Add permissionsPolicyHeader

This method is a replacement of `permissionsPolicy(Customizer)` that returns its own configurer instead of `HeadersConfigurer`. Closes gh-14803
2024-07-29 09:26:42 -03:00 · 2024-07-29 09:26:42 -03:00 · 98af8d1123
parent 27cc06bbdf
commit 98af8d1123
1 changed files with 27 additions and 2 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -584,7 +584,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * </ul>
 	 * @return the {@link PermissionsPolicyConfig} for additional configuration
 	 * @since 5.5
-	 * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)} or
+	 * @deprecated For removal in 7.0. Use {@link #permissionsPolicyHeader(Customizer)} or
 	 * {@code permissionsPolicy(Customizer.withDefaults())} to stick with defaults. See
 	 * the <a href=
 	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
@ -611,13 +611,38 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @throws IllegalArgumentException if policyDirectives is {@code null} or empty
 	 * @since 5.5
 	 * @see PermissionsPolicyHeaderWriter
+	 * @deprecated For removal in 7.0. Use {@link #permissionsPolicyHeader(Customizer)}
+	 * instead
 	 */
+	@Deprecated(since = "6.4", forRemoval = true)
 	public PermissionsPolicyConfig permissionsPolicy(Customizer<PermissionsPolicyConfig> permissionsPolicyCustomizer) {
 		this.permissionsPolicy.writer = new PermissionsPolicyHeaderWriter();
 		permissionsPolicyCustomizer.customize(this.permissionsPolicy);
 		return this.permissionsPolicy;
 	}

+	/**
+	 * Allows configuration for
+	 * <a href="https://w3c.github.io/webappsec-permissions-policy/"> Permissions
+	 * Policy</a>.
+	 * <p>
+	 * Calling this method automatically enables (includes) the {@code Permissions-Policy}
+	 * header in the response using the supplied policy directive(s).
+	 * <p>
+	 * Configuration is provided to the {@link PermissionsPolicyHeaderWriter} which is
+	 * responsible for writing the header.
+	 * @return the {@link PermissionsPolicyConfig} for additional configuration
+	 * @throws IllegalArgumentException if policyDirectives is {@code null} or empty
+	 * @since 6.4
+	 * @see PermissionsPolicyHeaderWriter
+	 */
+	public HeadersConfigurer<H> permissionsPolicyHeader(
+			Customizer<PermissionsPolicyConfig> permissionsPolicyCustomizer) {
+		this.permissionsPolicy.writer = new PermissionsPolicyHeaderWriter();
+		permissionsPolicyCustomizer.customize(this.permissionsPolicy);
+		return this;
+	}
+
 	/**
 	 * Allows configuration for <a href=
 	 * "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy">