For the latest stable version, please use Spring Security 6.2.4!

Kotlin Configuration

Spring Security provides a sample application to demonstrate the use of Spring Security Kotlin Configuration.

HttpSecurity

How does Spring Security know that we want to require all users to be authenticated? How does Spring Security know we want to support form-based authentication? There is a configuration class (called SecurityFilterChain) that is being invoked behind the scenes. It is configured with the following default implementation:

import org.springframework.security.config.annotation.web.invoke

@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
   http {
        authorizeRequests {
            authorize(anyRequest, authenticated)
        }
       formLogin { }
       httpBasic { }
    }
    return http.build()
}
Make sure that import the invoke function in your class, sometimes the IDE will not auto-import it causing compilation issues.

The default configuration (shown in the preceding listing):

  • Ensures that any request to our application requires the user to be authenticated

  • Lets users authenticate with form-based login

  • Lets users authenticate with HTTP Basic authentication

Note that this configuration is parallels the XML namespace configuration:

<http>
	<intercept-url pattern="/**" access="authenticated"/>
	<form-login />
	<http-basic />
</http>

Multiple HttpSecurity Instances

We can configure multiple HttpSecurity instances, just as we can have multiple <http> blocks. The key is to register multiple SecurityFilterChain @Beans. The following example has a different configuration for URL’s that start with /api/:

@Configuration
import org.springframework.security.config.annotation.web.invoke

@EnableWebSecurity
class MultiHttpSecurityConfig {
    @Bean                                                            (1)
    public fun userDetailsService(): UserDetailsService {
        val users: User.UserBuilder = User.withDefaultPasswordEncoder()
        val manager = InMemoryUserDetailsManager()
        manager.createUser(users.username("user").password("password").roles("USER").build())
        manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build())
        return manager
    }

    @Order(1)                                                        (2)
    @Bean
    open fun apiFilterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            securityMatcher("/api/**")                               (3)
            authorizeRequests {
                authorize(anyRequest, hasRole("ADMIN"))
            }
            httpBasic { }
        }
        return http.build()
    }

    @Bean                                                            (4)
    open fun formLoginFilterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            authorizeRequests {
                authorize(anyRequest, authenticated)
            }
            formLogin { }
        }
        return http.build()
    }
}
1 Configure Authentication as usual.
2 Create an instance of SecurityFilterChain that contains @Order to specify which SecurityFilterChain should be considered first.
3 The http.antMatcher states that this HttpSecurity is applicable only to URLs that start with /api/
4 Create another instance of SecurityFilterChain. If the URL does not start with /api/, this configuration is used. This configuration is considered after apiFilterChain, since it has an @Order value after 1 (no @Order defaults to last).