From 3253f44784248cd4e522541b433a671792850f40 Mon Sep 17 00:00:00 2001 From: Amit Pandey Date: Sat, 6 Jan 2024 21:42:08 +0530 Subject: [PATCH] Java-29290 :- Upgrade spring-security-core-2 to use Spring Boot 3 (#15491) * Made changes to upgrade to Spring Boot 3 from Boot 2 * JAVA-29290 :- Changed to use @Import for initializing the config. * JAVA-29290 :- Made changes to use authorizeHttpRequests as authorizeRequests is deprecated * Minor formatting fixes * JAVA-29290 : Formatting changes --- .../spring-security-core-2/pom.xml | 7 ++- .../CustomWebSecurityConfigurer.java | 3 +- .../dsl/ClientErrorLoggingConfigurer.java | 8 ++-- .../dsl/ClientErrorLoggingFilter.java | 17 ++++--- .../java/com/baeldung/dsl/SecurityConfig.java | 11 ++--- .../security/CustomAccessDeniedHandler.java | 9 ++-- .../CustomAuthenticationFailureHandler.java | 9 ++-- .../CustomAuthenticationSuccessHandler.java | 13 +++-- .../security/SecurityConfig.java | 43 ++++++++--------- .../CustomAuthenticationEntryPoint.java | 7 ++- .../security/CustomSecurityConfig.java | 19 ++++---- .../DelegatedAuthenticationEntryPoint.java | 11 ++--- .../security/DelegatedSecurityConfig.java | 17 +++---- .../HttpSecurityConfig.java | 20 ++++---- .../SecurityConfiguration.java | 19 ++++---- .../WebSecurityConfig.java | 47 ++++++++++--------- .../java/com/baeldung/xss/SecurityConf.java | 14 ++++-- .../SecurityConfigUnitTest.java | 8 ++++ 18 files changed, 137 insertions(+), 145 deletions(-) diff --git a/spring-security-modules/spring-security-core-2/pom.xml b/spring-security-modules/spring-security-core-2/pom.xml index 54aac0d9a7..ace629eef1 100644 --- a/spring-security-modules/spring-security-core-2/pom.xml +++ b/spring-security-modules/spring-security-core-2/pom.xml @@ -10,12 +10,13 @@ com.baeldung - spring-security-modules + parent-boot-3 0.0.1-SNAPSHOT + ../../parent-boot-3 - 5.8.4 + com.baeldung.authresolver.AuthResolverApplication 
@@ -55,12 +56,10 @@ org.springframework.security spring-security-web - ${spring.security.version} org.springframework.security spring-security-core - ${spring.security.version} diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/authresolver/CustomWebSecurityConfigurer.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/authresolver/CustomWebSecurityConfigurer.java index b2450546b0..5b8bdfc4ac 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/authresolver/CustomWebSecurityConfigurer.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/authresolver/CustomWebSecurityConfigurer.java @@ -1,7 +1,8 @@ package com.baeldung.authresolver; import java.util.Collections; -import javax.servlet.http.HttpServletRequest; + +import jakarta.servlet.http.HttpServletRequest; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/ClientErrorLoggingConfigurer.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/ClientErrorLoggingConfigurer.java index 5a9479b664..da3e1314a9 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/ClientErrorLoggingConfigurer.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/ClientErrorLoggingConfigurer.java 
@@ -1,11 +1,11 @@ package com.baeldung.dsl; -import java.util.List; - import org.springframework.http.HttpStatus; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; -import org.springframework.security.web.access.intercept.FilterSecurityInterceptor; +import org.springframework.security.web.access.intercept.AuthorizationFilter; + +import java.util.List; public class ClientErrorLoggingConfigurer extends AbstractHttpConfigurer { @@ -26,7 +26,7 @@ public class ClientErrorLoggingConfigurer extends AbstractHttpConfigurer auth + .requestMatchers("/admin*") .hasAnyRole("ADMIN") .anyRequest() - .authenticated() - .and() - .formLogin() - .and() + .authenticated()) + .formLogin(Customizer.withDefaults()) .apply(clientErrorLogging()); return http.build(); } diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAccessDeniedHandler.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAccessDeniedHandler.java index a3d6aca9be..22ddc68eef 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAccessDeniedHandler.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAccessDeniedHandler.java 
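Review bot: `.requestMatchers("/admin*")` only guards single-segment paths such as `/admin` or `/adminPanel`; a request to `/admin/users` does not match it and drops through to `.anyRequest().authenticated()`, so any logged-in user reaches everything under `/admin/` with no `ROLE_ADMIN` check. If the admin area has sub-paths, widen the rule to `.requestMatchers("/admin*", "/admin/**")`, or document on that line that only the single `/admin` page is meant to be protected. The file and hunk headers for this fragment are missing from the extraction (the diffstat suggests it is the `filterChain` of `dsl/SecurityConfig.java`), so I am reading it in isolation; also note that `http.apply(...)` is deprecated in favour of `http.with(...)` from Spring Security 6.2 onward, which may or may not apply depending on the version `parent-boot-3` resolves to.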
@@ -1,13 +1,12 @@ package com.baeldung.exceptionhandler.security; -import java.io.IOException; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.web.access.AccessDeniedHandler; +import java.io.IOException; + public class CustomAccessDeniedHandler implements AccessDeniedHandler { @Override diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAuthenticationFailureHandler.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAuthenticationFailureHandler.java index 281f9d5289..5d44662a8a 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAuthenticationFailureHandler.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAuthenticationFailureHandler.java @@ -1,13 +1,12 @@ package com.baeldung.exceptionhandler.security; -import java.io.IOException; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import org.springframework.security.core.AuthenticationException; import org.springframework.security.web.authentication.AuthenticationFailureHandler; +import java.io.IOException; + public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler { @Override 
diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAuthenticationSuccessHandler.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAuthenticationSuccessHandler.java index 62cbdf8873..9991c47647 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAuthenticationSuccessHandler.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/CustomAuthenticationSuccessHandler.java @@ -1,17 +1,16 @@ package com.baeldung.exceptionhandler.security; -import java.io.IOException; - -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; - +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpSession; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.User; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; +import java.io.IOException; + public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler { @Override diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/SecurityConfig.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/SecurityConfig.java index 8cb855a365..0a861868c4 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/SecurityConfig.java 
+++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/exceptionhandler/security/SecurityConfig.java @@ -1,8 +1,10 @@ package com.baeldung.exceptionhandler.security; import org.springframework.context.annotation.Bean; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; 
@@ -41,30 +43,23 @@ public class SecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - http.csrf() - .disable() - .httpBasic() - .disable() - .authorizeRequests() - .antMatchers("/login") - .permitAll() - .antMatchers("/customError") - .permitAll() - .antMatchers("/access-denied") - .permitAll() - .antMatchers("/secured") - .hasRole("ADMIN") - .anyRequest() - .authenticated() - .and() - .formLogin() - .failureHandler(authenticationFailureHandler()) - .successHandler(authenticationSuccessHandler()) - .and() - .exceptionHandling() - .accessDeniedHandler(accessDeniedHandler()) - .and() - .logout(); + http.csrf(AbstractHttpConfigurer::disable) + .httpBasic(AbstractHttpConfigurer::disable) + .authorizeHttpRequests(auth -> auth + .requestMatchers("/login") + .permitAll() + .requestMatchers("/customError") + .permitAll() + .requestMatchers("/access-denied") + .permitAll() + .requestMatchers("/secured") + .hasRole("ADMIN") + .anyRequest() + .authenticated()) + .formLogin(form -> form.failureHandler(authenticationFailureHandler()) + .successHandler(authenticationSuccessHandler())) + .exceptionHandling(ex -> ex.accessDeniedHandler(accessDeniedHandler())) + .logout(Customizer.withDefaults()); return http.build(); } diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/CustomAuthenticationEntryPoint.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/CustomAuthenticationEntryPoint.java index 39e6d87c2a..95e642bfd0 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/CustomAuthenticationEntryPoint.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/CustomAuthenticationEntryPoint.java 
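Review bot: With `.csrf(AbstractHttpConfigurer::disable)` kept on the new side, `.logout(Customizer.withDefaults())` accepts a logout on any HTTP method, because Spring Security only restricts `/logout` to POST while a `CsrfConfigurer` is present, so a cross-site `GET /logout` (an image tag is enough) ends the victim's session, and the form-login and `/secured` POSTs are equally unprotected. This chain authenticates with form login and a server-side session rather than a stateless token, so CSRF protection should normally stay on: `.csrf(Customizer.withDefaults())`. If the module's MockMvc tests post to `/login` without a token, add `.with(csrf())` from `SecurityMockMvcRequestPostProcessors` to those requests instead of disabling it here. If disabling is deliberate for the article, say so next to the line, e.g. `// CSRF disabled only to keep the exception-handling sample minimal; do not copy into production`. The method body is fully inside the hunk.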
@@ -3,10 +3,9 @@ package com.baeldung.global.exceptionhandler.security; import java.io.IOException; import java.io.OutputStream; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; import org.springframework.security.core.AuthenticationException; diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/CustomSecurityConfig.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/CustomSecurityConfig.java index 7f84b08144..91cd63e7a4 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/CustomSecurityConfig.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/CustomSecurityConfig.java @@ -4,6 +4,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.core.userdetails.User; 
@@ -34,17 +35,13 @@ public class CustomSecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - http.requestMatchers() - .antMatchers("/login") - .and() - .authorizeRequests() - .anyRequest() - .hasRole("ADMIN") - .and() - .httpBasic() - .and() - .exceptionHandling() - .authenticationEntryPoint(authEntryPoint); + http.authorizeHttpRequests(auth -> auth + .requestMatchers("/login") + .authenticated() + .anyRequest() + .hasRole("ADMIN")) + .httpBasic(basic -> basic.authenticationEntryPoint(authEntryPoint)) + .exceptionHandling(Customizer.withDefaults()); return http.build(); } diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/DelegatedAuthenticationEntryPoint.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/DelegatedAuthenticationEntryPoint.java index d34ddfcdf3..1d02f86e6d 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/DelegatedAuthenticationEntryPoint.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/DelegatedAuthenticationEntryPoint.java @@ -1,11 +1,8 @@ package com.baeldung.global.exceptionhandler.security; -import java.io.IOException; - -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.security.core.AuthenticationException; 
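Review bot: The rewrite changes both the scope and the rule of this chain: the removed `http.requestMatchers().antMatchers("/login")` limited the whole `SecurityFilterChain` to `/login` (a security matcher) and required `ROLE_ADMIN` for it, whereas the new `authorizeHttpRequests` has no security matcher, so this chain now competes for every request in the application, and `/login` itself is downgraded from `.hasRole("ADMIN")` to `.authenticated()`. The Spring Security 6 equivalent of the old configuration is `http.securityMatcher("/login")` followed by `.authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ADMIN"))`. Since this module declares several `SecurityFilterChain` beans, a chain without a security matcher must be last by `@Order` or it shadows the others. The method body is fully inside the hunk.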
@@ -13,6 +10,8 @@ import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.stereotype.Component; import org.springframework.web.servlet.HandlerExceptionResolver; +import java.io.IOException; + @Component("delegatedAuthenticationEntryPoint") public class DelegatedAuthenticationEntryPoint implements AuthenticationEntryPoint { diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/DelegatedSecurityConfig.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/DelegatedSecurityConfig.java index 032ce82925..398def3ac4 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/DelegatedSecurityConfig.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/global/exceptionhandler/security/DelegatedSecurityConfig.java @@ -5,6 +5,7 @@ import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.core.userdetails.User; 
@@ -24,17 +25,11 @@ public class DelegatedSecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - http.requestMatchers() - .antMatchers("/login-handler") - .and() - .authorizeRequests() - .anyRequest() - .hasRole("ADMIN") - .and() - .httpBasic() - .and() - .exceptionHandling() - .authenticationEntryPoint(authEntryPoint); + http.authorizeHttpRequests(auth -> auth + .requestMatchers("/login-handler") + .hasRole("ADMIN")) + .httpBasic(basic -> basic.authenticationEntryPoint(authEntryPoint)) + .exceptionHandling(Customizer.withDefaults()); return http.build(); } diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/HttpSecurityConfig.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/HttpSecurityConfig.java index 414f782907..027b92d12b 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/HttpSecurityConfig.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/HttpSecurityConfig.java @@ -2,8 +2,10 @@ package com.baeldung.httpsecurityvswebsecurity; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer; import org.springframework.security.web.SecurityFilterChain; @Configuration 
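Review bot: The removed `requestMatchers().antMatchers("/login-handler")` scoped this chain to a single path; the new `authorizeHttpRequests` drops that scope and also has no `.anyRequest()` rule, and as of Spring Security 6 unmatched requests are denied by default, so whenever this chain is selected for anything other than `/login-handler` the outcome is a 401 from `authEntryPoint` rather than a fall-through to the chain that was meant to handle it. Restore the old behaviour with `http.securityMatcher("/login-handler")` and then `.authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ADMIN"))`, which also keeps the `@Order` imported in the earlier hunk meaningful. The method body is fully inside the hunk.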
@@ -13,18 +15,12 @@ public class HttpSecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // Given: HttpSecurity configured - - http.authorizeRequests() - .antMatchers("/public/**").permitAll() - .antMatchers("/admin/**").hasRole("ADMIN") - .anyRequest().authenticated() - .and() - .formLogin() - .loginPage("/login") - .permitAll() - .and() - .logout() - .permitAll(); + http.authorizeHttpRequests(auth -> auth + .requestMatchers("/public/**").permitAll() + .requestMatchers("/admin/**").hasRole("ADMIN") + .anyRequest().authenticated()) + .formLogin(form -> form.loginPage("/login").permitAll()) + .logout(LogoutConfigurer::permitAll); // When: Accessing specific URLs // Then: Access is granted based on defined rules diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/SecurityConfiguration.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/SecurityConfiguration.java index 5c0853e6f3..a48f3d3665 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/SecurityConfiguration.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/SecurityConfiguration.java @@ -26,7 +26,7 @@ public class SecurityConfiguration { @Bean public HttpFirewall allowHttpMethod() { - List allowedMethods = new ArrayList(); + List allowedMethods = new ArrayList<>(); allowedMethods.add("GET"); allowedMethods.add("POST"); StrictHttpFirewall firewall = new StrictHttpFirewall(); @@ -41,7 +41,7 @@ public class SecurityConfiguration { @Bean public WebSecurityCustomizer ignoringCustomizer() { - return (web) -> web.ignoring().antMatchers("/resources/**", "/static/**"); + return (web) -> web.ignoring().requestMatchers("/resources/**", "/static/**"); } @Bean 
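Review bot: `web.ignoring().requestMatchers("/resources/**", "/static/**")` removes those paths from the security filter chain entirely, so they receive none of the security headers (CSP, `X-Content-Type-Options`, cache-control) and Spring Security 6 logs a startup warning for each ignored pattern recommending `permitAll` instead. Prefer handling them inside `securityFilterChain`, e.g. `.requestMatchers("/resources/**", "/static/**").permitAll()` placed before the `/admin/**` rule, and delete `ignoringCustomizer`; the `StrictHttpFirewall` that restricts methods to GET and POST in the earlier hunk then still applies to them. The `allowHttpMethod` method continues below its hunk.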
@@ -65,13 +65,14 @@ public class SecurityConfiguration { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - http.authorizeHttpRequests((authorize) -> authorize.antMatchers("/admin/**") - .hasRole("ADMIN") - .anyRequest() - .permitAll()) - .httpBasic(withDefaults()) - .formLogin(withDefaults()) - .csrf(AbstractHttpConfigurer::disable); + http.authorizeHttpRequests((authorize) -> + authorize.requestMatchers("/admin/**") + .hasRole("ADMIN") + .anyRequest() + .permitAll()) + .httpBasic(withDefaults()) + .formLogin(withDefaults()) + .csrf(AbstractHttpConfigurer::disable); return http.build(); } diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/WebSecurityConfig.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/WebSecurityConfig.java index ec50069ba5..1c6bbf837d 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/WebSecurityConfig.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/httpsecurityvswebsecurity/WebSecurityConfig.java @@ -2,6 +2,7 @@ package com.baeldung.httpsecurityvswebsecurity; import org.springframework.context.annotation.Bean; import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.beans.factory.annotation.Autowired; 
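Review bot: `.csrf(AbstractHttpConfigurer::disable)` survives the rewrite while the chain keeps `.formLogin(withDefaults())`, session-backed authentication and `.anyRequest().permitAll()`, so every non-`/admin` endpoint that changes state accepts a cross-origin form post carrying the victim's session cookie, and `/admin/**` is protected only by the role check, not against forged requests from an admin's browser. Re-enable it with `.csrf(withDefaults())` (the static import is already used on the same chain) or, if it is disabled purely for the article's MockMvc calls, add `.with(csrf())` to those requests and leave a comment on this line saying why. The method body is fully inside the hunk.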
@@ -14,35 +15,37 @@ import org.springframework.security.web.SecurityFilterChain; @Configuration public class WebSecurityConfig { - @Autowired - private UserDetailsService userDetailsService; + @Autowired + private UserDetailsService userDetailsService; - @Bean - public BCryptPasswordEncoder bCryptPasswordEncoder() { - return new BCryptPasswordEncoder(); - } + @Bean + public BCryptPasswordEncoder bCryptPasswordEncoder() { + return new BCryptPasswordEncoder(); + } - @Bean - public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class); - authenticationManagerBuilder.userDetailsService(userDetailsService); - AuthenticationManager authenticationManager = authenticationManagerBuilder.build(); + AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject( + AuthenticationManagerBuilder.class); + authenticationManagerBuilder.userDetailsService(userDetailsService); + AuthenticationManager authenticationManager = authenticationManagerBuilder.build(); + http.setSharedObject(AuthenticationManager.class, authenticationManager); - http.authorizeRequests() - .antMatchers("/") + http.authorizeHttpRequests(auth -> auth + .requestMatchers("/") .permitAll() .anyRequest() - .authenticated() - .and() - .formLogin().and() - .authenticationManager(authenticationManager) - .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); + .authenticated()) + .formLogin(Customizer.withDefaults()) + .sessionManagement((session) -> session + .sessionCreationPolicy(SessionCreationPolicy.STATELESS) + ); - return http.build(); - } + return http.build(); + } - protected void configure(HttpSecurity http) throws Exception { + protected void configure(HttpSecurity http) throws Exception { - } + } } 
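Review bot: Replacing `.authenticationManager(authenticationManager)` with `http.setSharedObject(AuthenticationManager.class, authenticationManager)` is not equivalent: as far as I can tell, `HttpSecurity.beforeConfigure()` only honours a manager passed through `authenticationManager(...)` and otherwise calls `build()` again on the shared `AuthenticationManagerBuilder`, which this method has already built two lines earlier, so context startup should fail with `AlreadyBuiltException` — keep `http.authenticationManager(authenticationManager);`, which still exists in Spring Security 6. Independently, the `bCryptPasswordEncoder` bean declared in this hunk is never handed to the builder, so I believe the resulting `DaoAuthenticationProvider` uses the delegating encoder and rejects hashes stored without a `{bcrypt}` prefix; wire it with `authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());`. Also, `SessionCreationPolicy.STATELESS` together with `formLogin` means a successful login is not persisted across requests, so protected URLs keep redirecting to the login page, and the empty leftover `configure(HttpSecurity)` from `WebSecurityConfigurerAdapter` can be deleted. The class is fully inside the hunk.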
diff --git a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/xss/SecurityConf.java b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/xss/SecurityConf.java index 498d09194c..d6e812722b 100644 --- a/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/xss/SecurityConf.java +++ b/spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/xss/SecurityConf.java @@ -2,9 +2,11 @@ package com.baeldung.xss; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter; @Configuration public class SecurityConf { @@ -13,15 +15,17 @@ public class SecurityConf { public WebSecurityCustomizer webSecurityCustomizer() { // Ignoring here is only for this example. Normally people would apply their own authentication/authorization policies return (web) -> web.ignoring() - .antMatchers("/**"); + .requestMatchers("/**"); } @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - http.headers() - .xssProtection() - .and() - .contentSecurityPolicy("script-src 'self'"); + http.headers(headers -> + headers.xssProtection( + xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK) + ).contentSecurityPolicy( + cps -> cps.policyDirectives("script-src 'self'") + )); return http.build(); } } 
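Review bot: `web.ignoring().requestMatchers("/**")` makes the `filterChain` below dead code: ignored requests bypass the whole Spring Security filter chain, so the `Content-Security-Policy` and `X-XSS-Protection` headers configured a few lines later are never written for any request, and Spring Security 6 logs a startup warning recommending `permitAll` instead. Drop the `webSecurityCustomizer` bean and open the chain from inside it with `http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll())` before the `headers(...)` call, which keeps the header writers active. Separately, the new `XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK` deliberately re-enables the legacy XSS-auditor header that Spring Security 6 defaults to `0` and that OWASP now recommends disabling, because the auditor was abused for cross-site leaks before browsers removed it; unless the article specifically demonstrates that header, `HeaderValue.DISABLED` with the CSP as the real control is the safer choice. Both methods are fully inside the hunk.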
diff --git a/spring-security-modules/spring-security-core-2/src/test/java/com/baeldung/exceptionhandler/SecurityConfigUnitTest.java b/spring-security-modules/spring-security-core-2/src/test/java/com/baeldung/exceptionhandler/SecurityConfigUnitTest.java index ad35d575a5..49aaf836ed 100644 --- a/spring-security-modules/spring-security-core-2/src/test/java/com/baeldung/exceptionhandler/SecurityConfigUnitTest.java +++ b/spring-security-modules/spring-security-core-2/src/test/java/com/baeldung/exceptionhandler/SecurityConfigUnitTest.java @@ -5,10 +5,17 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; +import com.baeldung.exceptionhandler.security.CustomAccessDeniedHandler; +import com.baeldung.exceptionhandler.security.CustomAuthenticationFailureHandler; +import com.baeldung.global.exceptionhandler.controller.LoginController; +import com.baeldung.global.exceptionhandler.security.CustomAuthenticationEntryPoint; +import com.baeldung.global.exceptionhandler.security.DelegatedAuthenticationEntryPoint; import org.junit.jupiter.api.Test; import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.ImportAutoConfiguration; import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; +import org.springframework.context.annotation.Import; import org.springframework.security.test.context.support.WithMockUser; import org.springframework.test.context.junit4.SpringRunner; import org.springframework.test.web.servlet.MockMvc; @@ -17,6 +24,7 @@ import com.baeldung.exceptionhandler.security.SecurityConfig; @RunWith(SpringRunner.class) @WebMvcTest(SecurityConfig.class) +@Import(SecurityConfig.class) class SecurityConfigUnitTest { @Autowired private MockMvc mvc;
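Review bot: `@WebMvcTest(SecurityConfig.class)` passes a security configuration as the `controllers` value, which narrows the slice to a class that is not a controller and does nothing for the security beans; the added `@Import(SecurityConfig.class)` is what actually loads them, so the annotation should become plain `@WebMvcTest` (or name the controller under test). The test also mixes `@RunWith(SpringRunner.class)` from JUnit 4 with `org.junit.jupiter.api.Test`; under Jupiter `@RunWith` is ignored, and with the Boot 3 test starter JUnit 4 is no longer on the classpath unless added explicitly, so the `org.junit.runner` import may not even compile — `@WebMvcTest` already registers `SpringExtension`, so both JUnit 4 imports can go. Several newly added imports (`LoginController`, `CustomAuthenticationEntryPoint`, `DelegatedAuthenticationEntryPoint`, `ImportAutoConfiguration`, `CustomAccessDeniedHandler`, `CustomAuthenticationFailureHandler`) are not referenced in the visible part of the test and, if unused, should be removed so the slice does not suggest those beans are loaded. The rest of the class is outside the hunk.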