Package org.springframework.security.config.annotation.web.builders

Class HttpSecurity

java.lang.Object
org.springframework.security.config.annotation.AbstractSecurityBuilder<O>
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
org.springframework.security.config.annotation.web.builders.HttpSecurity
All Implemented Interfaces:
SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity>
public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity> implements SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity>
A HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration. It allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using authorizeHttpRequests(Customizer) or other similar methods.

Example Usage

The most basic form based configuration can be seen below. The configuration will require that any URL that is requested will require a User with the role "ROLE_USER". It also defines an in memory authentication scheme with a user that has the username "user", the password "password", and the role "ROLE_USER". For additional examples, refer to the Java Doc of individual methods on HttpSecurity. 
 @Configuration
 @EnableWebSecurity
 public class FormLoginSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorize) -> authorize
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .formLogin(withDefaults());
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
Since:
3.2
See Also:

  • Constructor Details

  • Method Details

    • headers

      public HttpSecurity headers(Customizer<HeadersConfigurer<HttpSecurity>> headersCustomizer)
      Adds the Security headers to the response. This is activated by default when using EnableWebSecurity.

      Example Configurations

      Accepting the default provided by EnableWebSecurity or only invoking headers(Customizer) without invoking additional methods on it, is the equivalent of: 
       @Configuration
 @EnableWebSecurity
 public class CsrfSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .headers((headers) ->
                                headers
                                        .contentTypeOptions(withDefaults())
                                        .xssProtection(withDefaults())
                                        .cacheControl(withDefaults())
                                        .httpStrictTransportSecurity(withDefaults())
                                        .frameOptions(withDefaults()
                        );
                return http.build();
        }
 }
      You can disable the headers using the following: 
       @Configuration
 @EnableWebSecurity
 public class CsrfSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .headers((headers) -> headers.disable());
                return http.build();
        }
 }
      You can enable only a few of the headers by first invoking HeadersConfigurer.defaultsDisabled() and then invoking the appropriate methods on the headers(Customizer) result. For example, the following will enable HeadersConfigurer.cacheControl(Customizer) and HeadersConfigurer.frameOptions(Customizer) only. 
       @Configuration
 @EnableWebSecurity
 public class CsrfSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .headers((headers) ->
                                headers
                                        .defaultsDisabled()
                                        .cacheControl(withDefaults())
                                        .frameOptions(withDefaults())
                        );
                return http.build();
        }
 }
      You can also choose to keep the defaults but explicitly disable a subset of headers. For example, the following will enable all the default headers except HeadersConfigurer.frameOptions(Customizer). 
       @Configuration
 @EnableWebSecurity
 public class CsrfSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
        http
                .headers((headers) ->
                        headers
                                .frameOptions((frameOptions) -> frameOptions.disable())
                );
                return http.build();
        }
 }
      Parameters:
      headersCustomizer - the Customizer to provide more options for the HeadersConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • cors

      public HttpSecurity cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer)
      Adds a CorsFilter to be used. If a bean by the name of corsFilter is provided, that CorsFilter is used. Else if corsConfigurationSource is defined, then that CorsConfiguration is used. You can enable CORS using: 
       @Configuration
 @EnableWebSecurity
 public class CorsSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .cors(withDefaults());
                return http.build();
        }
 }
      Parameters:
      corsCustomizer - the Customizer to provide more options for the CorsConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • sessionManagement

      public HttpSecurity sessionManagement(Customizer<SessionManagementConfigurer<HttpSecurity>> sessionManagementCustomizer)
      Allows configuring of Session Management.

      Example Configuration

      The following configuration demonstrates how to enforce that only a single instance of a user is authenticated at a time. If a user authenticates with the username "user" without logging out and an attempt to authenticate with "user" is made the first session will be forcibly terminated and sent to the "/login?expired" URL. 
       @Configuration
 @EnableWebSecurity
 public class SessionManagementSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .anyRequest().hasRole("USER")
                        )
                        .formLogin((formLogin) ->
                                formLogin
                                        .permitAll()
                        )
                        .sessionManagement((sessionManagement) ->
                                sessionManagement
                                        .sessionConcurrency((sessionConcurrency) ->
                                                sessionConcurrency
                                                        .maximumSessions(1)
                                                        .expiredUrl("/login?expired")
                                        )
                        );
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      When using SessionManagementConfigurer.maximumSessions(int), do not forget to configure HttpSessionEventPublisher for the application to ensure that expired sessions are cleaned up. In a web.xml this can be configured using the following: 
       <listener>
      <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
 </listener>
      Alternatively, AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher() could return true.
      Parameters:
      sessionManagementCustomizer - the Customizer to provide more options for the SessionManagementConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • portMapper

      public HttpSecurity portMapper(Customizer<PortMapperConfigurer<HttpSecurity>> portMapperCustomizer)
      Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). Other provided SecurityConfigurer objects use this configured PortMapper as a default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to HTTP (for example when used in combination with requiresChannel(Customizer) )}. By default Spring Security uses a PortMapperImpl which maps the HTTP port 8080 to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.

