From b004f9f677db404643af26dc5c819e77db69439e Mon Sep 17 00:00:00 2001 From: Eleftheria Stein Date: Fri, 12 Jul 2019 13:58:17 -0400 Subject: [PATCH] Use http security nested builder in docs Issue: gh-5557 --- .../servlet/additional-topics/mvc.adoc | 12 +- .../servlet/additional-topics/oauth2.adoc | 168 ++++++---- .../authorization/expression-based.adoc | 8 +- .../servlet/preface/java-configuration.adoc | 202 +++++++----- .../servlet/preface/oauth2-client.adoc | 65 ++-- .../servlet/preface/oauth2-login.adoc | 27 +- .../asciidoc/_includes/servlet/web/cors.adoc | 4 +- .../asciidoc/_includes/servlet/web/csrf.adoc | 16 +- .../_includes/servlet/web/headers.adoc | 303 +++++++++++------- .../_includes/servlet/web/websocket.adoc | 37 ++- 10 files changed, 507 insertions(+), 335 deletions(-) diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/mvc.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/mvc.adoc index a23b9bf0a1..7173999ca1 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/mvc.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/mvc.adoc @@ -104,8 +104,10 @@ If we wanted to restrict access to this controller method to admin users, a deve ---- protected configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .antMatchers("/admin").hasRole("ADMIN"); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .antMatchers("/admin").hasRole("ADMIN") + ); } ---- @@ -133,8 +135,10 @@ The following configuration will protect the same URLs that Spring MVC will matc ---- protected configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .mvcMatchers("/admin").hasRole("ADMIN"); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .mvcMatchers("/admin").hasRole("ADMIN") + ); } ---- diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc index 511de42d09..0fb146b07b 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc @@ -16,15 +16,25 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login() - .authorizationEndpoint() - ... - .redirectionEndpoint() - ... - .tokenEndpoint() - ... - .userInfoEndpoint() - ... + .oauth2Login(oauth2Login -> + oauth2Login + .authorizationEndpoint(authorizationEndpoint -> + authorizationEndpoint + ... + ) + .redirectionEndpoint(redirectionEndpoint -> + redirectionEndpoint + ... + ) + .tokenEndpoint(tokenEndpoint -> + tokenEndpoint + ... + ) + .userInfoEndpoint(userInfoEndpoint -> + userInfoEndpoint + ... + ) + ); } } ---- @@ -58,27 +68,34 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login() - .clientRegistrationRepository(this.clientRegistrationRepository()) - .authorizedClientRepository(this.authorizedClientRepository()) - .authorizedClientService(this.authorizedClientService()) - .loginPage("/login") - .authorizationEndpoint() - .baseUri(this.authorizationRequestBaseUri()) - .authorizationRequestRepository(this.authorizationRequestRepository()) - .authorizationRequestResolver(this.authorizationRequestResolver()) - .and() - .redirectionEndpoint() - .baseUri(this.authorizationResponseBaseUri()) - .and() - .tokenEndpoint() - .accessTokenResponseClient(this.accessTokenResponseClient()) - .and() - .userInfoEndpoint() - .userAuthoritiesMapper(this.userAuthoritiesMapper()) - .userService(this.oauth2UserService()) - .oidcUserService(this.oidcUserService()) - .customUserType(GitHubOAuth2User.class, "github"); + .oauth2Login(oauth2Login -> + oauth2Login + .clientRegistrationRepository(this.clientRegistrationRepository()) + .authorizedClientRepository(this.authorizedClientRepository()) + .authorizedClientService(this.authorizedClientService()) + .loginPage("/login") + .authorizationEndpoint(authorizationEndpoint -> + authorizationEndpoint + .baseUri(this.authorizationRequestBaseUri()) + .authorizationRequestRepository(this.authorizationRequestRepository()) + .authorizationRequestResolver(this.authorizationRequestResolver()) + ) + .redirectionEndpoint(redirectionEndpoint -> + redirectionEndpoint + .baseUri(this.authorizationResponseBaseUri()) + ) + .tokenEndpoint(tokenEndpoint -> + tokenEndpoint + .accessTokenResponseClient(this.accessTokenResponseClient()) + ) + .userInfoEndpoint(userInfoEndpoint -> + userInfoEndpoint + .userAuthoritiesMapper(this.userAuthoritiesMapper()) + .userService(this.oauth2UserService()) + .oidcUserService(this.oidcUserService()) + .customUserType(GitHubOAuth2User.class, "github") + ) + ); } } ---- @@ -123,12 +140,16 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login() - .loginPage("/login/oauth2") - ... - .authorizationEndpoint() - .baseUri("/login/oauth2/authorization") - .... + .oauth2Login(oauth2Login -> + oauth2Login + .loginPage("/login/oauth2") + ... + .authorizationEndpoint(authorizationEndpoint -> + authorizationEndpoint + .baseUri("/login/oauth2/authorization") + ... + ) + ); } } ---- @@ -171,10 +192,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login() - .redirectionEndpoint() - .baseUri("/login/oauth2/callback/*") - .... + .oauth2Login(oauth2Login -> + oauth2Login + .redirectionEndpoint(redirectionEndpoint -> + redirectionEndpoint + .baseUri("/login/oauth2/callback/*") + ... + ) + ); } } ---- @@ -234,10 +259,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login() - .userInfoEndpoint() - .userAuthoritiesMapper(this.userAuthoritiesMapper()) - ... + .oauth2Login(oauth2Login -> + oauth2Login + .userInfoEndpoint(userInfoEndpoint -> + userInfoEndpoint + .userAuthoritiesMapper(this.userAuthoritiesMapper()) + ... + ) + ); } private GrantedAuthoritiesMapper userAuthoritiesMapper() { @@ -280,7 +309,8 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { - http.oauth2Login(); + http + .oauth2Login(withDefaults()); } @Bean @@ -308,10 +338,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login() - .userInfoEndpoint() - .oidcUserService(this.oidcUserService()) - ... + .oauth2Login(oauth2Login -> + oauth2Login + .userInfoEndpoint(userInfoEndpoint -> + userInfoEndpoint + .oidcUserService(this.oidcUserService()) + ... + ) + ); } private OAuth2UserService oidcUserService() { @@ -355,10 +389,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login() - .userInfoEndpoint() - .customUserType(GitHubOAuth2User.class, "github") - ... + .oauth2Login(oauth2Login -> + oauth2Login + .userInfoEndpoint(userInfoEndpoint -> + userInfoEndpoint + .customUserType(GitHubOAuth2User.class, "github") + ... + ) + ); } } ---- @@ -469,10 +507,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login() - .userInfoEndpoint() - .userService(this.oauth2UserService()) - ... + .oauth2Login(oauth2Login -> + oauth2Login + .userInfoEndpoint(userInfoEndpoint -> + userInfoEndpoint + .userService(this.oauth2UserService()) + ... + ) + ); } private OAuth2UserService oauth2UserService() { @@ -501,10 +543,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login() - .userInfoEndpoint() - .oidcUserService(this.oidcUserService()) - ... + .oauth2Login(oauth2Login -> + oauth2Login + .userInfoEndpoint(userInfoEndpoint -> + userInfoEndpoint + .oidcUserService(this.oidcUserService()) + ... + ) + ); } private OAuth2UserService oidcUserService() { diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc index aac5044dd1..e2308674e1 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc @@ -169,9 +169,11 @@ or in Java configuration [source,java] ---- http - .authorizeRequests() - .antMatchers("/user/{userId}/**").access("@webSecurity.checkUserId(authentication,#userId)") - ... + .authorizeRequests(authorizeRequests -> + authorizeRequests + .antMatchers("/user/{userId}/**").access("@webSecurity.checkUserId(authentication,#userId)") + ... + ); ---- In both configurations URLs that match would pass in the path variable (and convert it) into checkUserId method. diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc index 5990618e51..36141a4426 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc @@ -137,12 +137,12 @@ How does Spring Security know that we want to require all users to be authentica ---- protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .formLogin() - .and() - .httpBasic(); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .formLogin(withDefaults()) + .httpBasic(withDefaults()); } ---- @@ -163,10 +163,6 @@ You will notice that this configuration is quite similar the XML Namespace confi ---- -The Java Configuration equivalent of closing an XML tag is expressed using the `and()` method which allows us to continue configuring the parent. -If you read the code it also makes sense. -I want to configure authorized requests __and__ configure form login __and__ configure HTTP Basic authentication. - [[jc-form]] == Java Configuration and Form Login You might be wondering where the login form came from when you were prompted to log in, since we made no mention of any HTML files or JSPs. @@ -180,12 +176,15 @@ To do so we can update our configuration as seen below: ---- protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .formLogin() - .loginPage("/login") // <1> - .permitAll(); // <2> + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .formLogin(formLogin -> + formLogin + .loginPage("/login") // <1> + .permitAll() // <2> + ); } ---- @@ -245,14 +244,14 @@ For example: ---- protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests() <1> - .antMatchers("/resources/**", "/signup", "/about").permitAll() <2> - .antMatchers("/admin/**").hasRole("ADMIN") <3> - .