diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc
index dc249e34d3..529f526eae 100644
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc
@@ -217,12 +217,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
 @Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 http
- .authorizeExchange()
- .anyExchange().authenticated()
- .and()
- .oauth2ResourceServer()
- .jwt()
- .decoder(myCustomDecoder());
+ .authorizeExchange(exchanges ->
+ exchanges
+ .anyExchange().authenticated()
+ )
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .jwt(jwt ->
+ jwt
+ .decoder(myCustomDecoder())
+ )
+ );
 return http.build();
 }
 ----
@@ -425,12 +430,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
 @Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 http
- .authorizeExchange()
- .anyExchange().authenticated()
- .and()
- .oauth2ResourceServer()
- .jwt()
- .jwtAuthenticationConverter(grantedAuthoritiesExtractor());
+ .authorizeExchange(exchanges ->
+ exchanges
+ .anyExchange().authenticated()
+ )
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .jwt(jwt ->
+ jwt
+ .jwtAuthenticationConverter(grantedAuthoritiesExtractor())
+ )
+ );
 return http.build();
 }
@@ -667,9 +677,10 @@ When use Opaque Token, this `SecurityWebFilterChain` looks like:
 @Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 http
- .authorizeExchange()
- .anyExchange().authenticated()
- .and()
+ .authorizeExchange(exchanges ->
+ exchanges
+ .anyExchange().authenticated()
+ )
 .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)
 return http.build();
 }
@@ -686,13 +697,18 @@ public class MyCustomSecurityConfiguration {
 @Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 http
- .authorizeExchange()
- .pathMatchers("/messages/**").hasAuthority("SCOPE_message:read")
- .anyExchange().authenticated()
- .and()
- .oauth2ResourceServer()
- .opaqueToken()
- .introspector(myIntrospector());
+ .authorizeExchange(exchanges ->
+ exchanges
+ .pathMatchers("/messages/**").hasAuthority("SCOPE_message:read")
+ .anyExchange().authenticated()
+ )
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .opaqueToken(opaqueToken ->
+ opaqueToken
+ .introspector(myIntrospector())
+ )
+ );
 return http.build();
 }
 }
@@ -728,13 +744,18 @@ public class DirectlyConfiguredIntrospectionUri {
 @Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 http
- .authorizeExchange()
- .anyExchange().authenticated()
- .and()
- .oauth2ResourceServer()
- .opaqueToken()
- .introspectionUri("https://idp.example.com/introspect")
- .introspectionClientCredentials("client", "secret");
+ .authorizeExchange(exchanges ->
+ exchanges
+ .anyExchange().authenticated()
+ )
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .opaqueToken(opaqueToken ->
+ opaqueToken
+ .introspectionUri("https://idp.example.com/introspect")
+ .introspectionClientCredentials("client", "secret")
+ )
+ );
 return http.build();
 }
 }
@@ -754,12 +775,17 @@ public class DirectlyConfiguredIntrospector {
 @Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 http
- .authorizeExchange()
- .anyExchange().authenticated()
- .and()
- .oauth2ResourceServer()
- .opaqueToken()
- .introspector(myCustomIntrospector());
+ .authorizeExchange(exchanges ->
+ exchanges
+ .anyExchange().authenticated()
+ )
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .opaqueToken(opaqueToken ->
+ opaqueToken
+ .introspector(myCustomIntrospector())
+ )
+ );
 return http.build();
 }
 }
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc
index c0f58466a1..40a6003c67 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc
@@ -140,9 +140,11 @@ or in Java configuration
 [source,java]
 ----
 http
- .authorizeRequests()
- .antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
- ...
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
+ ...