      Example Configuration

      The following configuration will ensure that redirects within Spring Security from HTTP of a port of 9090 will redirect to HTTPS port of 9443 and the HTTP port of 80 to the HTTPS port of 443. 
       @Configuration
 @EnableWebSecurity
 public class PortMapperSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .requiresChannel((requiresChannel) ->
                                requiresChannel
                                        .anyRequest().requiresSecure()
                        )
                        .portMapper((portMapper) ->
                                portMapper
                                        .http(9090).mapsTo(9443)
                                        .http(80).mapsTo(443)
                        );
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      Parameters:
      portMapperCustomizer - the Customizer to provide more options for the PortMapperConfigurer
      Returns:
      the HttpSecurity for further customizations
      See Also:

    • jee

      public HttpSecurity jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer)
      Configures container based pre authentication. In this case, authentication is managed by the Servlet Container.

      Example Configuration

      The following configuration will use the principal found on the HttpServletRequest and if the user is in the role "ROLE_USER" or "ROLE_ADMIN" will add that to the resulting Authentication. 
       @Configuration
 @EnableWebSecurity
 public class JeeSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .jee((jee) ->
                                jee
                                        .mappableRoles("USER", "ADMIN")
                        );
                return http.build();
        }
 }
      Developers wishing to use pre authentication with the container will need to ensure their web.xml configures the security constraints. For example, the web.xml (there is no equivalent Java based configuration supported by the Servlet specification) might look like: 
       <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
         <form-login-page>/login</form-login-page>
         <form-error-page>/login?error</form-error-page>
     </form-login-config>
 </login-config>

 <security-role>
     <role-name>ROLE_USER</role-name>
 </security-role>
 <security-constraint>
     <web-resource-collection>
     <web-resource-name>Public</web-resource-name>
         <description>Matches unconstrained pages</description>
         <url-pattern>/login</url-pattern>
         <url-pattern>/logout</url-pattern>
         <url-pattern>/resources/*</url-pattern>
     </web-resource-collection>
 </security-constraint>
 <security-constraint>
     <web-resource-collection>
         <web-resource-name>Secured Areas</web-resource-name>
         <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
         <role-name>ROLE_USER</role-name>
     </auth-constraint>
 </security-constraint>
      Last you will need to configure your container to contain the user with the correct roles. This configuration is specific to the Servlet Container, so consult your Servlet Container's documentation.
      Parameters:
      jeeCustomizer - the Customizer to provide more options for the JeeConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • x509

      public HttpSecurity x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer)
      Configures X509 based pre authentication.

      Example Configuration

      The following configuration will attempt to extract the username from the X509 certificate. Remember that the Servlet Container will need to be configured to request client certificates in order for this to work. 
       @Configuration
 @EnableWebSecurity
 public class X509SecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .x509(withDefaults());
                return http.build();
        }
 }
      Parameters:
      x509Customizer - the Customizer to provide more options for the X509Configurer
      Returns:
      the HttpSecurity for further customizations @

    • rememberMe

      public HttpSecurity rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> rememberMeCustomizer)
      Allows configuring of Remember Me authentication.

      Example Configuration

      The following configuration demonstrates how to allow token based remember me authentication. Upon authenticating if the HTTP parameter named "remember-me" exists, then the user will be remembered even after their HttpSession expires. 
       @Configuration
 @EnableWebSecurity
 public class RememberMeSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .formLogin(withDefaults())
                        .rememberMe(withDefaults());
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      Parameters:
      rememberMeCustomizer - the Customizer to provide more options for the RememberMeConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • authorizeHttpRequests

      public HttpSecurity authorizeHttpRequests(Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer)
      Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).

