Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use lambda DSL in all samples in documentation 

Issue: gh-7774
This commit is contained in:
Eleftheria Stein 2019-12-30 17:49:35 +01:00
parent 0295b51e78
commit f109388211
4 changed files with 225 additions and 134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc
View File

@ -217,12 +217,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.authorizeExchange(exchanges ->
exchanges
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.decoder(myCustomDecoder());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.decoder(myCustomDecoder())
)
);
return http.build();
}
----
@ -425,12 +430,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.authorizeExchange(exchanges ->
exchanges
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(grantedAuthoritiesExtractor());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.jwtAuthenticationConverter(grantedAuthoritiesExtractor())
)
);
return http.build();
}
@ -667,9 +677,10 @@ When use Opaque Token, this `SecurityWebFilterChain` looks like:
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.authorizeExchange(exchanges ->
exchanges
.anyExchange().authenticated()
.and()
)
.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)
return http.build();
}
@ -686,13 +697,18 @@ public class MyCustomSecurityConfiguration {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.authorizeExchange(exchanges ->
exchanges
.pathMatchers("/messages/**").hasAuthority("SCOPE_message:read")
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.opaqueToken()
.introspector(myIntrospector());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.opaqueToken(opaqueToken ->
opaqueToken
.introspector(myIntrospector())
)
);
return http.build();
}
}
@ -728,13 +744,18 @@ public class DirectlyConfiguredIntrospectionUri {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.authorizeExchange(exchanges ->
exchanges
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.opaqueToken()
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.opaqueToken(opaqueToken ->
opaqueToken
.introspectionUri("https://idp.example.com/introspect")
.introspectionClientCredentials("client", "secret");
.introspectionClientCredentials("client", "secret")
)
);
return http.build();
}
}
@ -754,12 +775,17 @@ public class DirectlyConfiguredIntrospector {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.authorizeExchange(exchanges ->
exchanges
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.opaqueToken()
.introspector(myCustomIntrospector());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.opaqueToken(opaqueToken ->
opaqueToken
.introspector(myCustomIntrospector())
)
);
return http.build();
}
}

4
docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc
View File

@ -140,9 +140,11 @@ or in Java configuration
[source,java]
----
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
...
)
----
[[el-access-web-path-variables]]

164
docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc
View File

@ -128,10 +128,11 @@ The first is a `WebSecurityConfigurerAdapter` that configures the app as a resou
----
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
)
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
}
----
@ -145,13 +146,18 @@ Replacing this is as simple as exposing the bean within the application:
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(myConverter());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.jwtAuthenticationConverter(myConverter())
)
);
}
}
----
@ -188,12 +194,17 @@ An authorization server's JWK Set Uri can be configured <<oauth2resourceserver-j
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwkSetUri("https://idp.example.com/.well-known/jwks.json");
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.jwkSetUri("https://idp.example.com/.well-known/jwks.json")
)
);
}
}
----
@ -211,12 +222,17 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.decoder(myCustomDecoder());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.decoder(myCustomDecoder())
)
);
}
}
----
@ -444,12 +460,17 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(grantedAuthoritiesExtractor());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.jwtAuthenticationConverter(grantedAuthoritiesExtractor())
)
);
}
}
@ -806,10 +827,11 @@ When use Opaque Token, this `WebSecurityConfigurerAdapter` looks like:
----
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken)
)
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
}
----
@ -823,13 +845,18 @@ Replacing this is as simple as exposing the bean within the application:
public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.opaqueToken()
.introspector(myIntrospector());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.opaqueToken(opaqueToken ->
opaqueToken
.introspector(myIntrospector())
)
);
}
}
----
@ -863,13 +890,18 @@ An authorization server's Introspection Uri can be configured <<oauth2resourcese
public class DirectlyConfiguredIntrospectionUri extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.opaqueToken()
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.opaqueToken(opaqueToken ->
opaqueToken
.introspectionUri("https://idp.example.com/introspect")
.introspectionClientCredentials("client", "secret");
.introspectionClientCredentials("client", "secret")
)
);
}
}
----
@ -887,12 +919,17 @@ More powerful than `introspectionUri()` is `introspector()`, which will complete
public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.opaqueToken()
.introspector(myCustomIntrospector());
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.opaqueToken(opaqueToken ->
opaqueToken
.introspector(myCustomIntrospector())
)
);
}
}
----
@ -1182,11 +1219,14 @@ And then specify this `AuthenticationManagerResolver` in the DSL:
[source,java]
----
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.authenticationManagerResolver(this.tokenAuthenticationManagerResolver);
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.authenticationManagerResolver(this.tokenAuthenticationManagerResolver)
);
----
[[oauth2resourceserver-multitenancy]]
@ -1248,11 +1288,14 @@ And then specify this `AuthenticationManagerResolver` in the DSL:
[source,java]
----
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver);
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver)
);
----
==== Resolving the Tenant By Claim
@ -1303,11 +1346,14 @@ public class TenantAuthenticationManagerResolver implements AuthenticationManage
[source,java]
----
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver);
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver)
);
----
==== Parsing the Claim Only Once
@ -1451,8 +1497,10 @@ To achieve this, you can wire a `HeaderBearerTokenResolver` instance into the DS
[source,java]
----
http
.oauth2ResourceServer()
.bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion"));
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion"))
);
----
==== Reading the Bearer Token from a Form Parameter
@ -1464,8 +1512,10 @@ Or, you may wish to read the token from a form parameter, which you can do by co
DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver();
resolver.setAllowFormEncodedBodyParameter(true);
http
.oauth2ResourceServer()
.bearerTokenResolver(resolver);
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.bearerTokenResolver(resolver)
);
----
=== Bearer Token Propagation

43
docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
View File

@ -85,10 +85,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.saml2Login()
)
.saml2Login(withDefaults())
;
}
}
@ -104,11 +105,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.saml2Login()
)
.saml2Login(saml2Login ->
saml2Login
.relyingPartyRegistrationRepository(...)
)
;
}
}
@ -258,11 +262,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
};
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.saml2Login()
)
.saml2Login(saml2Login ->
saml2Login
.addObjectPostProcessor(processor)
)
;
}
}
@ -284,11 +291,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
authProvider.setAuthoritiesMapper(AUTHORITIES_MAPPER);
authProvider.setAuthoritiesExtractor(AUTHORITIES_EXTRACTOR);
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.saml2Login()
)
.saml2Login(saml2Login ->
saml2Login
.authenticationManager(new ProviderManager(asList(authProvider)))
)
;
}
}
@ -309,11 +319,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
AuthenticationManager authenticationManager = new MySaml2AuthenticationManager(...);
http
.authorizeRequests()
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
.and()
.saml2Login()
)
.saml2Login(saml2Login ->
saml2Login
.authenticationManager(authenticationManager)
)
;
}
}