SEC-2436: Add @EnableWebMvcSecurity

2025-05-30 16:52:13 +00:00 · 2013-12-14 14:39:52 -06:00 · 2013-12-14 14:39:52 -06:00 · b7041ed00e
commit b7041ed00e
parent 053c890a69
17 changed files with 82 additions and 66 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
@ -77,7 +77,7 @@ import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
@Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value={java.lang.annotation.ElementType.TYPE})
@Documented
-@Import({WebSecurityConfiguration.class,ObjectPostProcessorConfiguration.class,AuthenticationConfiguration.class, SpringWebMvcImportSelector.class})
+@Import({WebSecurityConfiguration.class,ObjectPostProcessorConfiguration.class,AuthenticationConfiguration.class})
 public @interface EnableWebSecurity {

    /**
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/SpringWebMvcImportSelector.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/SpringWebMvcImportSelector.java
@ -1,39 +0,0 @@
-/*
- * Copyright 2002-2013 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.config.annotation.web.configuration;
-
-import org.springframework.context.annotation.ImportSelector;
-import org.springframework.core.type.AnnotationMetadata;
-import org.springframework.util.ClassUtils;
-
-/**
- * Used by {@link EnableWebSecurity} to conditionaly import
- * {@link WebMvcSecurityConfiguration} when the DispatcherServlet is present on the
- * classpath.
- *
- * @author Rob Winch
- * @since 3.2
- */
-class SpringWebMvcImportSelector implements ImportSelector {
-
-    /* (non-Javadoc)
-     * @see org.springframework.context.annotation.ImportSelector#selectImports(org.springframework.core.type.AnnotationMetadata)
-     */
-    public String[] selectImports(AnnotationMetadata importingClassMetadata) {
-        boolean webmvcPresent = ClassUtils.isPresent("org.springframework.web.servlet.DispatcherServlet", getClass().getClassLoader());
-        return webmvcPresent ? new String[] {"org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration"} : new String[] {};
-    }
-}
--- a/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java
@ -0,0 +1,37 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.servlet.configuration;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import org.springframework.context.annotation.Import;
+
+
+/**
+ * Add this annotation to an {@code @Configuration} class to have the Spring Security
+ * configuration integrate with Spring MVC.
+ *
+ * @author Rob Winch
+ * @since 3.2
+ */
+@Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME)
+@Target(value={java.lang.annotation.ElementType.TYPE})
+@Documented
+@Import(WebMvcSecurityConfiguration.class)
+public @interface EnableWebMvcSecurity {
+}
--- a/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/WebMvcSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/WebMvcSecurityConfiguration.java
@ -13,12 +13,13 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package org.springframework.security.config.annotation.web.configuration;
+package org.springframework.security.config.annotation.web.servlet.configuration;

 import java.util.List;

 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver;
 import org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor;
 import org.springframework.web.method.support.HandlerMethodArgumentResolver;
@ -38,7 +39,8 @@ import org.springframework.web.servlet.support.RequestDataValueProcessor;
 * @since 3.2
 */
@Configuration
-class WebMvcSecurityConfiguration extends WebMvcConfigurerAdapter {
+@EnableWebSecurity
+public class WebMvcSecurityConfiguration extends WebMvcConfigurerAdapter {

    @Override
    public void addArgumentResolvers(
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy
@ -25,6 +25,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
 import org.springframework.security.web.access.AccessDeniedHandler
 import org.springframework.security.web.csrf.CsrfFilter
 import org.springframework.security.web.csrf.CsrfTokenRepository
@ -70,7 +71,7 @@ class CsrfConfigurerTests extends BaseSpringSpec {
    }

    @Configuration
-    @EnableWebSecurity
+    @EnableWebMvcSecurity
    static class CsrfAppliedDefaultConfig extends WebSecurityConfigurerAdapter {

        @Override
--- a/docs/guides/src/asciidoc/hellomvc.asc
+++ b/docs/guides/src/asciidoc/hellomvc.asc
@ -110,10 +110,25 @@ We can view the user name, but how are we able to log out? Below you can see how
    <input type="submit" value="Log out" />
 </form>
 ----
+
+If you try to log out right now the request will fail. The reason is that we have not enabled the Spring MVC integration. Update our configuration to use the `@EnableWebMvcSecurity` annotation instead.
+
+.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+[source,java]
+----
+import org.springframework.security.config.annotation.web.servlet.configuration.*;
+
+@Configuration
+@EnableWebMvcSecurity
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+----
+
 In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:

 * the HTTP method must be a POST
-* the CSRF token must be added to the request. Since we are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it). If you were not using Spring MVC or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf
+* the CSRF token must be added to the request. Since we have used `@EnableWebMvcSecurity` and are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it). If you were not using Spring MVC taglibs or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf
+
+NOTE: `@EnableWebMvcSecurity` also adds `@EnableWebSecurity`, so there is no need to add both.

 Click the button and see that the application logs you out successfully.

--- a/samples/concurrency-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/concurrency-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -5,11 +5,11 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
--- a/samples/form-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/form-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -4,11 +4,11 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
--- a/samples/hellojs-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/hellojs-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -3,11 +3,11 @@ package org.springframework.security.samples.config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
--- a/samples/hellomvc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/hellomvc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -3,11 +3,11 @@ package org.springframework.security.samples.config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
--- a/samples/inmemory-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/inmemory-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -3,11 +3,11 @@ package org.springframework.security.samples.config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
--- a/samples/jdbc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/jdbc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -6,11 +6,11 @@ import javax.sql.DataSource;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private DataSource dataSource;
--- a/samples/ldap-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/ldap-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -3,11 +3,11 @@ package org.springframework.security.samples.config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    public void registerGlobalAuthentication(
--- a/samples/openid-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/openid-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -2,12 +2,12 @@ package org.springframework.security.samples.config;

 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
 import org.springframework.security.samples.security.CustomUserDetailsService;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
--- a/samples/preauth-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/preauth-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -2,11 +2,11 @@ package org.springframework.security.samples.config;

 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
--- a/samples/rememberme-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/rememberme-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -4,11 +4,11 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
--- a/samples/x509-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/x509-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -4,11 +4,11 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
-@EnableWebSecurity
+@EnableWebMvcSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired