Use lambda DSL in all samples in documentation
Issue: gh-7774
This commit is contained in:
parent
0295b51e78
commit
f109388211
|
@ -217,12 +217,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
|
|||
@Bean
|
||||
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
||||
http
|
||||
.authorizeExchange()
|
||||
.anyExchange().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.decoder(myCustomDecoder());
|
||||
.authorizeExchange(exchanges ->
|
||||
exchanges
|
||||
.anyExchange().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(jwt ->
|
||||
jwt
|
||||
.decoder(myCustomDecoder())
|
||||
)
|
||||
);
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
|
@ -425,12 +430,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
|
|||
@Bean
|
||||
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
||||
http
|
||||
.authorizeExchange()
|
||||
.anyExchange().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.jwtAuthenticationConverter(grantedAuthoritiesExtractor());
|
||||
.authorizeExchange(exchanges ->
|
||||
exchanges
|
||||
.anyExchange().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(jwt ->
|
||||
jwt
|
||||
.jwtAuthenticationConverter(grantedAuthoritiesExtractor())
|
||||
)
|
||||
);
|
||||
return http.build();
|
||||
}
|
||||
|
||||
|
@ -667,9 +677,10 @@ When use Opaque Token, this `SecurityWebFilterChain` looks like:
|
|||
@Bean
|
||||
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
||||
http
|
||||
.authorizeExchange()
|
||||
.anyExchange().authenticated()
|
||||
.and()
|
||||
.authorizeExchange(exchanges ->
|
||||
exchanges
|
||||
.anyExchange().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)
|
||||
return http.build();
|
||||
}
|
||||
|
@ -686,13 +697,18 @@ public class MyCustomSecurityConfiguration {
|
|||
@Bean
|
||||
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
||||
http
|
||||
.authorizeExchange()
|
||||
.pathMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
||||
.anyExchange().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.opaqueToken()
|
||||
.introspector(myIntrospector());
|
||||
.authorizeExchange(exchanges ->
|
||||
exchanges
|
||||
.pathMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
||||
.anyExchange().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.opaqueToken(opaqueToken ->
|
||||
opaqueToken
|
||||
.introspector(myIntrospector())
|
||||
)
|
||||
);
|
||||
return http.build();
|
||||
}
|
||||
}
|
||||
|
@ -728,13 +744,18 @@ public class DirectlyConfiguredIntrospectionUri {
|
|||
@Bean
|
||||
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
||||
http
|
||||
.authorizeExchange()
|
||||
.anyExchange().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.opaqueToken()
|
||||
.introspectionUri("https://idp.example.com/introspect")
|
||||
.introspectionClientCredentials("client", "secret");
|
||||
.authorizeExchange(exchanges ->
|
||||
exchanges
|
||||
.anyExchange().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.opaqueToken(opaqueToken ->
|
||||
opaqueToken
|
||||
.introspectionUri("https://idp.example.com/introspect")
|
||||
.introspectionClientCredentials("client", "secret")
|
||||
)
|
||||
);
|
||||
return http.build();
|
||||
}
|
||||
}
|
||||
|
@ -754,12 +775,17 @@ public class DirectlyConfiguredIntrospector {
|
|||
@Bean
|
||||
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
||||
http
|
||||
.authorizeExchange()
|
||||
.anyExchange().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.opaqueToken()
|
||||
.introspector(myCustomIntrospector());
|
||||
.authorizeExchange(exchanges ->
|
||||
exchanges
|
||||
.anyExchange().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.opaqueToken(opaqueToken ->
|
||||
opaqueToken
|
||||
.introspector(myCustomIntrospector())
|
||||
)
|
||||
);
|
||||
return http.build();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -140,9 +140,11 @@ or in Java configuration
|
|||
[source,java]
|
||||
----
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
|
||||
...
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
|
||||
...
