126 lines
4.6 KiB
Plaintext
126 lines
4.6 KiB
Plaintext
= Configuration Migrations
|
|
|
|
The following steps relate to changes around how to configure `HttpSecurity`, `WebSecurity` and related components.
|
|
|
|
== Use the Lambda DSL
|
|
|
|
The Lambda DSL is present in Spring Security since version 5.2, and it allows HTTP security to be configured using lambdas.
|
|
|
|
You may have seen this style of configuration in the Spring Security documentation or samples.
|
|
Let us take a look at how a lambda configuration of HTTP security compares to the previous configuration style.
|
|
|
|
[source,java]
|
|
.Configuration using lambdas
|
|
----
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
public class SecurityConfig {
|
|
|
|
@Bean
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
http
|
|
.authorizeHttpRequests(authorize -> authorize
|
|
.requestMatchers("/blog/**").permitAll()
|
|
.anyRequest().authenticated()
|
|
)
|
|
.formLogin(formLogin -> formLogin
|
|
.loginPage("/login")
|
|
.permitAll()
|
|
)
|
|
.rememberMe(Customizer.withDefaults());
|
|
|
|
return http.build();
|
|
}
|
|
}
|
|
----
|
|
|
|
[source,java]
|
|
.Equivalent configuration without using lambdas
|
|
----
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
public class SecurityConfig {
|
|
|
|
@Bean
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
http
|
|
.authorizeHttpRequests()
|
|
.requestMatchers("/blog/**").permitAll()
|
|
.anyRequest().authenticated()
|
|
.and()
|
|
.formLogin()
|
|
.loginPage("/login")
|
|
.permitAll()
|
|
.and()
|
|
.rememberMe();
|
|
|
|
return http.build();
|
|
}
|
|
}
|
|
----
|
|
|
|
The Lambda DSL is the preferred way to configure Spring Security, the prior configuration style will not be valid in Spring Security 7 where the usage of the Lambda DSL will be required.
|
|
This has been done mainly for a couple of reasons:
|
|
|
|
- The previous way it was not clear what object was getting configured without knowing what the return type was.
|
|
The deeper the nesting the more confusing it became.
|
|
Even experienced users would think that their configuration was doing one thing when in fact, it was doing something else.
|
|
|
|
- Consistency.
|
|
Many code bases switched between the two styles which caused inconsistencies that made understanding the configuration difficult and often led to misconfigurations.
|
|
|
|
=== Lambda DSL Configuration Tips
|
|
|
|
When comparing the two samples above, you will notice some key differences:
|
|
|
|
- In the Lambda DSL there is no need to chain configuration options using the `.and()` method.
|
|
The `HttpSecurity` instance is automatically returned for further configuration after the call to the lambda method.
|
|
|
|
- `Customizer.withDefaults()` enables a security feature using the defaults provided by Spring Security.
|
|
This is a shortcut for the lambda expression `it -> {}`.
|
|
|
|
=== WebFlux Security
|
|
|
|
You may also configure WebFlux security using lambdas in a similar manner.
|
|
Below is an example configuration using lambdas.
|
|
|
|
[source,java]
|
|
.WebFlux configuration using lambdas
|
|
----
|
|
@Configuration
|
|
@EnableWebFluxSecurity
|
|
public class SecurityConfig {
|
|
|
|
@Bean
|
|
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
|
http
|
|
.authorizeExchange(exchanges -> exchanges
|
|
.pathMatchers("/blog/**").permitAll()
|
|
.anyExchange().authenticated()
|
|
)
|
|
.httpBasic(Customizer.withDefaults())
|
|
.formLogin(formLogin -> formLogin
|
|
.loginPage("/login")
|
|
);
|
|
|
|
return http.build();
|
|
}
|
|
|
|
}
|
|
----
|
|
|
|
=== Goals of the Lambda DSL
|
|
|
|
The Lambda DSL was created to accomplish to following goals:
|
|
|
|
- Automatic indentation makes the configuration more readable.
|
|
- There is no need to chain configuration options using `.and()`
|
|
- The Spring Security DSL has a similar configuration style to other Spring DSLs such as Spring Integration and Spring Cloud Gateway.
|
|
|
|
== Use `.with()` instead of `.apply()` for Custom DSLs
|
|
|
|
In versions prior to 6.2, if you had a xref:servlet/configuration/java.adoc#jc-custom-dsls[custom DSL], you would apply it to the `HttpSecurity` using the `HttpSecurity#apply(...)` method.
|
|
However, starting from version 6.2, this method is deprecated and will be removed in 7.0 because it will no longer be possible to chain configurations using `.and()` once `.and()` is removed (see https://github.com/spring-projects/spring-security/issues/13067).
|
|
Instead, it is recommended to use the new `.with(...)` method.
|
|
For more information about how to use `.with(...)` please refer to the xref:servlet/configuration/java.adoc#jc-custom-dsls[Custom DSLs section].
|