      Example Configurations

      The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication to every URL and will grant access to both the user "admin" and "user". 
       @Configuration
 @EnableWebSecurity
 public class AuthorizeUrlsSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorize) -> authorize
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .formLogin(withDefaults());
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                UserDetails admin = User.withDefaultPasswordEncoder()
                        .username("admin")
                        .password("password")
                        .roles("ADMIN", "USER")
                        .build();
                return new InMemoryUserDetailsManager(user, admin);
        }
 }
      We can also configure multiple URLs. The configuration below requires authentication to every URL and will grant access to URLs starting with /admin/ to only the "admin" user. All other URLs either user can access. 
       @Configuration
 @EnableWebSecurity
 public class AuthorizeUrlsSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorize) -> authorize
                                        .requestMatchers("/admin/**").hasRole("ADMIN")
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .formLogin(withDefaults());
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                UserDetails admin = User.withDefaultPasswordEncoder()
                        .username("admin")
                        .password("password")
                        .roles("ADMIN", "USER")
                        .build();
                return new InMemoryUserDetailsManager(user, admin);
        }
 }
      Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping: 
       @Configuration
 @EnableWebSecurity
 public class AuthorizeUrlsSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorize) -> authorize
                                        .requestMatchers("/**").hasRole("USER")
                                        .requestMatchers("/admin/**").hasRole("ADMIN")
                        );
                return http.build();
        }
 }
      Parameters:
      authorizeHttpRequestsCustomizer - the Customizer to provide more options for the AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry
      Returns:
      the HttpSecurity for further customizations
      Since:
      5.5

    • requestCache

      public HttpSecurity requestCache(Customizer<RequestCacheConfigurer<HttpSecurity>> requestCacheCustomizer)
      Allows configuring the Request Cache. For example, a protected page (/protected) may be requested prior to authentication. The application will redirect the user to a login page. After authentication, Spring Security will redirect the user to the originally requested protected page (/protected). This is automatically applied when using EnableWebSecurity.

      Example Custom Configuration

      The following example demonstrates how to disable request caching. 
       @Configuration
 @EnableWebSecurity
 public class RequestCacheDisabledSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .requestCache((requestCache) ->
                                requestCache.disable()
                        );
                return http.build();
        }
 }
      Parameters:
      requestCacheCustomizer - the Customizer to provide more options for the RequestCacheConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • exceptionHandling

      public HttpSecurity exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer)
      Allows configuring exception handling. This is automatically applied when using EnableWebSecurity.

      Example Custom Configuration

      The following customization will ensure that users who are denied access are forwarded to the page "/errors/access-denied". 
       @Configuration
 @EnableWebSecurity
 public class ExceptionHandlingSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        // sample exception handling customization
                        .exceptionHandling((exceptionHandling) ->
                                exceptionHandling
                                        .accessDeniedPage("/errors/access-denied")
                        );
                return http.build();
        }
 }
      Parameters:
      exceptionHandlingCustomizer - the Customizer to provide more options for the ExceptionHandlingConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • securityContext

      public HttpSecurity securityContext(Customizer<SecurityContextConfigurer<HttpSecurity>> securityContextCustomizer)
      Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequest's. This is automatically applied when using EnableWebSecurity. The following customization specifies the shared SecurityContextRepository 
       @Configuration
 @EnableWebSecurity
 public class SecurityContextSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .securityContext((securityContext) ->
                                securityContext
                                        .securityContextRepository(SCR)
                        );
                return http.build();
        }
 }
      Parameters:
      securityContextCustomizer - the Customizer to provide more options for the SecurityContextConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • servletApi

      public HttpSecurity servletApi(Customizer<ServletApiConfigurer<HttpSecurity>> servletApiCustomizer)
      Integrates the HttpServletRequest methods with the values found on the SecurityContext. This is automatically applied when using EnableWebSecurity. You can disable it using: 
       @Configuration
 @EnableWebSecurity
 public class ServletApiSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .servletApi((servletApi) ->
                                servletApi.disable()
                        );
                return http.build();
        }
 }
      Parameters:
      servletApiCustomizer - the Customizer to provide more options for the ServletApiConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • csrf

      public HttpSecurity csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer)
      Enables CSRF protection. This is activated by default when using EnableWebSecurity. You can disable it using: 
       @Configuration
 @EnableWebSecurity
 public class CsrfSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .csrf((csrf) -> csrf.disable());
                return http.build();
        }
 }
      Parameters:
      csrfCustomizer - the Customizer to provide more options for the CsrfConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • logout

      public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer)
      Provides logout support. This is automatically applied when using EnableWebSecurity. The default is that accessing the URL "/logout" will log the user out by invalidating the HTTP Session, cleaning up any rememberMe(Customizer) authentication that was configured, clearing the SecurityContextHolder, and then redirect to "/login?success".