|
||||
)
|
||||
----
|
||||
|
||||
[[el-access-web-path-variables]]
|
||||
|
|
|
@ -128,10 +128,11 @@ The first is a `WebSecurityConfigurerAdapter` that configures the app as a resou
|
|||
----
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
|
||||
}
|
||||
----
|
||||
|
||||
|
@ -145,13 +146,18 @@ Replacing this is as simple as exposing the bean within the application:
|
|||
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.jwtAuthenticationConverter(myConverter());
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(jwt ->
|
||||
jwt
|
||||
.jwtAuthenticationConverter(myConverter())
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -188,12 +194,17 @@ An authorization server's JWK Set Uri can be configured <<oauth2resourceserver-j
|
|||
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.jwkSetUri("https://idp.example.com/.well-known/jwks.json");
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(jwt ->
|
||||
jwt
|
||||
.jwkSetUri("https://idp.example.com/.well-known/jwks.json")
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -211,12 +222,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
|
|||
public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.decoder(myCustomDecoder());
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(jwt ->
|
||||
jwt
|
||||
.decoder(myCustomDecoder())
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -444,12 +460,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
|
|||
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
.jwtAuthenticationConverter(grantedAuthoritiesExtractor());
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.jwt(jwt ->
|
||||
jwt
|
||||
.jwtAuthenticationConverter(grantedAuthoritiesExtractor())
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -806,10 +827,11 @@ When use Opaque Token, this `WebSecurityConfigurerAdapter` looks like:
|
|||
----
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken)
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
|
||||
}
|
||||
----
|
||||
|
||||
|
@ -823,13 +845,18 @@ Replacing this is as simple as exposing the bean within the application:
|
|||
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.opaqueToken()
|
||||
.introspector(myIntrospector());
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.opaqueToken(opaqueToken ->
|
||||
opaqueToken
|
||||
.introspector(myIntrospector())
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -863,13 +890,18 @@ An authorization server's Introspection Uri can be configured <<oauth2resourcese
|
|||
public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.opaqueToken()
|
||||
.introspectionUri("https://idp.example.com/introspect")
|
||||
.introspectionClientCredentials("client", "secret");
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.opaqueToken(opaqueToken ->
|
||||
opaqueToken
|
||||
.introspectionUri("https://idp.example.com/introspect")
|
||||
.introspectionClientCredentials("client", "secret")
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -887,12 +919,17 @@ More powerful than `introspectionUri()` is `introspector()`, which will complete
|
|||
public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter {
|
||||
protected void configure(HttpSecurity http) {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.opaqueToken()
|
||||
.introspector(myCustomIntrospector());
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.opaqueToken(opaqueToken ->
|
||||
opaqueToken
|
||||
.introspector(myCustomIntrospector())
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
@ -1182,11 +1219,14 @@ And then specify this `AuthenticationManagerResolver` in the DSL:
|
|||
[source,java]
|
||||
----
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.authenticationManagerResolver(this.tokenAuthenticationManagerResolver);
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.authenticationManagerResolver(this.tokenAuthenticationManagerResolver)
|
||||
);
|
||||
----
|
||||
|
||||
[[oauth2resourceserver-multitenancy]]
|
||||
|
@ -1248,11 +1288,14 @@ And then specify this `AuthenticationManagerResolver` in the DSL:
|
|||
[source,java]
|
||||
----
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver);
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver)
|
||||
);
|
||||
----
|
||||
|
||||
==== Resolving the Tenant By Claim
|
||||
|
@ -1303,11 +1346,14 @@ public class TenantAuthenticationManagerResolver implements AuthenticationManage
|
|||
[source,java]
|
||||
----
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver);
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver)
|
||||
);
|
||||
----
|
||||
|
||||
==== Parsing the Claim Only Once
|
||||
|
@ -1451,8 +1497,10 @@ To achieve this, you can wire a `HeaderBearerTokenResolver` instance into the DS
|
|||
[source,java]
|
||||
----
|
||||
http
|
||||
.oauth2ResourceServer()
|
||||
.bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion"));
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion"))
|
||||
);
|
||||
----
|
||||
|
||||
==== Reading the Bearer Token from a Form Parameter
|
||||
|
@ -1464,8 +1512,10 @@ Or, you may wish to read the token from a form parameter, which you can do by co
|
|||
DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver();
|
||||
resolver.setAllowFormEncodedBodyParameter(true);
|
||||
http
|
||||
.oauth2ResourceServer()
|
||||
.bearerTokenResolver(resolver);
|
||||
.oauth2ResourceServer(oauth2ResourceServer ->
|
||||
oauth2ResourceServer
|
||||
.bearerTokenResolver(resolver)
|
||||
);
|
||||
----
|
||||
|
||||
=== Bearer Token Propagation
|
||||
|
|
|
@ -85,10 +85,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.saml2Login()
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.saml2Login(withDefaults())
|
||||
;
|
||||
}
|
||||
}
|
||||
|
@ -104,11 +105,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.saml2Login()
|
||||
.relyingPartyRegistrationRepository(...)
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.saml2Login(saml2Login ->
|
||||
saml2Login
|
||||
.relyingPartyRegistrationRepository(...)
|
||||
)
|
||||
;
|
||||
}
|
||||
}
|
||||
|
@ -258,11 +262,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
};
|
||||
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.saml2Login()
|
||||
.addObjectPostProcessor(processor)
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.saml2Login(saml2Login ->
|
||||
saml2Login
|
||||
.addObjectPostProcessor(processor)
|
||||
)
|
||||
;
|
||||
}
|
||||
}
|
||||
|
@ -284,11 +291,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
authProvider.setAuthoritiesMapper(AUTHORITIES_MAPPER);
|
||||
authProvider.setAuthoritiesExtractor(AUTHORITIES_EXTRACTOR);
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.saml2Login()
|
||||
.authenticationManager(new ProviderManager(asList(authProvider)))
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.saml2Login(saml2Login ->
|
||||
saml2Login
|
||||
.authenticationManager(new ProviderManager(asList(authProvider)))
|
||||
)
|
||||
;
|
||||
}
|
||||
}
|
||||
|
@ -309,11 +319,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
protected void configure(HttpSecurity http) throws Exception {
|
||||
AuthenticationManager authenticationManager = new MySaml2AuthenticationManager(...);
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.saml2Login()
|
||||
.authenticationManager(authenticationManager)
|
||||
.authorizeRequests(authorizeRequests ->
|
||||
authorizeRequests
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.saml2Login(saml2Login ->
|
||||
saml2Login
|
||||
.authenticationManager(authenticationManager)
|
||||
)
|
||||
;
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue