Use lambda DSL in all samples in documentation

Issue: gh-7774
Eleftheria Stein 2019-12-30 17:49:35 +01:00
parent 0295b51e78
commit f109388211
4 changed files with 225 additions and 134 deletions


@ -217,12 +217,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http http
.authorizeExchange() .authorizeExchange(exchanges ->
.anyExchange().authenticated() exchanges
.and() .anyExchange().authenticated()
.oauth2ResourceServer() )
.jwt() .oauth2ResourceServer(oauth2ResourceServer ->
.decoder(myCustomDecoder()); oauth2ResourceServer
.jwt(jwt ->
jwt
.decoder(myCustomDecoder())
)
);
return http.build(); return http.build();
} }
---- ----
@ -425,12 +430,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http http
.authorizeExchange() .authorizeExchange(exchanges ->
.anyExchange().authenticated() exchanges
.and() .anyExchange().authenticated()
.oauth2ResourceServer() )
.jwt() .oauth2ResourceServer(oauth2ResourceServer ->
.jwtAuthenticationConverter(grantedAuthoritiesExtractor()); oauth2ResourceServer
.jwt(jwt ->
jwt
.jwtAuthenticationConverter(grantedAuthoritiesExtractor())
)
);
return http.build(); return http.build();
} }
@ -667,9 +677,10 @@ When use Opaque Token, this `SecurityWebFilterChain` looks like:
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http http
.authorizeExchange() .authorizeExchange(exchanges ->
.anyExchange().authenticated() exchanges
.and() .anyExchange().authenticated()
)
.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken) .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)
return http.build(); return http.build();
} }
@ -686,13 +697,18 @@ public class MyCustomSecurityConfiguration {
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http http
.authorizeExchange() .authorizeExchange(exchanges ->
.pathMatchers("/messages/**").hasAuthority("SCOPE_message:read") exchanges
.anyExchange().authenticated() .pathMatchers("/messages/**").hasAuthority("SCOPE_message:read")
.and() .anyExchange().authenticated()
.oauth2ResourceServer() )
.opaqueToken() .oauth2ResourceServer(oauth2ResourceServer ->
.introspector(myIntrospector()); oauth2ResourceServer
.opaqueToken(opaqueToken ->
opaqueToken
.introspector(myIntrospector())
)
);
return http.build(); return http.build();
} }
} }
@ -728,13 +744,18 @@ public class DirectlyConfiguredIntrospectionUri {
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http http
.authorizeExchange() .authorizeExchange(exchanges ->
.anyExchange().authenticated() exchanges
.and() .anyExchange().authenticated()
.oauth2ResourceServer() )
.opaqueToken() .oauth2ResourceServer(oauth2ResourceServer ->
.introspectionUri("https://idp.example.com/introspect") oauth2ResourceServer
.introspectionClientCredentials("client", "secret"); .opaqueToken(opaqueToken ->
opaqueToken
.introspectionUri("https://idp.example.com/introspect")
.introspectionClientCredentials("client", "secret")
)
);
return http.build(); return http.build();
} }
} }
@ -754,12 +775,17 @@ public class DirectlyConfiguredIntrospector {
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http http
.authorizeExchange() .authorizeExchange(exchanges ->
.anyExchange().authenticated() exchanges
.and() .anyExchange().authenticated()
.oauth2ResourceServer() )
.opaqueToken() .oauth2ResourceServer(oauth2ResourceServer ->
.introspector(myCustomIntrospector()); oauth2ResourceServer
.opaqueToken(opaqueToken ->
opaqueToken
.introspector(myCustomIntrospector())
)
);
return http.build(); return http.build();
} }
} }
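Review bot: The opaque-token sample in the hunk at `@ -667,9 +677,10 @` still has no statement terminator, because `.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)` is followed directly by `return http.build();`, so the snippet does not compile as printed. The line is unchanged context, but the commit edits the sample around it, and the servlet samples further down this commit get their `;` added on the equivalent line. It should read `.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken);` here as well.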


@ -140,9 +140,11 @@ or in Java configuration
[source,java] [source,java]
---- ----
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.antMatchers("/user/**").access("@webSecurity.check(authentication,request)") authorizeRequests
... .antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
...
)
---- ----
[[el-access-web-path-variables]] [[el-access-web-path-variables]]


@ -128,10 +128,11 @@ The first is a `WebSecurityConfigurerAdapter` that configures the app as a resou
---- ----
protected void configure(HttpSecurity http) { protected void configure(HttpSecurity http) {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) )
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
} }
---- ----
@ -145,13 +146,18 @@ Replacing this is as simple as exposing the bean within the application:
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter { public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) { protected void configure(HttpSecurity http) {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") authorizeRequests
.anyRequest().authenticated() .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
.and() .anyRequest().authenticated()
.oauth2ResourceServer() )
.jwt() .oauth2ResourceServer(oauth2ResourceServer ->
.jwtAuthenticationConverter(myConverter()); oauth2ResourceServer
.jwt(jwt ->
jwt
.jwtAuthenticationConverter(myConverter())
)
);
} }
} }
---- ----
@ -188,12 +194,17 @@ An authorization server's JWK Set Uri can be configured <<oauth2resourceserver-j
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) { protected void configure(HttpSecurity http) {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.oauth2ResourceServer() )
.jwt() .oauth2ResourceServer(oauth2ResourceServer ->
.jwkSetUri("https://idp.example.com/.well-known/jwks.json"); oauth2ResourceServer
.jwt(jwt ->
jwt
.jwkSetUri("https://idp.example.com/.well-known/jwks.json")
)
);
} }
} }
---- ----
@ -211,12 +222,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter { public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) { protected void configure(HttpSecurity http) {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.oauth2ResourceServer() )
.jwt() .oauth2ResourceServer(oauth2ResourceServer ->
.decoder(myCustomDecoder()); oauth2ResourceServer
.jwt(jwt ->
jwt
.decoder(myCustomDecoder())
)
);
} }
} }
---- ----
@ -444,12 +460,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) { protected void configure(HttpSecurity http) {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.oauth2ResourceServer() )
.jwt() .oauth2ResourceServer(oauth2ResourceServer ->
.jwtAuthenticationConverter(grantedAuthoritiesExtractor()); oauth2ResourceServer
.jwt(jwt ->
jwt
.jwtAuthenticationConverter(grantedAuthoritiesExtractor())
)
);
} }
} }
@ -806,10 +827,11 @@ When use Opaque Token, this `WebSecurityConfigurerAdapter` looks like:
---- ----
protected void configure(HttpSecurity http) { protected void configure(HttpSecurity http) {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken) )
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
} }
---- ----
@ -823,13 +845,18 @@ Replacing this is as simple as exposing the bean within the application:
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter { public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) { protected void configure(HttpSecurity http) {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") authorizeRequests
.anyRequest().authenticated() .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
.and() .anyRequest().authenticated()
.oauth2ResourceServer() )
.opaqueToken() .oauth2ResourceServer(oauth2ResourceServer ->
.introspector(myIntrospector()); oauth2ResourceServer
.opaqueToken(opaqueToken ->
opaqueToken
.introspector(myIntrospector())
)
);
} }
} }
---- ----
@ -863,13 +890,18 @@ An authorization server's Introspection Uri can be configured <<oauth2resourcese
public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAdapter { public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) { protected void configure(HttpSecurity http) {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.oauth2ResourceServer() )
.opaqueToken() .oauth2ResourceServer(oauth2ResourceServer ->
.introspectionUri("https://idp.example.com/introspect") oauth2ResourceServer
.introspectionClientCredentials("client", "secret"); .opaqueToken(opaqueToken ->
opaqueToken
.introspectionUri("https://idp.example.com/introspect")
.introspectionClientCredentials("client", "secret")
)
);
} }
} }
---- ----
@ -887,12 +919,17 @@ More powerful than `introspectionUri()` is `introspector()`, which will complete
public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter { public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) { protected void configure(HttpSecurity http) {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.oauth2ResourceServer() )
.opaqueToken() .oauth2ResourceServer(oauth2ResourceServer ->
.introspector(myCustomIntrospector()); oauth2ResourceServer
.opaqueToken(opaqueToken ->
opaqueToken
.introspector(myCustomIntrospector())
)
);
} }
} }
---- ----
@ -1182,11 +1219,14 @@ And then specify this `AuthenticationManagerResolver` in the DSL:
[source,java] [source,java]
---- ----
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.oauth2ResourceServer() )
.authenticationManagerResolver(this.tokenAuthenticationManagerResolver); .oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.authenticationManagerResolver(this.tokenAuthenticationManagerResolver)
);
---- ----
[[oauth2resourceserver-multitenancy]] [[oauth2resourceserver-multitenancy]]
@ -1248,11 +1288,14 @@ And then specify this `AuthenticationManagerResolver` in the DSL:
[source,java] [source,java]
---- ----
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.oauth2ResourceServer() )
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver); .oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver)
);
---- ----
==== Resolving the Tenant By Claim ==== Resolving the Tenant By Claim
@ -1303,11 +1346,14 @@ public class TenantAuthenticationManagerResolver implements AuthenticationManage
[source,java] [source,java]
---- ----
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.oauth2ResourceServer() )
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver); .oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver)
);
---- ----
==== Parsing the Claim Only Once ==== Parsing the Claim Only Once
@ -1451,8 +1497,10 @@ To achieve this, you can wire a `HeaderBearerTokenResolver` instance into the DS
[source,java] [source,java]
---- ----
http http
.oauth2ResourceServer() .oauth2ResourceServer(oauth2ResourceServer ->
.bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion")); oauth2ResourceServer
.bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion"))
);
---- ----
==== Reading the Bearer Token from a Form Parameter ==== Reading the Bearer Token from a Form Parameter
@ -1464,8 +1512,10 @@ Or, you may wish to read the token from a form parameter, which you can do by co
DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver(); DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver();
resolver.setAllowFormEncodedBodyParameter(true); resolver.setAllowFormEncodedBodyParameter(true);
http http
.oauth2ResourceServer() .oauth2ResourceServer(oauth2ResourceServer ->
.bearerTokenResolver(resolver); oauth2ResourceServer
.bearerTokenResolver(resolver)
);
---- ----
=== Bearer Token Propagation === Bearer Token Propagation
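Review bot: The `DirectlyConfiguredIntrospectionUri` sample keeps the literal `.introspectionClientCredentials("client", "secret")` inside the new lambda, and documentation samples tend to be copied as they stand. A one-line comment above the call, such as `// sample values only: read the client id and secret from externalized configuration`, would make clear that the secret does not belong in source. The reactive sample of the same name earlier in this commit carries the same literal and would take the same comment.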


@ -85,10 +85,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.saml2Login() )
.saml2Login(withDefaults())
; ;
} }
} }
@ -104,11 +105,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.saml2Login() )
.relyingPartyRegistrationRepository(...) .saml2Login(saml2Login ->
saml2Login
.relyingPartyRegistrationRepository(...)
)
; ;
} }
} }
@ -258,11 +262,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
}; };
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.saml2Login() )
.addObjectPostProcessor(processor) .saml2Login(saml2Login ->
saml2Login
.addObjectPostProcessor(processor)
)
; ;
} }
} }
@ -284,11 +291,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
authProvider.setAuthoritiesMapper(AUTHORITIES_MAPPER); authProvider.setAuthoritiesMapper(AUTHORITIES_MAPPER);
authProvider.setAuthoritiesExtractor(AUTHORITIES_EXTRACTOR); authProvider.setAuthoritiesExtractor(AUTHORITIES_EXTRACTOR);
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.saml2Login() )
.authenticationManager(new ProviderManager(asList(authProvider))) .saml2Login(saml2Login ->
saml2Login
.authenticationManager(new ProviderManager(asList(authProvider)))
)
; ;
} }
} }
@ -309,11 +319,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
AuthenticationManager authenticationManager = new MySaml2AuthenticationManager(...); AuthenticationManager authenticationManager = new MySaml2AuthenticationManager(...);
http http
.authorizeRequests() .authorizeRequests(authorizeRequests ->
.anyRequest().authenticated() authorizeRequests
.and() .anyRequest().authenticated()
.saml2Login() )
.authenticationManager(authenticationManager) .saml2Login(saml2Login ->
saml2Login
.authenticationManager(authenticationManager)
)
; ;
} }
} }
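Review bot: `.saml2Login(withDefaults())` in the first hunk compiles only with a static import of `org.springframework.security.config.Customizer.withDefaults`. The hunk starts inside `SecurityConfig`, so whether the sample's import list carries it cannot be seen from here. If it does not, either add `import static org.springframework.security.config.Customizer.withDefaults;` to the sample or write the call as `.saml2Login(Customizer.withDefaults())`. The other hunks in this file pass explicit lambdas and are not affected.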