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") <4> - .anyRequest().authenticated() <5> - .and() - // ... - .formLogin(); + .authorizeRequests(authorizeRequests -> // <1> + authorizeRequests + .antMatchers("/resources/**", "/signup", "/about").permitAll() // <2> + .antMatchers("/admin/**").hasRole("ADMIN") // <3> + .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4> + .anyRequest().authenticated() // <5> + ) + .formLogin(withDefaults()); } ---- @@ -282,14 +281,15 @@ Similar to configuring login capabilities, however, you also have various option ---- protected void configure(HttpSecurity http) throws Exception { http - .logout() <1> - .logoutUrl("/my/logout") <2> - .logoutSuccessUrl("/my/index") <3> - .logoutSuccessHandler(logoutSuccessHandler) <4> - .invalidateHttpSession(true) <5> - .addLogoutHandler(logoutHandler) <6> - .deleteCookies(cookieNamesToClear) <7> - .and() + .logout(logout -> // <1> + logout + .logoutUrl("/my/logout") // <2> + .logoutSuccessUrl("/my/index") // <3> + .logoutSuccessHandler(logoutSuccessHandler) // <4> + .invalidateHttpSession(true) // <5> + .addLogoutHandler(logoutHandler) // <6> + .deleteCookies(cookieNamesToClear) // <7> + ) ... } ---- @@ -510,11 +510,14 @@ The first is a `WebSecurityConfigurerAdapter` that configures the app as a resou ```java protected void configure(HttpSecurity http) { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .oauth2ResourceServer() - .jwt(); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .jwt(withDefaults()) + ); } ``` @@ -527,13 +530,18 @@ Replacing this is as simple as exposing the bean within the application: public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests() - .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") - .anyRequest().authenticated() - .and() - .oauth2ResourceServer() - .jwt() - .jwtAuthenticationConverter(myConverter()); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .jwt(jwt -> + jwt + .jwtAuthenticationConverter(myConverter()) + ) + ); } } ``` @@ -565,12 +573,17 @@ An authorization server's JWK Set Uri can be configured < + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .jwt(jwt -> + jwt + .jwkSetUri("https://idp.example.com/.well-known/jwks.json") + ) + ); } } ``` @@ -587,12 +600,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .oauth2ResourceServer() - .jwt() - .decoder(myCustomDecoder()); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .jwt(jwt -> + jwt + .decoder(myCustomDecoder()) + ) + ); } } ``` @@ -627,13 +645,16 @@ This means that to protect an endpoint or method with a scope derived from a JWT public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests() - .mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts") - .mvcMatchers("/messages/**").hasAuthority("SCOPE_messages") - .anyRequest().authenticated() - .and() - .oauth2ResourceServer() - .jwt(); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts") + .mvcMatchers("/messages/**").hasAuthority("SCOPE_messages") + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .jwt(withDefaults()) + ); } } ``` @@ -659,12 +680,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`: public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .oauth2ResourceServer() - .jwt() - .jwtAuthenticationConverter(grantedAuthoritiesExtractor()); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .jwt(jwt -> + jwt + .jwtAuthenticationConverter(grantedAuthoritiesExtractor()) + ) + ); } } @@ -1078,10 +1104,11 @@ public class MultiHttpSecurityConfig { protected void configure(HttpSecurity http) throws Exception { http .antMatcher("/api/**") <3> - .authorizeRequests() - .anyRequest().hasRole("ADMIN") - .and() - .httpBasic(); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("ADMIN") + ) + .httpBasic(withDefaults()); } } @@ -1091,10 +1118,11 @@ public class MultiHttpSecurityConfig { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .formLogin(); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .formLogin(withDefaults()); } } } @@ -1221,15 +1249,17 @@ For example, if you wanted to configure the `filterSecurityPublishAuthorizationS @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .anyRequest().authenticated() - .withObjectPostProcessor(new ObjectPostProcessor() { - public O postProcess( - O fsi) { - fsi.setPublishAuthorizationSuccess(true); - return fsi; - } - }); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + .withObjectPostProcessor(new ObjectPostProcessor() { + public O postProcess( + O fsi) { + fsi.setPublishAuthorizationSuccess(true); + return fsi; + } + }) + ); } ---- diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc index f362a11f7c..74fb98708a 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc @@ -20,14 +20,18 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Client() - .clientRegistrationRepository(this.clientRegistrationRepository()) - .authorizedClientRepository(this.authorizedClientRepository()) - .authorizedClientService(this.authorizedClientService()) - .authorizationCodeGrant() - .authorizationRequestRepository(this.authorizationRequestRepository()) - .authorizationRequestResolver(this.authorizationRequestResolver()) - .accessTokenResponseClient(this.accessTokenResponseClient()); + .oauth2Client(oauth2Client -> + oauth2Client + .clientRegistrationRepository(this.clientRegistrationRepository()) + .authorizedClientRepository(this.authorizedClientRepository()) + .authorizedClientService(this.authorizedClientService()) + .authorizationCodeGrant(authorizationCodeGrant -> + authorizationCodeGrant + .authorizationRequestRepository(this.authorizationRequestRepository()) + .authorizationRequestResolver(this.authorizationRequestResolver()) + .accessTokenResponseClient(this.accessTokenResponseClient()) + ) + ); } } ---- @@ -245,10 +249,14 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Client() - .authorizationCodeGrant() - .authorizationRequestRepository(this.cookieAuthorizationRequestRepository()) - ... + .oauth2Client(oauth2Client -> + oauth2Client + .authorizationCodeGrant(authorizationCodeGrant -> + authorizationCodeGrant + .authorizationRequestRepository(this.cookieAuthorizationRequestRepository()) + ... + ) + ); } private AuthorizationRequestRepository cookieAuthorizationRequestRepository() { @@ -285,14 +293,19 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .oauth2Login() - .authorizationEndpoint() - .authorizationRequestResolver( - new CustomAuthorizationRequestResolver( - this.clientRegistrationRepository)); <1> + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2Login(oauth2Login -> + oauth2Login + .authorizationEndpoint(authorizationEndpoint -> + authorizationEndpoint + .authorizationRequestResolver( + new CustomAuthorizationRequestResolver( + this.clientRegistrationRepository)) <1> + ) + ); } } @@ -422,10 +435,14 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Client() - .authorizationCodeGrant() - .accessTokenResponseClient(this.customAccessTokenResponseClient()) - ... + .oauth2Client(oauth2Client -> + oauth2Client + .authorizationCodeGrant(authorizationCodeGrant -> + authorizationCodeGrant + .accessTokenResponseClient(this.customAccessTokenResponseClient()) + ... + ) + ); } private OAuth2AccessTokenResponseClient customAccessTokenResponseClient() { diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc index 5d5307e65d..adead1a92d 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc @@ -285,10 +285,11 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .oauth2Login(); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2Login(withDefaults()); } } ---- @@ -310,10 +311,11 @@ public class OAuth2LoginConfig { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .oauth2Login(); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2Login(withDefaults()); } } @@ -358,10 +360,11 @@ public class OAuth2LoginConfig { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .oauth2Login(); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2Login(withDefaults()); } } diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/web/cors.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/web/cors.adoc index 11fd3f9e39..17283ae6a9 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/web/cors.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/web/cors.adoc @@ -18,7 +18,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http // by default uses a Bean by the name of corsConfigurationSource - .cors().and() + .cors(withDefaults()) ... } @@ -59,7 +59,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { http // if Spring MVC is on classpath and no CorsConfigurationSource is provided, // Spring Security will use CORS configuration provided to Spring MVC - .cors().and() + .cors(withDefaults()) ... } } diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/web/csrf.