parent
7961b819aa
commit
b004f9f677
|
@ -104,8 +104,10 @@ If we wanted to restrict access to this controller method to admin users, a deve
|
|||
----
|
||||
protected configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin").hasRole("ADMIN");
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.antMatchers("/admin").hasRole("ADMIN")
|
||||
);
|
||||
}
|
||||
----
|
||||
|
||||
|
@ -133,8 +135,10 @@ The following configuration will protect the same URLs that Spring MVC will matc
|
|||
----
|
||||
protected configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/admin").hasRole("ADMIN");
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/admin").hasRole("ADMIN")
|
||||
);
|
||||
}
|
||||
----
|
||||
|
||||
|
|
|
@ -16,15 +16,25 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Login()
|
||||
.authorizationEndpoint()
|
||||
.oauth2Login(oauth2Login ->
|
||||
oauth2Login
|
||||
.authorizationEndpoint(authorizationEndpoint ->
|
||||
authorizationEndpoint
|
||||
...
|
||||
.redirectionEndpoint()
|
||||
)
|
||||
.redirectionEndpoint(redirectionEndpoint ->
|
||||
redirectionEndpoint
|
||||
...
|
||||
.tokenEndpoint()
|
||||
)
|
||||
.tokenEndpoint(tokenEndpoint ->
|
||||
tokenEndpoint
|
||||
...
|
||||
.userInfoEndpoint()
|
||||
)
|
||||
.userInfoEndpoint(userInfoEndpoint ->
|
||||
userInfoEndpoint
|
||||
...
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -58,27 +68,34 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Login()
|
||||
.oauth2Login(oauth2Login ->
|
||||
oauth2Login
|
||||
.clientRegistrationRepository(this.clientRegistrationRepository())
|
||||
.authorizedClientRepository(this.authorizedClientRepository())
|
||||
.authorizedClientService(this.authorizedClientService())
|
||||
.loginPage("/login")
|
||||
.authorizationEndpoint()
|
||||
.authorizationEndpoint(authorizationEndpoint ->
|
||||
authorizationEndpoint
|
||||
.baseUri(this.authorizationRequestBaseUri())
|
||||
.authorizationRequestRepository(this.authorizationRequestRepository())
|
||||
.authorizationRequestResolver(this.authorizationRequestResolver())
|
||||
.and()
|
||||
.redirectionEndpoint()
|
||||
)
|
||||
.redirectionEndpoint(redirectionEndpoint ->
|
||||
redirectionEndpoint
|
||||
.baseUri(this.authorizationResponseBaseUri())
|
||||
.and()
|
||||
.tokenEndpoint()
|
||||
)
|
||||
.tokenEndpoint(tokenEndpoint ->
|
||||
tokenEndpoint
|
||||
.accessTokenResponseClient(this.accessTokenResponseClient())
|
||||
.and()
|
||||
.userInfoEndpoint()
|
||||
)
|
||||
.userInfoEndpoint(userInfoEndpoint ->
|
||||
userInfoEndpoint
|
||||
.userAuthoritiesMapper(this.userAuthoritiesMapper())
|
||||
.userService(this.oauth2UserService())
|
||||
.oidcUserService(this.oidcUserService())
|
||||
.customUserType(GitHubOAuth2User.class, "github");
|
||||
.customUserType(GitHubOAuth2User.class, "github")
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -123,12 +140,16 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Login()
|
||||
.oauth2Login(oauth2Login ->
|
||||
oauth2Login
|
||||
.loginPage("/login/oauth2")
|
||||
...
|
||||
.authorizationEndpoint()
|
||||
.authorizationEndpoint(authorizationEndpoint ->
|
||||
authorizationEndpoint
|
||||
.baseUri("/login/oauth2/authorization")
|
||||
....
|
||||
...
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -171,10 +192,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Login()
|
||||
.redirectionEndpoint()
|
||||
.oauth2Login(oauth2Login ->
|
||||
oauth2Login
|
||||
.redirectionEndpoint(redirectionEndpoint ->
|
||||
redirectionEndpoint
|
||||
.baseUri("/login/oauth2/callback/*")
|
||||
....
|
||||
...
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -234,10 +259,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Login()
|
||||
.userInfoEndpoint()
|
||||
.oauth2Login(oauth2Login ->
|
||||
oauth2Login
|
||||
.userInfoEndpoint(userInfoEndpoint ->
|
||||
userInfoEndpoint
|
||||
.userAuthoritiesMapper(this.userAuthoritiesMapper())
|
||||
...
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
private GrantedAuthoritiesMapper userAuthoritiesMapper() {
|
||||
|
@ -280,7 +309,8 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.oauth2Login();
|
||||
http
|
||||
.oauth2Login(withDefaults());
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
@ -308,10 +338,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Login()
|
||||
.userInfoEndpoint()
|
||||
.oauth2Login(oauth2Login ->
|
||||
oauth2Login
|
||||
.userInfoEndpoint(userInfoEndpoint ->
|
||||
userInfoEndpoint
|
||||
.oidcUserService(this.oidcUserService())
|
||||
...
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
|
||||
|
@ -355,10 +389,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Login()
|
||||
.userInfoEndpoint()
|
||||
.oauth2Login(oauth2Login ->
|
||||
oauth2Login
|
||||
.userInfoEndpoint(userInfoEndpoint ->
|
||||
userInfoEndpoint
|
||||
.customUserType(GitHubOAuth2User.class, "github")
|
||||
...
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -469,10 +507,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Login()
|
||||
.userInfoEndpoint()
|
||||
.oauth2Login(oauth2Login ->
|
||||
oauth2Login
|
||||
.userInfoEndpoint(userInfoEndpoint ->
|
||||
userInfoEndpoint
|
||||
.userService(this.oauth2UserService())
|
||||
...
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
|
||||
|
@ -501,10 +543,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Login()
|
||||
.userInfoEndpoint()
|
||||
.oauth2Login(oauth2Login ->
|
||||
oauth2Login
|
||||
.userInfoEndpoint(userInfoEndpoint ->
|
||||
userInfoEndpoint
|
||||
.oidcUserService(this.oidcUserService())
|
||||
...
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
|
||||
|
|
|
@ -169,9 +169,11 @@ or in Java configuration
|
|||
[source,java]
|
||||
----
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.antMatchers("/user/{userId}/**").access("@webSecurity.checkUserId(authentication,#userId)")
|
||||
...
|
||||
);
|
||||
----
|
||||
|
||||
In both configurations URLs that match would pass in the path variable (and convert it) into checkUserId method.
|
||||
|
|
|
@ -137,12 +137,12 @@ How does Spring Security know that we want to require all users to be authentica
|
|||
----
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin()
|
||||
.and()
|
||||
.httpBasic();
|
||||
)
|
||||
.formLogin(withDefaults())
|
||||
.httpBasic(withDefaults());
|
||||
}
|
||||
----
|
||||
|
||||
|
@ -163,10 +163,6 @@ You will notice that this configuration is quite similar the XML Namespace confi
|
|||
</http>
|
||||
----
|
||||
|
||||
The Java Configuration equivalent of closing an XML tag is expressed using the `and()` method which allows us to continue configuring the parent.
|
||||
If you read the code it also makes sense.
|
||||
I want to configure authorized requests __and__ configure form login __and__ configure HTTP Basic authentication.
|
||||
|
||||
[[jc-form]]
|
||||
== Java Configuration and Form Login
|
||||
You might be wondering where the login form came from when you were prompted to log in, since we made no mention of any HTML files or JSPs.
|
||||
|
@ -180,12 +176,15 @@ To do so we can update our configuration as seen below:
|
|||
----
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin()
|
||||
)
|
||||
.formLogin(formLogin ->
|
||||
formLogin
|
||||
.loginPage("/login") // <1>
|
||||
.permitAll(); // <2>
|
||||
.permitAll() // <2>
|
||||
);
|
||||
}
|
||||
----
|
||||
|
||||
|
@ -245,14 +244,14 @@ For example:
|
|||
----
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests() <1>
|
||||
.antMatchers("/resources/**", "/signup", "/about").permitAll() <2>
|
||||
.antMatchers("/admin/**").hasRole("ADMIN") <3>
|
||||
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") <4>
|
||||
.anyRequest().authenticated() <5>
|
||||
.and()
|
||||
// ...
