117 lines
3.4 KiB
Plaintext
117 lines
3.4 KiB
Plaintext
= Configuration Migrations
|
|
|
|
The following steps relate to changes around how to configure `HttpSecurity`, `WebSecurity` and related components.
|
|
|
|
== Use the Lambda DSL
|
|
|
|
The Lambda DSL is present in Spring Security since version 5.2, and it allows HTTP security to be configured using lambdas.
|
|
|
|
The prior configuration style will not be valid in Spring Security 7 where the usage of the Lambda DSL will be required.
|
|
|
|
You may have seen this style of configuration in the Spring Security documentation or samples.
|
|
Let us take a look at how a lambda configuration of HTTP security compares to the previous configuration style.
|
|
|
|
====
|
|
[source,java]
|
|
.Configuration using lambdas
|
|
----
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
public class SecurityConfig {
|
|
|
|
@Bean
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
http
|
|
.authorizeHttpRequests(authorize -> authorize
|
|
.requestMatchers("/blog/**").permitAll()
|
|
.anyRequest().authenticated()
|
|
)
|
|
.formLogin(formLogin -> formLogin
|
|
.loginPage("/login")
|
|
.permitAll()
|
|
)
|
|
.rememberMe(Customizer.withDefaults());
|
|
|
|
return http.build();
|
|
}
|
|
}
|
|
----
|
|
====
|
|
|
|
====
|
|
[source,java]
|
|
.Equivalent configuration without using lambdas
|
|
----
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
public class SecurityConfig {
|
|
|
|
@Bean
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
http
|
|
.authorizeHttpRequests()
|
|
.requestMatchers("/blog/**").permitAll()
|
|
.anyRequest().authenticated()
|
|
.and()
|
|
.formLogin()
|
|
.loginPage("/login")
|
|
.permitAll()
|
|
.and()
|
|
.rememberMe();
|
|
|
|
return http.build();
|
|
}
|
|
}
|
|
----
|
|
====
|
|
|
|
=== Lambda DSL Configuration Tips
|
|
|
|
When comparing the two samples above, you will notice some key differences:
|
|
|
|
- In the Lambda DSL there is no need to chain configuration options using the `.and()` method.
|
|
The `HttpSecurity` instance is automatically returned for further configuration after the call to the lambda method.
|
|
|
|
- `Customizer.withDefaults()` enables a security feature using the defaults provided by Spring Security.
|
|
This is a shortcut for the lambda expression `it -> {}`.
|
|
|
|
=== WebFlux Security
|
|
|
|
You may also configure WebFlux security using lambdas in a similar manner.
|
|
Below is an example configuration using lambdas.
|
|
|
|
====
|
|
[source,java]
|
|
.WebFlux configuration using lambdas
|
|
----
|
|
@Configuration
|
|
@EnableWebFluxSecurity
|
|
public class SecurityConfig {
|
|
|
|
@Bean
|
|
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
|
http
|
|
.authorizeExchange(exchanges -> exchanges
|
|
.pathMatchers("/blog/**").permitAll()
|
|
.anyExchange().authenticated()
|
|
)
|
|
.httpBasic(Customizer.withDefaults())
|
|
.formLogin(formLogin -> formLogin
|
|
.loginPage("/login")
|
|
);
|
|
|
|
return http.build();
|
|
}
|
|
|
|
}
|
|
----
|
|
====
|
|
|
|
=== Goals of the Lambda DSL
|
|
|
|
The Lambda DSL was created to accomplish to following goals:
|
|
|
|
- Automatic indentation makes the configuration more readable.
|
|
- The is no need to chain configuration options using `.and()`
|
|
- The Spring Security DSL has a similar configuration style to other Spring DSLs such as Spring Integration and Spring Cloud Gateway.
|