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/web/csrf.adoc index 957950a5f4..aa4e6b8215 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/web/csrf.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/web/csrf.adoc @@ -187,7 +187,9 @@ WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .csrf().disable(); + .csrf(csrf -> + csrf.disable() + ); } } ---- @@ -314,8 +316,10 @@ public class WebSecurityConfig extends @Override protected void configure(HttpSecurity http) throws Exception { http - .csrf() - .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); + .csrf(csrf -> + csrf + .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) + ); } } ---- @@ -391,8 +395,10 @@ WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .logout() - .logoutRequestMatcher(new AntPathRequestMatcher("/logout")); + .logout(logout -> + logout + .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) + ); } } ---- diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc index 26e0fe5157..72cfc6c20e 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc @@ -60,9 +60,15 @@ public class WebSecurityConfig extends protected void configure(HttpSecurity http) throws Exception { http // ... - .headers() - .frameOptions().sameOrigin() - .httpStrictTransportSecurity().disable(); + .headers(headers -> + headers + .frameOptions(frameOptions -> + frameOptions.sameOrigin() + ) + .httpStrictTransportSecurity(hsts -> + hsts.disable() + ) + ); } } ---- @@ -92,15 +98,17 @@ If you are using Spring Security's Java Configuration the following will only ad public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - // do not use any default headers unless explicitly listed - .defaultsDisabled() - .cacheControl(); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + // do not use any default headers unless explicitly listed + .defaultsDisabled() + .cacheControl(withDefaults()) + ); + } } ---- @@ -126,12 +134,14 @@ If necessary, you can disable all of the HTTP Security response headers with the public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers().disable(); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers.disable() + ); + } } ---- @@ -182,14 +192,16 @@ Similarly, you can enable only cache control within Java Configuration with the public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .defaultsDisabled() - .cacheControl(); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .defaultsDisabled() + .cacheControl(withDefaults()) + ); + } } ---- @@ -263,14 +275,16 @@ If you want more control over the headers, you can explicitly specify the conten public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .defaultsDisabled() - .contentTypeOptions(); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .defaultsDisabled() + .contentTypeOptions(withDefaults()) + ); + } } ---- @@ -327,16 +341,20 @@ Similarly, you can enable only HSTS headers with Java Configuration: public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .httpStrictTransportSecurity() - .includeSubdomains(true) - .preload(true) - .maxAgeSeconds(31536000); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .httpStrictTransportSecurity(hsts -> + hsts + .includeSubDomains(true) + .preload(true) + .maxAgeInSeconds(31536000) + ) + ); + } } ---- @@ -399,16 +417,20 @@ Similarly, you can enable HPKP headers with Java Configuration: public class WebSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .httpPublicKeyPinning() - .includeSubdomains(true) - .reportUri("https://example.net/pkp-report") - .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; - } + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .httpPublicKeyPinning(hpkp -> + hpkp + .includeSubDomains(true) + .reportUri("https://example.net/pkp-report") + .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=") + ) + ); + } } ---- @@ -461,14 +483,18 @@ Similarly, you can customize frame options to use the same origin within Java Co public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .frameOptions() - .sameOrigin(); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .frameOptions(frameOptions -> + frameOptions + .sameOrigin() + ) + ); + } } ---- @@ -511,14 +537,18 @@ Similarly, you can customize XSS protection within Java Configuration with the f public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .xssProtection() - .block(false); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .xssProtection(xssProtection -> + xssProtection + .block(false) + ) + ); + } } ---- @@ -625,13 +655,18 @@ Similarly, you can enable the CSP header using Java configuration as shown below public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/"); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .contentSecurityPolicy(csp -> + csp + .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") + ) + ); + } } ---- @@ -643,14 +678,19 @@ To enable the CSP _'report-only'_ header, provide the following Java configurati public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") - .reportOnly(); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .contentSecurityPolicy(csp -> + csp + .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") + .reportOnly() + ) + ); + } } ---- @@ -707,13 +747,18 @@ Similarly, you can enable the Referrer Policy header using Java configuration as public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .referrerPolicy(ReferrerPolicy.SAME_ORIGIN); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .referrerPolicy(referrerPolicy -> + referrerPolicy + .policy(ReferrerPolicy.SAME_ORIGIN) + ) + ); + } } ---- @@ -757,13 +802,15 @@ Similarly, you can enable the Feature Policy header using Java configuration as public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .featurePolicy("geolocation 'self'"); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .featurePolicy("geolocation 'self'") + ); + } } ---- @@ -804,13 +851,15 @@ Similarly, the headers could be added to the response using Java Configuration a public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value")); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value")) + ); + } } ---- @@ -849,13 +898,15 @@ We could also restrict framing of content to the same origin with Java configura public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> + headers + .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)) + ); + } } ---- @@ -903,17 +954,21 @@ We could also prevent framing of content to the log in page using java configura public class WebSecurityConfig extends WebSecurityConfigurerAdapter { -@Override -protected void configure(HttpSecurity http) throws Exception { - RequestMatcher matcher = new AntPathRequestMatcher("/login"); - DelegatingRequestMatcherHeaderWriter headerWriter = - new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter()); - http - // ... - .headers() - .frameOptions().disabled() - .addHeaderWriter(headerWriter); -} + @Override + protected void configure(HttpSecurity http) throws Exception { + RequestMatcher matcher = new AntPathRequestMatcher("/login"); + DelegatingRequestMatcherHeaderWriter headerWriter = + new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter()); + http + // ... + .headers(headers -> + headers + .frameOptions(frameOptions -> + frameOptions.disable() + ) + .addHeaderWriter(headerWriter) + ); + } } ---- diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/web/websocket.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/web/websocket.adoc index 0553b46023..8dd70cb2c6 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/web/websocket.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/web/websocket.adoc @@ -323,9 +323,13 @@ public class WebSecurityConfig extends protected void configure(HttpSecurity http) throws Exception { http // ... - .headers() - .frameOptions() - .sameOrigin(); + .headers(headers -> + headers + .frameOptions(frameOptions -> + frameOptions + .sameOrigin() + ) + ); } } ---- @@ -356,18 +360,23 @@ public class WebSecurityConfig @Override protected void configure(HttpSecurity http) throws Exception { - http - .csrf() - // ignore our stomp endpoints since they are protected using Stomp headers - .ignoringAntMatchers("/chat/**") - .and() - .headers() - // allow same origin to frame our site to support iframe SockJS - .frameOptions().sameOrigin() - .and() - .authorizeRequests() - + .csrf(csrf -> + csrf + // ignore our stomp endpoints since they are protected using Stomp headers + .ignoringAntMatchers("/chat/**") + ) + .headers(headers -> + headers + // allow same origin to frame our site to support iframe SockJS + .frameOptions(frameOptions -> + frameOptions + .sameOrigin() + ) + ) + .authorizeRequests(authorizeRequests -> + ... + ) ... ----