      Example Custom Configuration

      The following customization to log out when the URL "/custom-logout" is invoked. Log out will remove the cookie named "remove", not invalidate the HttpSession, clear the SecurityContextHolder, and upon completion redirect to "/logout-success". 
       @Configuration
 @EnableWebSecurity
 public class LogoutSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .formLogin(withDefaults())
                        // sample logout customization
                        .logout((logout) ->
                                logout.deleteCookies("remove")
                                        .invalidateHttpSession(false)
                                        .logoutUrl("/custom-logout")
                                        .logoutSuccessUrl("/logout-success")
                        );
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      Parameters:
      logoutCustomizer - the Customizer to provide more options for the LogoutConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • anonymous

      public HttpSecurity anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anonymousCustomizer)
      Allows configuring how an anonymous user is represented. This is automatically applied when used in conjunction with EnableWebSecurity. By default anonymous users will be represented with an AnonymousAuthenticationToken and contain the role "ROLE_ANONYMOUS".

      Example Configuration

      The following configuration demonstrates how to specify that anonymous users should contain the role "ROLE_ANON" instead. 
       @Configuration
 @EnableWebSecurity
 public class AnonymousSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .formLogin(withDefaults())
                        // sample anonymous customization
                        .anonymous((anonymous) ->
                                anonymous
                                        .authorities("ROLE_ANON")
                        );
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      The following demonstrates how to represent anonymous users as null. Note that this can cause NullPointerException in code that assumes anonymous authentication is enabled. 
       @Configuration
 @EnableWebSecurity
 public class AnonymousSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .formLogin(withDefaults())
                        // sample anonymous customization
                        .anonymous((anonymous) ->
                                anonymous.disable()
                        );
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      Parameters:
      anonymousCustomizer - the Customizer to provide more options for the AnonymousConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • formLogin

      public HttpSecurity formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> formLoginCustomizer)
      Specifies to support form based authentication. If FormLoginConfigurer.loginPage(String) is not specified a default login page will be generated.

      Example Configurations

      The most basic configuration defaults to automatically generating a login page at the URL "/login", redirecting to "/login?error" for authentication failure. The details of the login page can be found on FormLoginConfigurer.loginPage(String) 
       @Configuration
 @EnableWebSecurity
 public class FormLoginSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .formLogin(withDefaults());
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      The configuration below demonstrates customizing the defaults. 
       @Configuration
 @EnableWebSecurity
 public class FormLoginSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .formLogin((formLogin) ->
                                formLogin
                                        .usernameParameter("username")
                                        .passwordParameter("password")
                                        .loginPage("/authentication/login")
                                        .failureUrl("/authentication/login?failed")
                                        .loginProcessingUrl("/authentication/login/process")
                        );
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      Parameters:
      formLoginCustomizer - the Customizer to provide more options for the FormLoginConfigurer
      Returns:
      the HttpSecurity for further customizations
      See Also:

    • saml2Login

      public HttpSecurity saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> saml2LoginCustomizer)
      Configures authentication support using an SAML 2.0 Service Provider.

      The "authentication flow" is implemented using the Web Browser SSO Profile, using POST and REDIRECT bindings, as documented in the SAML V2.0 Core,Profiles and Bindings specifications.

      As a prerequisite to using this feature, is that you have a SAML v2.0 Identity Provider to provide an assertion. The representation of the Service Provider, the relying party, and the remote Identity Provider, the asserting party is contained within RelyingPartyRegistration.

      RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login().relyingPartyRegistrationRepository(..).

      The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the identity providers with a link that is capable of initiating the "authentication flow".

      Example Configuration

      The following example shows the minimal configuration required, using SimpleSamlPhp as the Authentication Provider. 
       @Configuration
 @EnableWebSecurity
 public class Saml2LoginSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .anyRequest().authenticated()
                        )
                        .saml2Login(withDefaults());
                return http.build();
        }

        @Bean
        public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
                return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
        }

        private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
                //remote IDP entity ID
                String idpEntityId = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php";
                //remote WebSSO Endpoint - Where to Send AuthNRequests to
                String webSsoEndpoint = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php";
                //local registration ID
                String registrationId = "simplesamlphp";
                //local entity ID - autogenerated based on URL
                String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
                //local signing (and decryption key)
                Saml2X509Credential signingCredential = getSigningCredential();
                //IDP certificate for verification of incoming messages
                Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
                return RelyingPartyRegistration.withRegistrationId(registrationId)
                                .remoteIdpEntityId(idpEntityId)
                                .idpWebSsoUrl(webSsoEndpoint)
                                .credential(signingCredential)
                                .credential(idpVerificationCertificate)
                                .localEntityIdTemplate(localEntityIdTemplate)
                                .build();
        }
 }

      Parameters:
      saml2LoginCustomizer - the Customizer to provide more options for the Saml2LoginConfigurer
      Returns:
      the HttpSecurity for further customizations
      Since:
      5.2

    • saml2Logout

      public HttpSecurity saml2Logout(Customizer<Saml2LogoutConfigurer<HttpSecurity>> saml2LogoutCustomizer)
      Configures logout support for an SAML 2.0 Relying Party.

      Implements the Single Logout Profile, using POST and REDIRECT bindings, as documented in the SAML V2.0 Core, Profiles and Bindings specifications.

      As a prerequisite to using this feature, is that you have a SAML v2.0 Asserting Party to sent a logout request to. The representation of the relying party and the asserting party is contained within RelyingPartyRegistration.

      RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login(Customizer).

      The default configuration provides an auto-generated logout endpoint at "/logout" and redirects to /login?logout when logout completes.

      Example Configuration

      The following example shows the minimal configuration required, using a hypothetical asserting party. 
              @EnableWebSecurity
        @Configuration
        public class Saml2LogoutSecurityConfig {
                @Bean
                public SecurityFilterChain web(HttpSecurity http)  {
                        http
                                .authorizeHttpRequests((authorize) -> authorize
                                        .anyRequest().authenticated()
                                )
                                .saml2Login(withDefaults())
                                .saml2Logout(withDefaults());
                        return http.build();
                }

                @Bean
                public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
                        RelyingPartyRegistration registration = RelyingPartyRegistrations
                                        .withMetadataLocation("https://ap.example.org/metadata")
                                        .registrationId("simple")
                                        .build();
                        return new InMemoryRelyingPartyRegistrationRepository(registration);
                }
        }

      Returns:
      the HttpSecurity for further customizations
      Since:
      5.6

    • saml2Metadata

      public HttpSecurity saml2Metadata(Customizer<Saml2MetadataConfigurer<HttpSecurity>> saml2MetadataConfigurer)
      Configures a SAML 2.0 metadata endpoint that presents relying party configurations in an <md:EntityDescriptor> payload.

      By default, the endpoints are /saml2/metadata and /saml2/metadata/{registrationId} though note that also /saml2/service-provider-metadata/{registrationId} is recognized for backward compatibility purposes.

      Example Configuration

      The following example shows the minimal configuration required, using a hypothetical asserting party. 
              @EnableWebSecurity
        @Configuration
        public class Saml2LogoutSecurityConfig {
                @Bean
                public SecurityFilterChain web(HttpSecurity http)  {
                        http
                                .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
                                .saml2Metadata(Customizer.withDefaults());
                        return http.build();
                }

                @Bean
                public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
                        RelyingPartyRegistration registration = RelyingPartyRegistrations
                                        .withMetadataLocation("https://ap.example.org/metadata")
                                        .registrationId("simple")
                                        .build();
                        return new InMemoryRelyingPartyRegistrationRepository(registration);
                }
        }
      Parameters:
      saml2MetadataConfigurer - the Customizer to provide more options for the Saml2MetadataConfigurer
      Returns:
      the HttpSecurity for further customizations
      Since:
      6.1

    • oauth2Login

      public HttpSecurity oauth2Login(Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginCustomizer)
      Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.

      The "authentication flow" is implemented using the Authorization Code Grant, as specified in the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0 specification.

      As a prerequisite to using this feature, you must register a client with a provider. The client registration information may than be used for configuring a ClientRegistration using a ClientRegistration.Builder.

      ClientRegistration(s) are composed within a ClientRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via oauth2Login().clientRegistrationRepository(..).

      The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the clients with a link that is capable of initiating the "authentication flow".

      Example Configuration

      The following example shows the minimal configuration required, using Google as the Authentication Provider. 
       @Configuration
 @EnableWebSecurity
 public class OAuth2LoginSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .anyRequest().authenticated()
                        )
                        .oauth2Login(withDefaults());
                return http.build();
        }

        @Bean
        public ClientRegistrationRepository clientRegistrationRepository() {
                return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
        }

        private ClientRegistration googleClientRegistration() {
                return ClientRegistration.withRegistrationId("google")
                        .clientId("google-client-id")
                        .clientSecret("google-client-secret")
                        .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                        .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                        .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                        .scope("openid", "profile", "email", "address", "phone")
                        .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
                        .tokenUri("https://www.googleapis.com/oauth2/v4/token")
                        .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
                        .userNameAttributeName(IdTokenClaimNames.SUB)
                        .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
                        .clientName("Google")
                        .build();
        }
 }

      For more advanced configuration, see OAuth2LoginConfigurer for available options to customize the defaults.

