JAVA-29313 Upgrade spring-security-web-mvc-custom to spring-6 (#16152)
This commit is contained in:
parent
8cd148b5b0
commit
688005d0c5
@ -10,9 +10,9 @@
|
|||||||
|
|
||||||
<parent>
|
<parent>
|
||||||
<groupId>com.baeldung</groupId>
|
<groupId>com.baeldung</groupId>
|
||||||
<artifactId>parent-spring-5</artifactId>
|
<artifactId>parent-spring-6</artifactId>
|
||||||
<version>0.0.1-SNAPSHOT</version>
|
<version>0.0.1-SNAPSHOT</version>
|
||||||
<relativePath>../../parent-spring-5</relativePath>
|
<relativePath>../../parent-spring-6</relativePath>
|
||||||
</parent>
|
</parent>
|
||||||
|
|
||||||
<dependencies>
|
<dependencies>
|
||||||
@ -86,15 +86,15 @@
|
|||||||
</dependency>
|
</dependency>
|
||||||
<!-- web -->
|
<!-- web -->
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>javax.servlet</groupId>
|
<groupId>jakarta.servlet</groupId>
|
||||||
<artifactId>javax.servlet-api</artifactId>
|
<artifactId>jakarta.servlet-api</artifactId>
|
||||||
<version>${javax.servlet-api.version}</version>
|
<version>${jakarta.servlet-api.version}</version>
|
||||||
<scope>provided</scope>
|
<scope>provided</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>javax.servlet</groupId>
|
<groupId>jakarta.servlet.jsp.jstl</groupId>
|
||||||
<artifactId>jstl</artifactId>
|
<artifactId>jakarta.servlet.jsp.jstl-api</artifactId>
|
||||||
<version>${jstl.version}</version>
|
<version>${jakarta.jstl-api.version}</version>
|
||||||
<scope>runtime</scope>
|
<scope>runtime</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
<!-- util -->
|
<!-- util -->
|
||||||
@ -127,9 +127,9 @@
|
|||||||
<scope>test</scope>
|
<scope>test</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>javax.annotation</groupId>
|
<groupId>jakarta.annotation</groupId>
|
||||||
<artifactId>javax.annotation-api</artifactId>
|
<artifactId>jakarta.annotation-api</artifactId>
|
||||||
<version>${javax.annotation-api.version}</version>
|
<version>${jakarta.annotation-api.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
|
|
||||||
@ -173,7 +173,10 @@
|
|||||||
<properties>
|
<properties>
|
||||||
<!-- Maven plugins -->
|
<!-- Maven plugins -->
|
||||||
<cargo-maven2-plugin.version>1.6.1</cargo-maven2-plugin.version>
|
<cargo-maven2-plugin.version>1.6.1</cargo-maven2-plugin.version>
|
||||||
<javax.annotation-api.version>1.3.2</javax.annotation-api.version>
|
<jakarta.annotation-api.version>3.0.0-M1</jakarta.annotation-api.version>
|
||||||
|
<jakarta.servlet-api.version>6.1.0-M1</jakarta.servlet-api.version>
|
||||||
|
<jakarta.jstl-api.version>3.0.0</jakarta.jstl-api.version>
|
||||||
|
<spring-security.version>6.2.1</spring-security.version>
|
||||||
</properties>
|
</properties>
|
||||||
|
|
||||||
</project>
|
</project>
|
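Review bot: The new property values in the `<properties>` hunk pin pre-release milestones, `3.0.0-M1` for jakarta.annotation-api and `6.1.0-M1` for jakarta.servlet-api, rather than GA releases, so the build now depends on artifacts whose API can still change before release and which may not be what the container supplies. As far as I know Spring Security 6.2.x is built against the GA Servlet 6.0 and Annotations 2.1 lines, so `<jakarta.servlet-api.version>6.0.0</jakarta.servlet-api.version>` and `<jakarta.annotation-api.version>2.1.1</jakarta.annotation-api.version>` would be the safer pins unless a milestone-only API is actually needed. Both dependencies are `provided`, meaning the deployed container (cargo, per the plugin property above) ships the real implementation at runtime, so the API version should also be checked against what that container bundles.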
@ -5,9 +5,9 @@ import java.util.Collection;
|
|||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import jakarta.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import jakarta.servlet.http.HttpServletResponse;
|
||||||
import javax.servlet.http.HttpSession;
|
import jakarta.servlet.http.HttpSession;
|
||||||
|
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
@ -7,7 +7,7 @@ import org.springframework.security.core.userdetails.UserDetails;
|
|||||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||||
import org.springframework.stereotype.Service;
|
import org.springframework.stereotype.Service;
|
||||||
|
|
||||||
import javax.annotation.PostConstruct;
|
import jakarta.annotation.PostConstruct;
|
||||||
import java.util.*;
|
import java.util.*;
|
||||||
|
|
||||||
@Service
|
@Service
|
||||||
|
@ -6,6 +6,7 @@ import org.springframework.security.authentication.AuthenticationManager;
|
|||||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||||
import org.springframework.security.core.userdetails.User;
|
import org.springframework.security.core.userdetails.User;
|
||||||
import org.springframework.security.core.userdetails.UserDetails;
|
import org.springframework.security.core.userdetails.UserDetails;
|
||||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||||
@ -40,29 +41,20 @@ public class SecSecurityConfig {
|
|||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http.authorizeRequests()
|
http.authorizeHttpRequests(auth -> auth.requestMatchers("/anonymous*")
|
||||||
.antMatchers("/anonymous*")
|
|
||||||
.anonymous()
|
.anonymous()
|
||||||
.antMatchers("/login*")
|
.requestMatchers("/login*")
|
||||||
.permitAll()
|
.permitAll()
|
||||||
.anyRequest()
|
.anyRequest()
|
||||||
.authenticated()
|
.authenticated())
|
||||||
.and()
|
.formLogin(formLogin -> formLogin.loginPage("/login.html")
|
||||||
.formLogin()
|
.loginProcessingUrl("/login")
|
||||||
.loginPage("/login.html")
|
.successHandler(myAuthenticationSuccessHandler())
|
||||||
.loginProcessingUrl("/login")
|
.failureUrl("/login.html?error=true"))
|
||||||
.successHandler(myAuthenticationSuccessHandler())
|
.rememberMe(rememberMe -> rememberMe.key("uniqueAndSecret")
|
||||||
.failureUrl("/login.html?error=true")
|
.tokenValiditySeconds(86400))
|
||||||
.and()
|
.logout(logout -> logout.deleteCookies("JSESSIONID"))
|
||||||
.logout()
|
.csrf(AbstractHttpConfigurer::disable);
|
||||||
.deleteCookies("JSESSIONID")
|
|
||||||
.and()
|
|
||||||
.rememberMe()
|
|
||||||
.key("uniqueAndSecret")
|
|
||||||
.tokenValiditySeconds(86400)
|
|
||||||
.and()
|
|
||||||
.csrf()
|
|
||||||
.disable();
|
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
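Review bot: `.csrf(AbstractHttpConfigurer::disable)` at the end of the rewritten `filterChain` turns CSRF protection off for what is a browser, session-cookie application (form login, `JSESSIONID` logout, remember-me cookie), so any state-changing endpoint can be driven by a cross-site form post from a logged-in browser; the old chain disabled it too, but the rewrite is the point to either drop that line (the custom `/login.html` form would then need to submit the `_csrf` field) or record why it is off, e.g. `// CSRF deliberately disabled: this module's tests POST without a token`. In the same chain `rememberMe.key("uniqueAndSecret")` is a hard-coded signing key for the remember-me cookie; sourcing it from configuration rather than the repository keeps the value that validates those tokens out of version control. The method body is entirely inside this hunk.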
@ -5,7 +5,7 @@ import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
|
|||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import jakarta.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
import com.baeldung.web.dto.Foo;
|
import com.baeldung.web.dto.Foo;
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
@ -1,10 +1,5 @@
|
|||||||
package com.baeldung.web.controller;
|
package com.baeldung.web.controller;
|
||||||
|
|
||||||
import javax.annotation.Resource;
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
|
||||||
import javax.servlet.http.HttpSession;
|
|
||||||
|
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
@ -15,6 +10,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
|
|||||||
import org.springframework.web.bind.annotation.RequestMethod;
|
import org.springframework.web.bind.annotation.RequestMethod;
|
||||||
import org.springframework.web.bind.annotation.RequestParam;
|
import org.springframework.web.bind.annotation.RequestParam;
|
||||||
|
|
||||||
|
import jakarta.annotation.Resource;
|
||||||
|
import jakarta.servlet.http.HttpServletRequest;
|
||||||
|
import jakarta.servlet.http.HttpSession;
|
||||||
|
|
||||||
@Controller
|
@Controller
|
||||||
@RequestMapping(value = "/custom")
|
@RequestMapping(value = "/custom")
|
||||||
public class LoginController {
|
public class LoginController {
|
||||||
|
@ -2,8 +2,8 @@ package com.baeldung.web.interceptor;
|
|||||||
|
|
||||||
import java.util.Enumeration;
|
import java.util.Enumeration;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import jakarta.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import jakarta.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
package com.baeldung.web.interceptor;
|
package com.baeldung.web.interceptor;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import jakarta.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import jakarta.servlet.http.HttpServletResponse;
|
||||||
import javax.servlet.http.HttpSession;
|
import jakarta.servlet.http.HttpSession;
|
||||||
|
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
package com.baeldung.web.interceptor;
|
package com.baeldung.web.interceptor;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import jakarta.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import jakarta.servlet.http.HttpServletResponse;
|
||||||
import javax.servlet.http.HttpSession;
|
import jakarta.servlet.http.HttpSession;
|
||||||
|
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
@ -3,7 +3,7 @@ package com.baeldung.security.csrf;
|
|||||||
import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
|
import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
|
||||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
|
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
|
||||||
|
|
||||||
import javax.servlet.Filter;
|
import jakarta.servlet.Filter;
|
||||||
|
|
||||||
import com.baeldung.web.dto.Foo;
|
import com.baeldung.web.dto.Foo;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
|
@ -3,11 +3,13 @@ package com.baeldung.security.spring;
|
|||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
|
import org.springframework.security.config.Customizer;
|
||||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||||
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
||||||
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||||
import org.springframework.security.core.userdetails.User;
|
import org.springframework.security.core.userdetails.User;
|
||||||
import org.springframework.security.core.userdetails.UserDetails;
|
import org.springframework.security.core.userdetails.UserDetails;
|
||||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||||
@ -15,7 +17,7 @@ import org.springframework.security.web.SecurityFilterChain;
|
|||||||
|
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
@EnableGlobalMethodSecurity(prePostEnabled = true)
|
@EnableMethodSecurity
|
||||||
public class ManualSecurityConfig {
|
public class ManualSecurityConfig {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
@ -34,7 +36,7 @@ public class ManualSecurityConfig {
|
|||||||
@Bean
|
@Bean
|
||||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||||
return (web) -> web.ignoring()
|
return (web) -> web.ignoring()
|
||||||
.antMatchers("/resources/**");
|
.requestMatchers("/resources/**");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
@ -45,20 +47,13 @@ public class ManualSecurityConfig {
|
|||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http.authorizeRequests()
|
http.csrf(AbstractHttpConfigurer::disable)
|
||||||
.mvcMatchers("/custom/login")
|
.httpBasic(Customizer.withDefaults())
|
||||||
.permitAll()
|
.headers(headers -> headers.cacheControl((cacheControl) -> cacheControl.disable()))
|
||||||
.anyRequest()
|
.authorizeHttpRequests(auth -> auth.requestMatchers("/custom/login")
|
||||||
.authenticated()
|
.permitAll()
|
||||||
.and()
|
.anyRequest()
|
||||||
.httpBasic()
|
.authenticated());
|
||||||
.and()
|
|
||||||
.headers()
|
|
||||||
.cacheControl()
|
|
||||||
.disable()
|
|
||||||
.and()
|
|
||||||
.csrf()
|
|
||||||
.disable();
|
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
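Review bot: `web.ignoring().requestMatchers("/resources/**")` in `webSecurityCustomizer` keeps the entire filter chain off those paths, so static resources receive none of the default security headers, and Spring Security 6 logs a startup warning for exactly this pattern recommending `permitAll` instead. Moving the rule into the chain, `.authorizeHttpRequests(auth -> auth.requestMatchers("/resources/**").permitAll()` ahead of the existing matchers, and removing the customizer bean gives those paths the same header treatment as the rest of the application. The same `web.ignoring()` customizer is carried over unchanged in SecurityWithCsrfConfig, SecurityWithCsrfCookieConfig and SecurityWithoutCsrfConfig.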
@ -3,7 +3,7 @@ package com.baeldung.security.spring;
|
|||||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
|
||||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||||
|
|
||||||
import javax.servlet.http.HttpSession;
|
import jakarta.servlet.http.HttpSession;
|
||||||
|
|
||||||
import com.baeldung.spring.MvcConfig;
|
import com.baeldung.spring.MvcConfig;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
|
@ -3,11 +3,14 @@ package com.baeldung.security.spring;
|
|||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
|
import org.springframework.security.config.Customizer;
|
||||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||||
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
||||||
|
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
||||||
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||||
import org.springframework.security.core.userdetails.User;
|
import org.springframework.security.core.userdetails.User;
|
||||||
import org.springframework.security.core.userdetails.UserDetails;
|
import org.springframework.security.core.userdetails.UserDetails;
|
||||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||||
@ -15,7 +18,7 @@ import org.springframework.security.web.SecurityFilterChain;
|
|||||||
|
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
@EnableGlobalMethodSecurity(prePostEnabled = true)
|
@EnableMethodSecurity
|
||||||
public class SecurityWithCsrfConfig {
|
public class SecurityWithCsrfConfig {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
@ -40,22 +43,17 @@ public class SecurityWithCsrfConfig {
|
|||||||
@Bean
|
@Bean
|
||||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||||
return (web) -> web.ignoring()
|
return (web) -> web.ignoring()
|
||||||
.antMatchers("/resources/**");
|
.requestMatchers("/resources/**");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http.authorizeRequests()
|
http.httpBasic(Customizer.withDefaults())
|
||||||
.antMatchers("/auth/admin/*")
|
.headers(headers -> headers.cacheControl((cacheControl) -> cacheControl.disable()))
|
||||||
.hasAnyRole("ROLE_ADMIN")
|
.authorizeHttpRequests(auth -> auth.requestMatchers("/auth/admin/*")
|
||||||
.anyRequest()
|
.hasAnyRole("ADMIN")
|
||||||
.authenticated()
|
.anyRequest()
|
||||||
.and()
|
.authenticated());
|
||||||
.httpBasic()
|
|
||||||
.and()
|
|
||||||
.headers()
|
|
||||||
.cacheControl()
|
|
||||||
.disable();
|
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
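Review bot: The import of `EnableGlobalMethodSecurity` (kept as context directly after the `AuthenticationManagerBuilder` import) is now unused, because the class annotation became `@EnableMethodSecurity` and its import was added on the next line; the other three config classes in this commit replace the old import rather than keep it, so this one should be removed as well to stay consistent and to drop the deprecated type. Separately, `hasAnyRole("ADMIN")` in `filterChain` requires an authority named `ROLE_ADMIN`; this class's `userDetailsService` is outside the hunks, so it is worth confirming it grants the role via `.roles("ADMIN")` or `.authorities("ROLE_ADMIN")` rather than a bare `ADMIN` authority.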
@ -3,8 +3,9 @@ package com.baeldung.security.spring;
|
|||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
|
import org.springframework.security.config.Customizer;
|
||||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||||
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
||||||
@ -16,7 +17,7 @@ import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
|
|||||||
|
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
@EnableGlobalMethodSecurity(prePostEnabled = true)
|
@EnableMethodSecurity
|
||||||
public class SecurityWithCsrfCookieConfig {
|
public class SecurityWithCsrfCookieConfig {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
@ -41,26 +42,19 @@ public class SecurityWithCsrfCookieConfig {
|
|||||||
@Bean
|
@Bean
|
||||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||||
return (web) -> web.ignoring()
|
return (web) -> web.ignoring()
|
||||||
.antMatchers("/resources/**");
|
.requestMatchers("/resources/**");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http.authorizeRequests()
|
// Stateless API CSRF configuration
|
||||||
.antMatchers("/auth/admin/*")
|
http.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
|
||||||
.hasAnyRole("ROLE_ADMIN")
|
.httpBasic(Customizer.withDefaults())
|
||||||
.anyRequest()
|
.headers(headers -> headers.cacheControl((cacheControl) -> cacheControl.disable()))
|
||||||
.authenticated()
|
.authorizeHttpRequests(auth -> auth.requestMatchers("/auth/admin/*")
|
||||||
.and()
|
.hasAnyRole("ADMIN")
|
||||||
.httpBasic()
|
.anyRequest()
|
||||||
.and()
|
.authenticated());
|
||||||
.headers()
|
|
||||||
.cacheControl()
|
|
||||||
.disable()
|
|
||||||
// Stateless API CSRF configuration
|
|
||||||
.and()
|
|
||||||
.csrf()
|
|
||||||
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
|
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
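Review bot: `csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())` on its own behaves differently in Spring Security 6 than the 5.x chain it replaces: the token is loaded lazily, so the `XSRF-TOKEN` cookie is only written once something reads the token, and the default request handler expects a masked value back, so a JavaScript client that echoes the raw cookie into the `X-XSRF-TOKEN` header is rejected. As far as I can tell from the 6.x migration notes, the fix is to pair the repository with a request handler that accepts header-supplied tokens unmasked, the simplest form being `.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())`, plus a small filter that forces the token to load so the cookie is actually issued. The relocated `// Stateless API CSRF configuration` comment would be the natural place to state which of these this module relies on; the CSRF tests should confirm whether the cookie is still set after the upgrade.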
@ -3,11 +3,13 @@ package com.baeldung.security.spring;
|
|||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
|
import org.springframework.security.config.Customizer;
|
||||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||||
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
||||||
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||||
import org.springframework.security.core.userdetails.User;
|
import org.springframework.security.core.userdetails.User;
|
||||||
import org.springframework.security.core.userdetails.UserDetails;
|
import org.springframework.security.core.userdetails.UserDetails;
|
||||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||||
@ -15,7 +17,7 @@ import org.springframework.security.web.SecurityFilterChain;
|
|||||||
|
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
@EnableGlobalMethodSecurity(prePostEnabled = true)
|
@EnableMethodSecurity
|
||||||
public class SecurityWithoutCsrfConfig {
|
public class SecurityWithoutCsrfConfig {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
@ -28,11 +30,11 @@ public class SecurityWithoutCsrfConfig {
|
|||||||
public InMemoryUserDetailsManager userDetailsService() {
|
public InMemoryUserDetailsManager userDetailsService() {
|
||||||
UserDetails user = User.withUsername("user1")
|
UserDetails user = User.withUsername("user1")
|
||||||
.password("user1Pass")
|
.password("user1Pass")
|
||||||
.authorities("ROLE_USER")
|
.authorities("USER")
|
||||||
.build();
|
.build();
|
||||||
UserDetails admin = User.withUsername("admin")
|
UserDetails admin = User.withUsername("admin")
|
||||||
.password("adminPass")
|
.password("adminPass")
|
||||||
.authorities("ROLE_ADMIN")
|
.authorities("ADMIN")
|
||||||
.build();
|
.build();
|
||||||
return new InMemoryUserDetailsManager(user, admin);
|
return new InMemoryUserDetailsManager(user, admin);
|
||||||
}
|
}
|
||||||
@ -40,25 +42,18 @@ public class SecurityWithoutCsrfConfig {
|
|||||||
@Bean
|
@Bean
|
||||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||||
return (web) -> web.ignoring()
|
return (web) -> web.ignoring()
|
||||||
.antMatchers("/resources/**");
|
.requestMatchers("/resources/**");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http.authorizeRequests()
|
http.csrf(AbstractHttpConfigurer::disable)
|
||||||
.antMatchers("/auth/admin/*")
|
.httpBasic(Customizer.withDefaults())
|
||||||
.hasAnyRole("ROLE_ADMIN")
|
.headers(headers -> headers.cacheControl((cacheControl) -> cacheControl.disable()))
|
||||||
.anyRequest()
|
.authorizeHttpRequests(auth -> auth.requestMatchers("/auth/admin/*")
|
||||||
.authenticated()
|
.hasAnyRole("ADMIN")
|
||||||
.and()
|
.anyRequest()
|
||||||
.httpBasic()
|
.authenticated());
|
||||||
.and()
|
|
||||||
.headers()
|
|
||||||
.cacheControl()
|
|
||||||
.disable()
|
|
||||||
.and()
|
|
||||||
.csrf()
|
|
||||||
.disable();
|
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
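Review bot: `.authorities("ADMIN")` and `.authorities("USER")` in `userDetailsService` grant plain authorities, but `hasAnyRole("ADMIN")` in this class's `filterChain` checks for `ROLE_ADMIN` (hasAnyRole prepends the `ROLE_` prefix, which is also why the literal had to lose its prefix), so the admin user cannot satisfy the `/auth/admin/*` rule after this change. Either keep the prefix on the authority, `.authorities("ROLE_ADMIN")`, or switch to the role builder, `.roles("ADMIN")` and `.roles("USER")`, which adds it. If the same `.authorities(...)` edit was made in SecurityWithCsrfConfig and SecurityWithCsrfCookieConfig, whose `userDetailsService` bodies are outside these hunks, they need the same fix.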
@ -3,7 +3,7 @@ package com.baeldung.web.interceptor;
|
|||||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||||
|
|
||||||
import javax.servlet.http.HttpSession;
|
import jakarta.servlet.http.HttpSession;
|
||||||
|
|
||||||
import com.baeldung.security.spring.SecurityWithoutCsrfConfig;
|
import com.baeldung.security.spring.SecurityWithoutCsrfConfig;
|
||||||
import com.baeldung.spring.MvcConfig;
|
import com.baeldung.spring.MvcConfig;
|
||||||
|