From 4e46f6626a105401bf6aeadb21914963dc288d21 Mon Sep 17 00:00:00 2001 From: timis1 <12120641+timis1@users.noreply.github.com> Date: Mon, 15 Jan 2024 22:13:28 +0200 Subject: [PATCH] JAVA-29307 Upgrade spring-security-web-boot-4 (#15631) * JAVA-29307 Upgrade spring-security-web-boot-4 * JAVA-29307 Changes after review --------- Co-authored-by: timis1 --- .../spring-security-web-boot-4/pom.xml | 7 +++- .../configuration/AuthenticationFilter.java | 12 +++--- .../configuration/AuthenticationService.java | 3 +- .../configuration/SecurityConfig.java | 20 ++++----- .../configuration/SecurityConfig.java | 12 ++---- .../configuration/SecurityConfig.java | 41 ++++++++----------- 6 files changed, 43 insertions(+), 52 deletions(-) diff --git a/spring-security-modules/spring-security-web-boot-4/pom.xml b/spring-security-modules/spring-security-web-boot-4/pom.xml index b5bfc55a9f..86061b9b2b 100644 --- a/spring-security-modules/spring-security-web-boot-4/pom.xml +++ b/spring-security-modules/spring-security-web-boot-4/pom.xml @@ -11,7 +11,8 @@ com.baeldung - spring-security-modules + parent-boot-3 + ../../parent-boot-3 0.0.1-SNAPSHOT @@ -36,4 +37,8 @@ + + com.baeldung.enablemethodsecurity.EnableMethodSecurityApplication + + \ No newline at end of file diff --git a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationFilter.java b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationFilter.java index aa4badcfb0..c9ac4e9186 100644 --- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationFilter.java +++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationFilter.java 
@@ -4,12 +4,12 @@ import org.springframework.http.MediaType;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.filter.GenericFilterBean;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;
diff --git a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationService.java b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationService.java
index c788f7cdd8..6816fc6ec8 100644
--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationService.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationService.java
@@ -3,7 +3,8 @@ package com.baeldung.apikeyauthentication.configuration;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
-import javax.servlet.http.HttpServletRequest;
+
+import jakarta.servlet.http.HttpServletRequest;
 public class AuthenticationService {
diff --git a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/SecurityConfig.java b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/SecurityConfig.java
index 0ce58d1bf8..d7a0cd5b28 100644
--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/SecurityConfig.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/SecurityConfig.java
@@ -2,8 +2,10 @@ package com.baeldung.apikeyauthentication.configuration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@@ -14,19 +16,11 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
- http.csrf()
- .disable()
- .authorizeRequests()
- .antMatchers("/**")
- .authenticated()
- .and()
- .httpBasic()
- .and()
- .sessionManagement()
- .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
- .and()
- .addFilterBefore(new AuthenticationFilter(),
- UsernamePasswordAuthenticationFilter.class);
+ http.csrf(AbstractHttpConfigurer::disable)
+ .authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> authorizationManagerRequestMatcherRegistry.requestMatchers("/**").authenticated())
+ .httpBasic(Customizer.withDefaults())
+ .sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+ .addFilterBefore(new AuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
 return http.build();
 }
diff --git a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/enablemethodsecurity/configuration/SecurityConfig.java b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/enablemethodsecurity/configuration/SecurityConfig.java
index a2549c9122..4764e3d565 100644
--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/enablemethodsecurity/configuration/SecurityConfig.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/enablemethodsecurity/configuration/SecurityConfig.java
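Review bot: The catch-all rule in the apikeyauthentication `filterChain` is written as `requestMatchers("/**")`, so the deny-by-default guarantee depends on how Spring Security 6 resolves a string pattern (MVC matcher when Spring MVC is on the classpath, Ant matcher otherwise). `anyRequest()` states the intent directly and is what the enablemethodsecurity config in this same commit uses: `.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())`. The short parameter name also reads better than `authorizationManagerRequestMatcherRegistry`; the same goes for the `sessionManagement` lambda here and in the other two SecurityConfig hunks. `httpBasic(Customizer.withDefaults())` is carried over unchanged, so Basic credentials remain a second authentication path beside the API-key filter; presumably that is intended, but if only the key should authenticate, the line should go or get a comment saying why it stays.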
@@ -15,6 +15,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@@ -55,14 +56,9 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
- http.csrf()
- .disable()
- .authorizeRequests()
- .anyRequest()
- .authenticated()
- .and()
- .sessionManagement()
- .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+ http.csrf(AbstractHttpConfigurer::disable)
+ .authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> authorizationManagerRequestMatcherRegistry.anyRequest().authenticated())
+ .sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
 return http.build();
 }
diff --git a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/securityfilterchain/configuration/SecurityConfig.java b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/securityfilterchain/configuration/SecurityConfig.java
index 5a8f4c1c02..9e8fb49247 100644
--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/securityfilterchain/configuration/SecurityConfig.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/securityfilterchain/configuration/SecurityConfig.java
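Review bot: Nothing in the enablemethodsecurity `filterChain` can establish an authentication: it requires `authenticated()` for every request and is stateless, but configures no `httpBasic`, form login or custom filter, so a real HTTP request would presumably always be rejected. The old chain had the same gap, so the migration does not introduce it, but the rewrite is the natural place to fix or document it. If the module is only meant to be exercised through method-security tests, say so in a comment above the chain; otherwise add `.httpBasic(Customizer.withDefaults())` (with its import), as the securityfilterchain config in this commit does.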
@@ -2,16 +2,20 @@ package com.baeldung.securityfilterchain.configuration;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
-import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
+@Configuration
 @EnableWebSecurity
-@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
+@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
 public class SecurityConfig {
 @Value("${spring.security.debug:false}")
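Review bot: `@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)` drops the old `prePostEnabled = true` without saying why. The new annotation enables pre/post annotations by default, so `@PreAuthorize` and `@PostAuthorize` checks stay active, but a reader comparing against the removed line cannot tell that from the code. A one-line comment above the annotation would make the reliance on the default explicit: `// prePostEnabled defaults to true in @EnableMethodSecurity`.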
@@ -19,32 +23,23 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
- http.csrf()
- .disable()
- .authorizeRequests()
- .antMatchers(HttpMethod.DELETE)
- .hasRole("ADMIN")
- .antMatchers("/admin/**")
- .hasAnyRole("ADMIN")
- .antMatchers("/user/**")
- .hasAnyRole("USER", "ADMIN")
- .antMatchers("/login/**")
- .permitAll()
- .anyRequest()
- .authenticated()
- .and()
- .httpBasic()
- .and()
- .sessionManagement()
- .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+ http.csrf(AbstractHttpConfigurer::disable)
+ .authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
+ authorizationManagerRequestMatcherRegistry.requestMatchers(HttpMethod.DELETE).hasRole("ADMIN")
+ .requestMatchers("/admin/**").hasAnyRole("ADMIN")
+ .requestMatchers("/user/**").hasAnyRole("USER", "ADMIN")
+ .requestMatchers("/login/**").permitAll()
+ .anyRequest().authenticated())
+ .httpBasic(Customizer.withDefaults())
+ .sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
 return http.build();
 }
 @Bean
 public WebSecurityCustomizer webSecurityCustomizer() {
- return (web) -> web.debug(securityDebug)
- .ignoring()
- .antMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/favicon.ico");
+ return web -> web.debug(securityDebug)
+ .ignoring()
+ .requestMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/favicon.ico");
 }
 }
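Review bot: `webSecurityCustomizer` still uses `web.ignoring()` for the static paths, which takes `/css/**`, `/js/**`, `/img/**`, `/lib/**` and `/favicon.ico` out of the filter chain entirely, so those responses get none of Spring Security's default response headers; the framework itself logs a warning recommending `permitAll` for this case. Since the matcher calls are being rewritten anyway, the static paths can move into `filterChain` as `.requestMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/favicon.ico").permitAll()` ahead of `.anyRequest().authenticated()`, leaving the customizer as `return web -> web.debug(securityDebug);`. The `HttpMethod.DELETE` rule comes first, so a DELETE on those paths would still require ADMIN. The `debug(securityDebug)` switch logs request details and deserves a comment that it should stay off outside local runs.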