ @Test
+ public void requestWhenMvcMatcherPathVariablesThenMatchesOnPathVariables() throws Exception {
+ loadConfig(MvcMatcherPathVariablesInLambdaConfig.class);
+
+ this.request.setRequestURI("/user/user");
+
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+
+ this.setup();
+ this.request.setRequestURI("/user/deny");
+
+ this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+
+ assertThat(this.response.getStatus())
+ .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+ }
+
+ @EnableWebSecurity
+ @Configuration
+ @EnableWebMvc
+ static class MvcMatcherPathVariablesInLambdaConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .httpBasic(withDefaults())
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .mvcMatchers("/user/{userName}").access("#userName == 'user'")
+ );
+ // @formatter:on
+ }
+
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ // @formatter:off
+ auth
+ .inMemoryAuthentication();
+ // @formatter:on
+ }
+
+ @RestController
+ static class PathController {
+ @RequestMapping("/path")
+ public String path() {
+ return "path";
+ }
+ }
+ }
+
@EnableWebSecurity
@Configuration
@EnableWebMvc
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java
index b6bb33e58f..b880b3ef5b 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java
@@ -162,9 +162,10 @@ public class CorsConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
.cors(withDefaults());
// @formatter:on
}
@@ -261,9 +262,10 @@ public class CorsConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
.cors(withDefaults());
// @formatter:on
}
@@ -359,9 +361,10 @@ public class CorsConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
.cors(withDefaults());
// @formatter:on
}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java
index b2f92d4247..ef1084cdbd 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java
@@ -109,9 +109,10 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().denyAll()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().denyAll()
+ )
.exceptionHandling(exceptionHandling ->
exceptionHandling
.defaultAccessDeniedHandlerFor(
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java
index ae5a2379e4..f7b9c1635e 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java
@@ -254,9 +254,10 @@ public class FormLoginConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().hasRole("USER")
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().hasRole("USER")
+ )
.formLogin(withDefaults());
// @formatter:on
}
@@ -387,9 +388,10 @@ public class FormLoginConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().hasRole("USER")
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().hasRole("USER")
+ )
.formLogin(formLogin ->
formLogin
.loginPage("/authenticate")
@@ -458,9 +460,10 @@ public class FormLoginConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
.formLogin(formLogin ->
formLogin
.loginProcessingUrl("/loginCheck")
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java
index a6445aa35b..43d956b3e5 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java
@@ -107,9 +107,10 @@ public class HttpBasicConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
.httpBasic(withDefaults());
// @formatter:on
}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java
index c55ad59f47..57de13f087 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java
@@ -151,9 +151,10 @@ public class JeeConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().hasRole("USER")
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().hasRole("USER")
+ )
.jee(jee ->
jee
.mappableRoles("USER")
@@ -185,9 +186,10 @@ public class JeeConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().hasRole("USER")
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().hasRole("USER")
+ )
.jee(jee ->
jee
.mappableAuthorities("ROLE_USER")
@@ -226,9 +228,10 @@ public class JeeConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().hasRole("USER")
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().hasRole("USER")
+ )
.jee(jee ->
jee
.authenticatedUserDetailsService(authenticationUserDetailsService)
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java
index 83d0508057..9a66e356fd 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java
@@ -125,9 +125,10 @@ public class NamespaceHttpBasicTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().hasRole("USER")
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().hasRole("USER")
+ )
.httpBasic(withDefaults());
// @formatter:on
}
@@ -174,9 +175,10 @@ public class NamespaceHttpBasicTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().hasRole("USER")
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().hasRole("USER")
+ )
.httpBasic(httpBasicConfig -> httpBasicConfig.realmName("Custom Realm"));
// @formatter:on
}
@@ -310,9 +312,10 @@ public class NamespaceHttpBasicTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().hasRole("USER")
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().hasRole("USER")
+ )
.httpBasic(httpBasicConfig ->
httpBasicConfig.authenticationEntryPoint(this.authenticationEntryPoint));
// @formatter:on
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java
index b6ddacb237..0aea788b3d 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java
@@ -98,9 +98,10 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().denyAll()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().denyAll()
+ )
.exceptionHandling(exceptionHandling ->
exceptionHandling.accessDeniedPage("/AccessDeniedPageConfig")
);
@@ -152,9 +153,10 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().denyAll()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().denyAll()
+ )
.exceptionHandling(exceptionHandling ->
exceptionHandling.accessDeniedHandler(accessDeniedHandler())
);
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java
index 84c9ec8816..1e3ee6018d 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java
@@ -320,9 +320,10 @@ public class RememberMeConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().hasRole("USER")
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().hasRole("USER")
+ )
.formLogin(withDefaults())
.rememberMe(withDefaults());
// @formatter:on
@@ -394,9 +395,10 @@ public class RememberMeConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().hasRole("USER")
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().hasRole("USER")
+ )
.formLogin(withDefaults())
.rememberMe(rememberMe ->
rememberMe
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java
index c21aca1162..7b16123165 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java
@@ -291,9 +291,10 @@ public class RequestCacheConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
.formLogin(withDefaults())
.requestCache(RequestCacheConfigurer::disable);
// @formatter:on
@@ -318,9 +319,10 @@ public class RequestCacheConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
.formLogin(withDefaults())
.requestCache(withDefaults());
// @formatter:on
@@ -345,9 +347,10 @@ public class RequestCacheConfigurerTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
.formLogin(withDefaults())
.requestCache(requestCache ->
requestCache