+ )
 ----
 [[el-access-web-path-variables]]
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc
index bee1e52d99..d540827334 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc
@@ -128,10 +128,11 @@ The first is a `WebSecurityConfigurerAdapter` that configures the app as a resou
 ----
 protected void configure(HttpSecurity http) {
 http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
+ .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
 }
 ----
@@ -145,13 +146,18 @@ Replacing this is as simple as exposing the bean within the application: public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests() - .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") - .anyRequest().authenticated() - .and() - .oauth2ResourceServer() - .jwt() - .jwtAuthenticationConverter(myConverter()); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .jwt(jwt -> + jwt + .jwtAuthenticationConverter(myConverter()) + ) + ); } } ---- @@ -188,12 +194,17 @@ An authorization server's JWK Set Uri can be configured < + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .jwt(jwt -> + jwt + .jwkSetUri("https://idp.example.com/.well-known/jwks.json") + ) + ); } } ---- @@ -211,12 +222,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .oauth2ResourceServer() - .jwt() - .decoder(myCustomDecoder()); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .jwt(jwt -> + jwt + .decoder(myCustomDecoder()) + ) + ); } } ---- 
@@ -444,12 +460,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
 public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
 protected void configure(HttpSecurity http) {
 http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .oauth2ResourceServer()
- .jwt()
- .jwtAuthenticationConverter(grantedAuthoritiesExtractor());
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .jwt(jwt ->
+ jwt
+ .jwtAuthenticationConverter(grantedAuthoritiesExtractor())
+ )
+ );
 }
 }
@@ -806,10 +827,11 @@ When use Opaque Token, this `WebSecurityConfigurerAdapter` looks like:
 ----
 protected void configure(HttpSecurity http) {
 http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken)
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
+ .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
 }
 ----
@@ -823,13 +845,18 @@ Replacing this is as simple as exposing the bean within the application:
 public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
 protected void configure(HttpSecurity http) {
 http
- .authorizeRequests()
- .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
- .anyRequest().authenticated()
- .and()
- .oauth2ResourceServer()
- .opaqueToken()
- .introspector(myIntrospector());
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
+ .anyRequest().authenticated()
+ )
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .opaqueToken(opaqueToken ->
+ opaqueToken
+ .introspector(myIntrospector())
+ )
+ );
 }
 }
 ----
@@ -863,13 +890,18 @@ An authorization server's Introspection Uri can be configured < + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .opaqueToken(opaqueToken -> + opaqueToken + .introspectionUri("https://idp.example.com/introspect") + .introspectionClientCredentials("client", "secret") + ) + ); } } ---- @@ -887,12 +919,17 @@ More powerful than `introspectionUri()` is `introspector()`, which will complete public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .oauth2ResourceServer() - .opaqueToken() - .introspector(myCustomIntrospector()); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .opaqueToken(opaqueToken -> + opaqueToken + .introspector(myCustomIntrospector()) + ) + ); } } ---- @@ -1182,11 +1219,14 @@ And then specify this `AuthenticationManagerResolver` in the DSL: [source,java] ---- http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .oauth2ResourceServer() - .authenticationManagerResolver(this.tokenAuthenticationManagerResolver); + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) + .oauth2ResourceServer(oauth2ResourceServer -> + oauth2ResourceServer + .authenticationManagerResolver(this.tokenAuthenticationManagerResolver) + ); ---- [[oauth2resourceserver-multitenancy]] 
@@ -1248,11 +1288,14 @@ And then specify this `AuthenticationManagerResolver` in the DSL:
 [source,java]
 ----
 http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .oauth2ResourceServer()
- .authenticationManagerResolver(this.tenantAuthenticationManagerResolver);
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .authenticationManagerResolver(this.tenantAuthenticationManagerResolver)
+ );
 ----
 ==== Resolving the Tenant By Claim
@@ -1303,11 +1346,14 @@ public class TenantAuthenticationManagerResolver implements AuthenticationManage
 [source,java]
 ----
 http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .oauth2ResourceServer()
- .authenticationManagerResolver(this.tenantAuthenticationManagerResolver);
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .authenticationManagerResolver(this.tenantAuthenticationManagerResolver)
+ );
 ----
 ==== Parsing the Claim Only Once
@@ -1451,8 +1497,10 @@ To achieve this, you can wire a `HeaderBearerTokenResolver` instance into the DS
 [source,java]
 ----
 http
- .oauth2ResourceServer()
- .bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion"));
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion"))
+ );
 ----
 ==== Reading the Bearer Token from a Form Parameter
@@ -1464,8 +1512,10 @@ Or, you may wish to read the token from a form parameter, which you can do by co
 DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver();
 resolver.setAllowFormEncodedBodyParameter(true);
 http
- .oauth2ResourceServer()
- .bearerTokenResolver(resolver);
+ .oauth2ResourceServer(oauth2ResourceServer ->
+ oauth2ResourceServer
+ .bearerTokenResolver(resolver)
+ );
 ----
 === Bearer Token Propagation
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
index 71cfa96c55..0a7d504926 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
@@ -85,10 +85,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .saml2Login()
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
+ .saml2Login(withDefaults())
 ;
 }
 }
@@ -104,11 +105,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .saml2Login()
- .relyingPartyRegistrationRepository(...)
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
+ .saml2Login(saml2Login ->
+ saml2Login
+ .relyingPartyRegistrationRepository(...)
+ )
 ;
 }
 }
@@ -258,11 +262,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 };
 http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .saml2Login()
- .addObjectPostProcessor(processor)
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
+ .saml2Login(saml2Login ->
+ saml2Login
+ .addObjectPostProcessor(processor)
+ )
 ;
 }
 }
@@ -284,11 +291,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 authProvider.setAuthoritiesMapper(AUTHORITIES_MAPPER);
 authProvider.setAuthoritiesExtractor(AUTHORITIES_EXTRACTOR);
 http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .saml2Login()
- .authenticationManager(new ProviderManager(asList(authProvider)))
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
+ .saml2Login(saml2Login ->
+ saml2Login
+ .authenticationManager(new ProviderManager(asList(authProvider)))
+ )
 ;
 }
 }
@@ -309,11 +319,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 protected void configure(HttpSecurity http) throws Exception {
 AuthenticationManager authenticationManager = new MySaml2AuthenticationManager(...);
 http
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .saml2Login()
- .authenticationManager(authenticationManager)
+ .authorizeRequests(authorizeRequests ->
+ authorizeRequests
+ .anyRequest().authenticated()
+ )
+ .saml2Login(saml2Login ->
+ saml2Login
+ .authenticationManager(authenticationManager)
+ )
 ;
 }
 }