|
||||
.formLogin();
|
||||
.authorizeRequests(authorizeRequests -> // <1>
|
||||
authorizeRequests
|
||||
.antMatchers("/resources/**", "/signup", "/about").permitAll() // <2>
|
||||
.antMatchers("/admin/**").hasRole("ADMIN") // <3>
|
||||
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4>
|
||||
.anyRequest().authenticated() // <5>
|
||||
)
|
||||
.formLogin(withDefaults());
|
||||
}
|
||||
----
|
||||
|
||||
|
@ -282,14 +281,15 @@ Similar to configuring login capabilities, however, you also have various option
|
|||
----
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.logout() <1>
|
||||
.logoutUrl("/my/logout") <2>
|
||||
.logoutSuccessUrl("/my/index") <3>
|
||||
.logoutSuccessHandler(logoutSuccessHandler) <4>
|
||||
.invalidateHttpSession(true) <5>
|
||||
.addLogoutHandler(logoutHandler) <6>
|
||||
.deleteCookies(cookieNamesToClear) <7>
|
||||
.and()
|
||||
.logout(logout -> // <1>
|
||||
logout
|
||||
.logoutUrl("/my/logout") // <2>
|
||||
.logoutSuccessUrl("/my/index") // <3>
|
||||
.logoutSuccessHandler(logoutSuccessHandler) // <4>
|
||||
.invalidateHttpSession(true) // <5>
|
||||
.addLogoutHandler(logoutHandler) // <6>
|
||||
.deleteCookies(cookieNamesToClear) // <7>
|
||||
)
|
||||
...
|
||||
}
|
||||
----
|
||||
|
@ -510,11 +510,14 @@ The first is a `WebSecurityConfigurerAdapter` that configures the app as a resou
|
|||
```java
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt();
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(withDefaults())
|
||||
);
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -527,13 +530,18 @@ Replacing this is as simple as exposing the bean within the application:
|
|||
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.jwtAuthenticationConverter(myConverter());
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(jwt ->
|
||||
jwt
|
||||
.jwtAuthenticationConverter(myConverter())
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
```
|
||||
|
@ -565,12 +573,17 @@ An authorization server's JWK Set Uri can be configured <<oauth2resourceserver-j
|
|||
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.jwkSetUri("https://idp.example.com/.well-known/jwks.json");
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(jwt ->
|
||||
jwt
|
||||
.jwkSetUri("https://idp.example.com/.well-known/jwks.json")
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
```
|
||||
|
@ -587,12 +600,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
|
|||
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.decoder(myCustomDecoder());
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(jwt ->
|
||||
jwt
|
||||
.decoder(myCustomDecoder())
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
```
|
||||
|
@ -627,13 +645,16 @@ This means that to protect an endpoint or method with a scope derived from a JWT
|
|||
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
|
||||
.mvcMatchers("/messages/**").hasAuthority("SCOPE_messages")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt();
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(withDefaults())
|
||||
);
|
||||
}
|
||||
}
|
||||
```
|
||||
|
@ -659,12 +680,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
|
|||
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.jwtAuthenticationConverter(grantedAuthoritiesExtractor());
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(jwt ->
|
||||
jwt
|
||||
.jwtAuthenticationConverter(grantedAuthoritiesExtractor())
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1078,10 +1104,11 @@ public class MultiHttpSecurityConfig {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.antMatcher("/api/**") <3>
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().hasRole("ADMIN")
|
||||
.and()
|
||||
.httpBasic();
|
||||
)
|
||||
.httpBasic(withDefaults());
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1091,10 +1118,11 @@ public class MultiHttpSecurityConfig {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin();
|
||||
)
|
||||
.formLogin(withDefaults());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1221,7 +1249,8 @@ For example, if you wanted to configure the `filterSecurityPublishAuthorizationS
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
|
||||
public <O extends FilterSecurityInterceptor> O postProcess(
|
||||
|
@ -1229,7 +1258,8 @@ protected void configure(HttpSecurity http) throws Exception {
|
|||
fsi.setPublishAuthorizationSuccess(true);
|
||||
return fsi;
|
||||
}
|
||||
});
|
||||
})
|
||||
);
|
||||
}
|
||||
----
|
||||
|
||||
|
|
|
@ -20,14 +20,18 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Client()
|
||||
.oauth2Client(oauth2Client ->
|
||||
oauth2Client
|
||||
.clientRegistrationRepository(this.clientRegistrationRepository())
|
||||
.authorizedClientRepository(this.authorizedClientRepository())
|
||||
.authorizedClientService(this.authorizedClientService())
|
||||
.authorizationCodeGrant()
|
||||
.authorizationCodeGrant(authorizationCodeGrant ->
|
||||
authorizationCodeGrant
|
||||
.authorizationRequestRepository(this.authorizationRequestRepository())
|
||||
.authorizationRequestResolver(this.authorizationRequestResolver())
|
||||
.accessTokenResponseClient(this.accessTokenResponseClient());
|
||||
.accessTokenResponseClient(this.accessTokenResponseClient())
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -245,10 +249,14 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Client()
|
||||
.authorizationCodeGrant()
|
||||
.oauth2Client(oauth2Client ->
|
||||
oauth2Client
|
||||
.authorizationCodeGrant(authorizationCodeGrant ->
|
||||
authorizationCodeGrant
|
||||
.authorizationRequestRepository(this.cookieAuthorizationRequestRepository())
|
||||
...
