org.springframework.security.config.annotation.web.builders
Class WebSecurity

java.lang.Object
  org.springframework.security.config.annotation.AbstractSecurityBuilder<O>
      org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity>
          org.springframework.security.config.annotation.web.builders.WebSecurity

All Implemented Interfaces:

SecurityBuilder<javax.servlet.Filter>

public final class WebSecurity
extends AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity>
implements SecurityBuilder<javax.servlet.Filter>

The WebSecurity is created by WebSecurityConfiguration to create the FilterChainProxy known as the Spring Security Filter Chain (springSecurityFilterChain). The springSecurityFilterChain is the Filter that the DelegatingFilterProxy delegates to.

Customizations to the WebSecurity can be made by creating a WebSecurityConfigurer or more likely by overriding WebSecurityConfigurerAdapter.

Since:

3.2

See Also:

EnableWebSecurity, WebSecurityConfiguration

Nested Class Summary

class

WebSecurity.IgnoredRequestConfigurer Allows registering RequestMatcher instances that should be ignored by Spring Security.

Constructor Summary

WebSecurity()
Creates a new instance

Method Summary

WebSecurity	addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder) Adds builders to create SecurityFilterChain instances.
WebSecurity	debug(boolean debugEnabled) Controls debugging support for Spring Security.
WebSecurity	expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler) Set the SecurityExpressionHandler to be used.
SecurityExpressionHandler<FilterInvocation>	getExpressionHandler() Gets the SecurityExpressionHandler to be used.
WebInvocationPrivilegeEvaluator	getPrivilegeEvaluator() Gets the WebInvocationPrivilegeEvaluator to be used.
WebSecurity	httpFirewall(HttpFirewall httpFirewall) Allows customizing the HttpFirewall.
WebSecurity.IgnoredRequestConfigurer	ignoring() Allows adding RequestMatcher instances that should that Spring Security should ignore.
protected javax.servlet.Filter	performBuild() Subclasses must implement this method to build the object that is being returned.
WebSecurity	postBuildAction(Runnable postBuildAction) Executes the Runnable immediately after the build takes place
WebSecurity	privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator) Set the WebInvocationPrivilegeEvaluator to be used.
WebSecurity	securityInterceptor(FilterSecurityInterceptor securityInterceptor) Sets the FilterSecurityInterceptor.

Methods inherited from class org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder

apply, apply, beforeConfigure, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers, setSharedObject

Methods inherited from class org.springframework.security.config.annotation.AbstractSecurityBuilder

build, getObject

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.security.config.annotation.SecurityBuilder

build

Constructor Detail

WebSecurity

public WebSecurity()

Creates a new instance

See Also:

WebSecurityConfiguration

Method Detail

ignoring

public WebSecurity.IgnoredRequestConfigurer ignoring()

Allows adding RequestMatcher instances that should that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequest that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.

Example Usage:

 webSecurityBuilder
     .ignoring()
         // ignore all URLs that start with /resources/ or /static/
         .antMatchers("/resources/**", "/static/**");
 

Alternatively this will accomplish the same result:

 webSecurityBuilder
     .ignoring()
         // ignore all URLs that start with /resources/ or /static/
         .antMatchers("/resources/**")
         .antMatchers("/static/**");
 

Multiple invocations of ignoring() are also additive, so the following is also equivalent to the previous two examples: Alternatively this will accomplish the same result:

 webSecurityBuilder
     .ignoring()
         // ignore all URLs that start with /resources/
         .antMatchers("/resources/**");
 webSecurityBuilder
     .ignoring()
         // ignore all URLs that start with /static/
         .antMatchers("/static/**");
 // now both URLs that start with /resources/ and /static/ will be ignored
 

Returns:

the WebSecurity.IgnoredRequestConfigurer to use for registering request that should be ignored

httpFirewall

public WebSecurity httpFirewall(HttpFirewall httpFirewall)

Allows customizing the HttpFirewall. The default is DefaultHttpFirewall.

Parameters:

httpFirewall - the custom HttpFirewall

Returns:

the WebSecurity for further customizations

debug

public WebSecurity debug(boolean debugEnabled)

Controls debugging support for Spring Security.

Parameters:

debugEnabled - if true, enables debug support with Spring Security. Default is false.

Returns:

the WebSecurity for further customization.

See Also:

EnableWebSecurity.debug()

addSecurityFilterChainBuilder

public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder)

Adds builders to create SecurityFilterChain instances.

Typically this method is invoked automatically within the framework from WebSecurityConfigurerAdapter.init(WebSecurity)

Parameters:

securityFilterChainBuilder - the builder to use to create the SecurityFilterChain instances

Returns:

the WebSecurity for further customizations

privilegeEvaluator

public WebSecurity privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator)

Set the WebInvocationPrivilegeEvaluator to be used. If this is null, then a DefaultWebInvocationPrivilegeEvaluator will be created when securityInterceptor(FilterSecurityInterceptor) is non null.

Parameters:

privilegeEvaluator - the WebInvocationPrivilegeEvaluator to use

Returns:

the WebSecurity for further customizations

expressionHandler

public WebSecurity expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler)

Set the SecurityExpressionHandler to be used. If this is null, then a DefaultWebSecurityExpressionHandler will be used.

Parameters:

expressionHandler - the SecurityExpressionHandler to use

Returns:

the WebSecurity for further customizations

getExpressionHandler

public SecurityExpressionHandler<FilterInvocation> getExpressionHandler()

Gets the SecurityExpressionHandler to be used.

Returns:

getPrivilegeEvaluator

public WebInvocationPrivilegeEvaluator getPrivilegeEvaluator()

Gets the WebInvocationPrivilegeEvaluator to be used.

Returns:

securityInterceptor

public WebSecurity securityInterceptor(FilterSecurityInterceptor securityInterceptor)

Sets the FilterSecurityInterceptor. This is typically invoked by WebSecurityConfigurerAdapter.

Parameters:

securityInterceptor - the FilterSecurityInterceptor to use

Returns:

the WebSecurity for further customizations

postBuildAction

public WebSecurity postBuildAction(Runnable postBuildAction)

Executes the Runnable immediately after the build takes place

Parameters:

postBuildAction -

Returns:

the WebSecurity for further customizations

performBuild

protected javax.servlet.Filter performBuild()
                                     throws Exception

Description copied from class: AbstractConfiguredSecurityBuilder

Subclasses must implement this method to build the object that is being returned.

Specified by:

performBuild in class AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity>

Returns:

Throws:

Exception