Use http security nested builder in docs

Issue: gh-5557
Eleftheria Stein 2019-07-12 13:58:17 -04:00
parent 7961b819aa
commit b004f9f677
10 changed files with 507 additions and 335 deletions


@ -104,8 +104,10 @@ If we wanted to restrict access to this controller method to admin users, a deve
----
protected configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/admin").hasRole("ADMIN");
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/admin").hasRole("ADMIN")
);
}
----
@ -133,8 +135,10 @@ The following configuration will protect the same URLs that Spring MVC will matc
----
protected configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.mvcMatchers("/admin").hasRole("ADMIN");
.authorizeRequests(authorizeRequests ->
authorizeRequests
.mvcMatchers("/admin").hasRole("ADMIN")
);
}
----


@ -16,15 +16,25 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Login()
.authorizationEndpoint()
.oauth2Login(oauth2Login ->
oauth2Login
.authorizationEndpoint(authorizationEndpoint ->
authorizationEndpoint
...
.redirectionEndpoint()
)
.redirectionEndpoint(redirectionEndpoint ->
redirectionEndpoint
...
.tokenEndpoint()
)
.tokenEndpoint(tokenEndpoint ->
tokenEndpoint
...
.userInfoEndpoint()
)
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
...
)
);
}
}
----
@ -58,27 +68,34 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Login()
.oauth2Login(oauth2Login ->
oauth2Login
.clientRegistrationRepository(this.clientRegistrationRepository())
.authorizedClientRepository(this.authorizedClientRepository())
.authorizedClientService(this.authorizedClientService())
.loginPage("/login")
.authorizationEndpoint()
.authorizationEndpoint(authorizationEndpoint ->
authorizationEndpoint
.baseUri(this.authorizationRequestBaseUri())
.authorizationRequestRepository(this.authorizationRequestRepository())
.authorizationRequestResolver(this.authorizationRequestResolver())
.and()
.redirectionEndpoint()
)
.redirectionEndpoint(redirectionEndpoint ->
redirectionEndpoint
.baseUri(this.authorizationResponseBaseUri())
.and()
.tokenEndpoint()
)
.tokenEndpoint(tokenEndpoint ->
tokenEndpoint
.accessTokenResponseClient(this.accessTokenResponseClient())
.and()
.userInfoEndpoint()
)
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
.userAuthoritiesMapper(this.userAuthoritiesMapper())
.userService(this.oauth2UserService())
.oidcUserService(this.oidcUserService())
.customUserType(GitHubOAuth2User.class, "github");
.customUserType(GitHubOAuth2User.class, "github")
)
);
}
}
----
@ -123,12 +140,16 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Login()
.oauth2Login(oauth2Login ->
oauth2Login
.loginPage("/login/oauth2")
...
.authorizationEndpoint()
.authorizationEndpoint(authorizationEndpoint ->
authorizationEndpoint
.baseUri("/login/oauth2/authorization")
....
...
)
);
}
}
----
@ -171,10 +192,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Login()
.redirectionEndpoint()
.oauth2Login(oauth2Login ->
oauth2Login
.redirectionEndpoint(redirectionEndpoint ->
redirectionEndpoint
.baseUri("/login/oauth2/callback/*")
....
...
)
);
}
}
----
@ -234,10 +259,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Login()
.userInfoEndpoint()
.oauth2Login(oauth2Login ->
oauth2Login
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
.userAuthoritiesMapper(this.userAuthoritiesMapper())
...
)
);
}
private GrantedAuthoritiesMapper userAuthoritiesMapper() {
@ -280,7 +309,8 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.oauth2Login();
http
.oauth2Login(withDefaults());
}
@Bean
@ -308,10 +338,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Login()
.userInfoEndpoint()
.oauth2Login(oauth2Login ->
oauth2Login
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
.oidcUserService(this.oidcUserService())
...
)
);
}
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
@ -355,10 +389,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Login()
.userInfoEndpoint()
.oauth2Login(oauth2Login ->
oauth2Login
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
.customUserType(GitHubOAuth2User.class, "github")
...
)
);
}
}
----
@ -469,10 +507,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Login()
.userInfoEndpoint()
.oauth2Login(oauth2Login ->
oauth2Login
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
.userService(this.oauth2UserService())
...
)
);
}
private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
@ -501,10 +543,14 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Login()
.userInfoEndpoint()
.oauth2Login(oauth2Login ->
oauth2Login
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
.oidcUserService(this.oidcUserService())
...
)
);
}
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {


@ -169,9 +169,11 @@ or in Java configuration
[source,java]
----
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/user/{userId}/**").access("@webSecurity.checkUserId(authentication,#userId)")
...
);
----
In both configurations URLs that match would pass in the path variable (and convert it) into checkUserId method.


@ -137,12 +137,12 @@ How does Spring Security know that we want to require all users to be authentica
----
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic();
)
.formLogin(withDefaults())
.httpBasic(withDefaults());
}
----
@ -163,10 +163,6 @@ You will notice that this configuration is quite similar the XML Namespace confi
</http>
----
The Java Configuration equivalent of closing an XML tag is expressed using the `and()` method which allows us to continue configuring the parent.
If you read the code it also makes sense.
I want to configure authorized requests __and__ configure form login __and__ configure HTTP Basic authentication.
[[jc-form]]
== Java Configuration and Form Login
You might be wondering where the login form came from when you were prompted to log in, since we made no mention of any HTML files or JSPs.
@ -180,12 +176,15 @@ To do so we can update our configuration as seen below:
----
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.formLogin()
)
.formLogin(formLogin ->
formLogin
.loginPage("/login") // <1>
.permitAll(); // <2>
.permitAll() // <2>
);
}
----
@ -245,14 +244,14 @@ For example:
----
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests() <1>
.antMatchers("/resources/**", "/signup", "/about").permitAll() <2>
.antMatchers("/admin/**").hasRole("ADMIN") <3>
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") <4>
.anyRequest().authenticated() <5>
.and()
// ...
.formLogin();
.authorizeRequests(authorizeRequests -> // <1>
authorizeRequests
.antMatchers("/resources/**", "/signup", "/about").permitAll() // <2>
.antMatchers("/admin/**").hasRole("ADMIN") // <3>
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4>
.anyRequest().authenticated() // <5>
)
.formLogin(withDefaults());
}
----
@ -282,14 +281,15 @@ Similar to configuring login capabilities, however, you also have various option
----
protected void configure(HttpSecurity http) throws Exception {
http
.logout() <1>
.logoutUrl("/my/logout") <2>
.logoutSuccessUrl("/my/index") <3>
.logoutSuccessHandler(logoutSuccessHandler) <4>
.invalidateHttpSession(true) <5>
.addLogoutHandler(logoutHandler) <6>
.deleteCookies(cookieNamesToClear) <7>
.and()
.logout(logout -> // <1>
logout
.logoutUrl("/my/logout") // <2>
.logoutSuccessUrl("/my/index") // <3>
.logoutSuccessHandler(logoutSuccessHandler) // <4>
.invalidateHttpSession(true) // <5>
.addLogoutHandler(logoutHandler) // <6>
.deleteCookies(cookieNamesToClear) // <7>
)
...
}
----
@ -510,11 +510,14 @@ The first is a `WebSecurityConfigurerAdapter` that configures the app as a resou
```java
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(withDefaults())
);
}
```
@ -527,13 +530,18 @@ Replacing this is as simple as exposing the bean within the application:
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(myConverter());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.jwtAuthenticationConverter(myConverter())
)
);
}
}
```
@ -565,12 +573,17 @@ An authorization server's JWK Set Uri can be configured <<oauth2resourceserver-j
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwkSetUri("https://idp.example.com/.well-known/jwks.json");
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.jwkSetUri("https://idp.example.com/.well-known/jwks.json")
)
);
}
}
```
@ -587,12 +600,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.decoder(myCustomDecoder());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.decoder(myCustomDecoder())
)
);
}
}
```
@ -627,13 +645,16 @@ This means that to protect an endpoint or method with a scope derived from a JWT
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
.mvcMatchers("/messages/**").hasAuthority("SCOPE_messages")
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(withDefaults())
);
}
}
```
@ -659,12 +680,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(grantedAuthoritiesExtractor());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.jwtAuthenticationConverter(grantedAuthoritiesExtractor())
)
);
}
}
@ -1078,10 +1104,11 @@ public class MultiHttpSecurityConfig {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/api/**") <3>
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().hasRole("ADMIN")
.and()
.httpBasic();
)
.httpBasic(withDefaults());
}
}
@ -1091,10 +1118,11 @@ public class MultiHttpSecurityConfig {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.formLogin();
)
.formLogin(withDefaults());
}
}
}
@ -1221,7 +1249,8 @@ For example, if you wanted to configure the `filterSecurityPublishAuthorizationS
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
public <O extends FilterSecurityInterceptor> O postProcess(
@ -1229,7 +1258,8 @@ protected void configure(HttpSecurity http) throws Exception {
fsi.setPublishAuthorizationSuccess(true);
return fsi;
}
});
})
);
}
----