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
private AuthorizationRequestRepository<OAuth2AuthorizationRequest> cookieAuthorizationRequestRepository() {
|
||||
|
@ -285,14 +293,19 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2Login()
|
||||
.authorizationEndpoint()
|
||||
)
|
||||
.oauth2Login(oauth2Login ->
|
||||
oauth2Login
|
||||
.authorizationEndpoint(authorizationEndpoint ->
|
||||
authorizationEndpoint
|
||||
.authorizationRequestResolver(
|
||||
new CustomAuthorizationRequestResolver(
|
||||
this.clientRegistrationRepository)); <1>
|
||||
this.clientRegistrationRepository)) <1>
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -422,10 +435,14 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.oauth2Client()
|
||||
.authorizationCodeGrant()
|
||||
.oauth2Client(oauth2Client ->
|
||||
oauth2Client
|
||||
.authorizationCodeGrant(authorizationCodeGrant ->
|
||||
authorizationCodeGrant
|
||||
.accessTokenResponseClient(this.customAccessTokenResponseClient())
|
||||
...
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> customAccessTokenResponseClient() {
|
||||
|
|
|
@ -285,10 +285,11 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2Login();
|
||||
)
|
||||
.oauth2Login(withDefaults());
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -310,10 +311,11 @@ public class OAuth2LoginConfig {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2Login();
|
||||
)
|
||||
.oauth2Login(withDefaults());
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -358,10 +360,11 @@ public class OAuth2LoginConfig {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2Login();
|
||||
)
|
||||
.oauth2Login(withDefaults());
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// by default uses a Bean by the name of corsConfigurationSource
|
||||
.cors().and()
|
||||
.cors(withDefaults())
|
||||
...
|
||||
}
|
||||
|
||||
|
@ -59,7 +59,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
http
|
||||
// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
|
||||
// Spring Security will use CORS configuration provided to Spring MVC
|
||||
.cors().and()
|
||||
.cors(withDefaults())
|
||||
...
|
||||
}
|
||||
}
|
||||
|
|
|
@ -187,7 +187,9 @@ WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.csrf().disable();
|
||||
.csrf(csrf ->
|
||||
csrf.disable()
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -314,8 +316,10 @@ public class WebSecurityConfig extends
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.csrf()
|
||||
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
|
||||
.csrf(csrf ->
|
||||
csrf
|
||||
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -391,8 +395,10 @@ WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.logout()
|
||||
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
|
||||
.logout(logout ->
|
||||
logout
|
||||
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
|
|
@ -60,9 +60,15 @@ public class WebSecurityConfig extends
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.frameOptions().sameOrigin()
|
||||
.httpStrictTransportSecurity().disable();
|
||||
.headers(headers ->
|
||||
headers
|
||||
.frameOptions(frameOptions ->
|
||||
frameOptions.sameOrigin()
|
||||
)
|
||||
.httpStrictTransportSecurity(hsts ->
|
||||
hsts.disable()
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -96,10 +102,12 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.headers(headers ->
|
||||
headers
|
||||
// do not use any default headers unless explicitly listed
|
||||
.defaultsDisabled()
|
||||
.cacheControl();
|
||||
.cacheControl(withDefaults())
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -130,7 +138,9 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers().disable();
|
||||
.headers(headers ->
|
||||
headers.disable()
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -186,9 +196,11 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.headers(headers ->
|
||||
headers
|
||||
.defaultsDisabled()
|
||||
.cacheControl();
|
||||
.cacheControl(withDefaults())
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -267,9 +279,11 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.headers(headers ->
|
||||
headers
|
||||
.defaultsDisabled()
|
||||
.contentTypeOptions();
|
||||
.contentTypeOptions(withDefaults())
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -331,11 +345,15 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.httpStrictTransportSecurity()
|
||||
.includeSubdomains(true)
|
