Clarify authorize-http-requests docs

Issue gh-11467
Marcus Da Coregio 2022-07-14 10:19:31 -03:00
parent 64ba31aebb
commit 9608eaa138
1 changed files with 2 additions and 6 deletions


@ -206,8 +206,8 @@ open fun web(http: HttpSecurity): SecurityFilterChain {
---- ----
==== ====
Now with the authorization rules applying to all dispatcher types, you have more control of the authorization on them. Instead of setting `shouldFilterAllDispatcherTypes` to `false`, the recommended approach is to customize authorization on the dispatcher types.
For example, you may want to configure `shouldFilterAllDispatcherTypes` to `true` but not apply authorization on requests with dispatcher type `ASYNC` or `FORWARD`. For example, you may want to grant all access on requests with dispatcher type `ASYNC` or `FORWARD`.
.Permit ASYNC and FORWARD dispatcher type .Permit ASYNC and FORWARD dispatcher type
==== ====
@ -218,7 +218,6 @@ For example, you may want to configure `shouldFilterAllDispatcherTypes` to `true
SecurityFilterChain web(HttpSecurity http) throws Exception { SecurityFilterChain web(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests((authorize) -> authorize .authorizeHttpRequests((authorize) -> authorize
.shouldFilterAllDispatcherTypes(true)
.dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.FORWARD).permitAll() .dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.FORWARD).permitAll()
.anyRequest().authenticated() .anyRequest().authenticated()
) )
@ -234,7 +233,6 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
open fun web(http: HttpSecurity): SecurityFilterChain { open fun web(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeHttpRequests { authorizeHttpRequests {
shouldFilterAllDispatcherTypes = true
authorize(DispatcherTypeRequestMatcher(DispatcherType.ASYNC, DispatcherType.FORWARD), permitAll) authorize(DispatcherTypeRequestMatcher(DispatcherType.ASYNC, DispatcherType.FORWARD), permitAll)
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
} }
@ -255,7 +253,6 @@ You can also customize it to require a specific role for a dispatcher type:
SecurityFilterChain web(HttpSecurity http) throws Exception { SecurityFilterChain web(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests((authorize) -> authorize .authorizeHttpRequests((authorize) -> authorize
.shouldFilterAllDispatcherTypes(true)
.dispatcherTypeMatchers(DispatcherType.ERROR).hasRole("ADMIN") .dispatcherTypeMatchers(DispatcherType.ERROR).hasRole("ADMIN")
.anyRequest().authenticated() .anyRequest().authenticated()
) )
@ -271,7 +268,6 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
open fun web(http: HttpSecurity): SecurityFilterChain { open fun web(http: HttpSecurity): SecurityFilterChain {
http { http {
authorizeHttpRequests { authorizeHttpRequests {
shouldFilterAllDispatcherTypes = true
authorize(DispatcherTypeRequestMatcher(DispatcherType.ERROR), hasRole("ADMIN")) authorize(DispatcherTypeRequestMatcher(DispatcherType.ERROR), hasRole("ADMIN"))
authorize(anyRequest, authenticated) authorize(anyRequest, authenticated)
} }