@ -20,14 +20,18 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Client()
.oauth2Client(oauth2Client ->
oauth2Client
.clientRegistrationRepository(this.clientRegistrationRepository())
.authorizedClientRepository(this.authorizedClientRepository())
.authorizedClientService(this.authorizedClientService())
.authorizationCodeGrant()
.authorizationCodeGrant(authorizationCodeGrant ->
authorizationCodeGrant
.authorizationRequestRepository(this.authorizationRequestRepository())
.authorizationRequestResolver(this.authorizationRequestResolver())
.accessTokenResponseClient(this.accessTokenResponseClient());
.accessTokenResponseClient(this.accessTokenResponseClient())
)
);
}
}
----
@ -245,10 +249,14 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Client()
.authorizationCodeGrant()
.oauth2Client(oauth2Client ->
oauth2Client
.authorizationCodeGrant(authorizationCodeGrant ->
authorizationCodeGrant
.authorizationRequestRepository(this.cookieAuthorizationRequestRepository())
...
)
);
}
private AuthorizationRequestRepository<OAuth2AuthorizationRequest> cookieAuthorizationRequestRepository() {
@ -285,14 +293,19 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2Login()
.authorizationEndpoint()
)
.oauth2Login(oauth2Login ->
oauth2Login
.authorizationEndpoint(authorizationEndpoint ->
authorizationEndpoint
.authorizationRequestResolver(
new CustomAuthorizationRequestResolver(
this.clientRegistrationRepository)); <1>
this.clientRegistrationRepository)) <1>
)
);
}
}
@ -422,10 +435,14 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Client()
.authorizationCodeGrant()
.oauth2Client(oauth2Client ->
oauth2Client
.authorizationCodeGrant(authorizationCodeGrant ->
authorizationCodeGrant
.accessTokenResponseClient(this.customAccessTokenResponseClient())
...
)
);
}
private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> customAccessTokenResponseClient() {


@ -285,10 +285,11 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2Login();
)
.oauth2Login(withDefaults());
}
}
----
@ -310,10 +311,11 @@ public class OAuth2LoginConfig {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2Login();
)
.oauth2Login(withDefaults());
}
}
@ -358,10 +360,11 @@ public class OAuth2LoginConfig {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2Login();
)
.oauth2Login(withDefaults());
}
}


@ -18,7 +18,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// by default uses a Bean by the name of corsConfigurationSource
.cors().and()
.cors(withDefaults())
...
}
@ -59,7 +59,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
http
// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
// Spring Security will use CORS configuration provided to Spring MVC
.cors().and()
.cors(withDefaults())
...
}
}


@ -187,7 +187,9 @@ WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable();
.csrf(csrf ->
csrf.disable()
);
}
}
----
@ -314,8 +316,10 @@ public class WebSecurityConfig extends
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
.csrf(csrf ->
csrf
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
);
}
}
----
@ -391,8 +395,10 @@ WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
.logout(logout ->
logout
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
);
}
}
----


@ -60,9 +60,15 @@ public class WebSecurityConfig extends
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.frameOptions().sameOrigin()
.httpStrictTransportSecurity().disable();
.headers(headers ->
headers
.frameOptions(frameOptions ->
frameOptions.sameOrigin()
)
.httpStrictTransportSecurity(hsts ->
hsts.disable()
)
);
}
}
----
@ -96,10 +102,12 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.headers(headers ->
headers
// do not use any default headers unless explicitly listed
.defaultsDisabled()
.cacheControl();
.cacheControl(withDefaults())
);
}
}
----
@ -130,7 +138,9 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers().disable();
.headers(headers ->
headers.disable()
);
}
}
----
@ -186,9 +196,11 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.headers(headers ->
headers
.defaultsDisabled()
.cacheControl();
.cacheControl(withDefaults())
);
}
}
----
@ -267,9 +279,11 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.headers(headers ->
headers
.defaultsDisabled()
.contentTypeOptions();
.contentTypeOptions(withDefaults())
);
}
}
----
@ -331,11 +345,15 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.httpStrictTransportSecurity()
.includeSubdomains(true)
.headers(headers ->
headers
.httpStrictTransportSecurity(hsts ->
hsts
.includeSubDomains(true)
.preload(true)
.maxAgeSeconds(31536000);
.maxAgeInSeconds(31536000)
)
);
}
}
----
@ -403,11 +421,15 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.httpPublicKeyPinning()
.includeSubdomains(true)
.headers(headers ->
headers
.httpPublicKeyPinning(hpkp ->
hpkp
.includeSubDomains(true)
.reportUri("https://example.net/pkp-report")
.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=")
)
);
}
}
----
@ -465,9 +487,13 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.frameOptions()
.sameOrigin();
.headers(headers ->
headers
.frameOptions(frameOptions ->
frameOptions
.sameOrigin()
)
);
}
}
----
@ -515,9 +541,13 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.xssProtection()
.block(false);
.headers(headers ->
headers
.xssProtection(xssProtection ->
xssProtection
.block(false)
)
);
}
}
----
@ -629,8 +659,13 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");
.headers(headers ->
headers
.contentSecurityPolicy(csp ->
csp
.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
)
);
}
}
----
@ -647,9 +682,14 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
.reportOnly();
.headers(headers ->
headers
.contentSecurityPolicy(csp ->
csp
.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
.reportOnly()
)
);
}
}
----
@ -711,8 +751,13 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.referrerPolicy(ReferrerPolicy.SAME_ORIGIN);
.headers(headers ->
headers
.referrerPolicy(referrerPolicy ->
referrerPolicy
.policy(ReferrerPolicy.SAME_ORIGIN)
)
);
}
}
----
@ -761,8 +806,10 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.featurePolicy("geolocation 'self'");
.headers(headers ->
headers
.featurePolicy("geolocation 'self'")
);
}
}
----
@ -808,8 +855,10 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value"));
.headers(headers ->
headers
.addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value"))
);
}
}
----
@ -853,8 +902,10 @@ WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
.headers(headers ->
headers
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
);
}
}
----
@ -910,9 +961,13 @@ protected void configure(HttpSecurity http) throws Exception {
new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter());
http
// ...
.headers()
.frameOptions().disabled()
.addHeaderWriter(headerWriter);
.headers(headers ->
headers
.frameOptions(frameOptions ->
frameOptions.disable()
)
.addHeaderWriter(headerWriter)
);
}
}
----


@ -323,9 +323,13 @@ public class WebSecurityConfig extends
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.frameOptions()
.sameOrigin();
.headers(headers ->
headers
.frameOptions(frameOptions ->
frameOptions
.sameOrigin()
)
);
}
}
----
@ -356,18 +360,23 @@ public class WebSecurityConfig
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.csrf(csrf ->
csrf
// ignore our stomp endpoints since they are protected using Stomp headers
.ignoringAntMatchers("/chat/**")
.and()
.headers()
)
.headers(headers ->
headers
// allow same origin to frame our site to support iframe SockJS
.frameOptions().sameOrigin()
.and()
.authorizeRequests()
.frameOptions(frameOptions ->
frameOptions
.sameOrigin()
)
)
.authorizeRequests(authorizeRequests ->
...
)
...
----