||||
.headers(headers ->
|
||||
headers
|
||||
.httpStrictTransportSecurity(hsts ->
|
||||
hsts
|
||||
.includeSubDomains(true)
|
||||
.preload(true)
|
||||
.maxAgeSeconds(31536000);
|
||||
.maxAgeInSeconds(31536000)
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -403,11 +421,15 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.httpPublicKeyPinning()
|
||||
.includeSubdomains(true)
|
||||
.headers(headers ->
|
||||
headers
|
||||
.httpPublicKeyPinning(hpkp ->
|
||||
hpkp
|
||||
.includeSubDomains(true)
|
||||
.reportUri("https://example.net/pkp-report")
|
||||
.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
|
||||
.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=")
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -465,9 +487,13 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.frameOptions()
|
||||
.sameOrigin();
|
||||
.headers(headers ->
|
||||
headers
|
||||
.frameOptions(frameOptions ->
|
||||
frameOptions
|
||||
.sameOrigin()
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -515,9 +541,13 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.xssProtection()
|
||||
.block(false);
|
||||
.headers(headers ->
|
||||
headers
|
||||
.xssProtection(xssProtection ->
|
||||
xssProtection
|
||||
.block(false)
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -629,8 +659,13 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");
|
||||
.headers(headers ->
|
||||
headers
|
||||
.contentSecurityPolicy(csp ->
|
||||
csp
|
||||
.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -647,9 +682,14 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
|
||||
.reportOnly();
|
||||
.headers(headers ->
|
||||
headers
|
||||
.contentSecurityPolicy(csp ->
|
||||
csp
|
||||
.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
|
||||
.reportOnly()
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -711,8 +751,13 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.referrerPolicy(ReferrerPolicy.SAME_ORIGIN);
|
||||
.headers(headers ->
|
||||
headers
|
||||
.referrerPolicy(referrerPolicy ->
|
||||
referrerPolicy
|
||||
.policy(ReferrerPolicy.SAME_ORIGIN)
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -761,8 +806,10 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.featurePolicy("geolocation 'self'");
|
||||
.headers(headers ->
|
||||
headers
|
||||
.featurePolicy("geolocation 'self'")
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -808,8 +855,10 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value"));
|
||||
.headers(headers ->
|
||||
headers
|
||||
.addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value"))
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -853,8 +902,10 @@ WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
|
||||
.headers(headers ->
|
||||
headers
|
||||
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -910,9 +961,13 @@ protected void configure(HttpSecurity http) throws Exception {
|
|||
new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter());
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.frameOptions().disabled()
|
||||
.addHeaderWriter(headerWriter);
|
||||
.headers(headers ->
|
||||
headers
|
||||
.frameOptions(frameOptions ->
|
||||
frameOptions.disable()
|
||||
)
|
||||
.addHeaderWriter(headerWriter)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
|
|
@ -323,9 +323,13 @@ public class WebSecurityConfig extends
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
// ...
|
||||
.headers()
|
||||
.frameOptions()
|
||||
.sameOrigin();
|
||||
.headers(headers ->
|
||||
headers
|
||||
.frameOptions(frameOptions ->
|
||||
frameOptions
|
||||
.sameOrigin()
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -356,18 +360,23 @@ public class WebSecurityConfig
|
|||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
|
||||
http
|
||||
.csrf()
|
||||
.csrf(csrf ->
|
||||
csrf
|
||||
// ignore our stomp endpoints since they are protected using Stomp headers
|
||||
.ignoringAntMatchers("/chat/**")
|
||||
.and()
|
||||
.headers()
|
||||
)
|
||||
.headers(headers ->
|
||||
headers
|
||||
// allow same origin to frame our site to support iframe SockJS
|
||||
.frameOptions().sameOrigin()
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
|
||||
.frameOptions(frameOptions ->
|
||||
frameOptions
|
||||
.sameOrigin()
|
||||
)
|
||||
)
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
...
|
||||
)
|
||||
...
|
||||
----
|
||||
|
||||
|
|
Loading…
Reference in New Issue