      Parameters:
      oauth2LoginCustomizer - the Customizer to provide more options for the OAuth2LoginConfigurer
      Returns:
      the HttpSecurity for further customizations
      See Also:

    • oidcLogout

      public OidcLogoutConfigurer<HttpSecurity> oidcLogout()

    • oidcLogout

      public HttpSecurity oidcLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oidcLogoutCustomizer)

    • oauth2Client

      public HttpSecurity oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>> oauth2ClientCustomizer)
      Configures OAuth 2.0 Client support.

      Example Configuration

      The following example demonstrates how to enable OAuth 2.0 Client support for all endpoints. 
       @Configuration
 @EnableWebSecurity
 public class OAuth2ClientSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .anyRequest().authenticated()
                        )
                        .oauth2Client(withDefaults());
                return http.build();
        }
 }
      Parameters:
      oauth2ClientCustomizer - the Customizer to provide more options for the OAuth2ClientConfigurer
      Returns:
      the HttpSecurity for further customizations
      See Also:

    • oauth2ResourceServer

      public HttpSecurity oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer)
      Configures OAuth 2.0 Resource Server support.

      Example Configuration

      The following example demonstrates how to configure a custom JWT authentication converter. 
       @Configuration
 @EnableWebSecurity
 public class OAuth2ResourceServerSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .anyRequest().authenticated()
                        )
                        .oauth2ResourceServer((oauth2ResourceServer) ->
                                oauth2ResourceServer
                                        .jwt((jwt) ->
                                                jwt
                                                        .decoder(jwtDecoder())
                                        )
                        );
                return http.build();
        }

        @Bean
        public JwtDecoder jwtDecoder() {
                return NimbusJwtDecoder.withPublicKey(this.key).build();
        }
 }
      Parameters:
      oauth2ResourceServerCustomizer - the Customizer to provide more options for the OAuth2ResourceServerConfigurer
      Returns:
      the HttpSecurity for further customizations
      See Also:

    • oauth2AuthorizationServer

      public HttpSecurity oauth2AuthorizationServer(Customizer<OAuth2AuthorizationServerConfigurer> oauth2AuthorizationServerCustomizer)
      Configures OAuth 2.1 Authorization Server support.
      Parameters:
      oauth2AuthorizationServerCustomizer - the Customizer providing access to the OAuth2AuthorizationServerConfigurer for further customizations
      Returns:
      the HttpSecurity for further customizations
      Since:
      7.0
      See Also:

    • oneTimeTokenLogin

      public HttpSecurity oneTimeTokenLogin(Customizer<OneTimeTokenLoginConfigurer<HttpSecurity>> oneTimeTokenLoginConfigurerCustomizer)
      Configures One-Time Token Login Support.

      Example Configuration

       @Configuration
 @EnableWebSecurity
 public class SecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorize) -> authorize
                                        .anyRequest().authenticated()
                        )
                        .oneTimeTokenLogin(Customizer.withDefaults());
                return http.build();
        }

        @Bean
        public OneTimeTokenGenerationSuccessHandler oneTimeTokenGenerationSuccessHandler() {
                return new MyMagicLinkOneTimeTokenGenerationSuccessHandler();
        }

 }
      Parameters:
      oneTimeTokenLoginConfigurerCustomizer - the Customizer to provide more options for the OneTimeTokenLoginConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • requiresChannel

      @Deprecated public HttpSecurity requiresChannel(Customizer<ChannelSecurityConfigurer<HttpSecurity>.ChannelRequestMatcherRegistry> requiresChannelCustomizer)
      Deprecated.
      Use redirectToHttps(org.springframework.security.config.Customizer<org.springframework.security.config.annotation.web.configurers.HttpsRedirectConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>>)
      Configures channel security. In order for this configuration to be useful at least one mapping to a required channel must be provided.

      Example Configuration

      The example below demonstrates how to require HTTPs for every request. Only requiring HTTPS for some requests is supported, but not recommended since an application that allows for HTTP introduces many security vulnerabilities. For one such example, read about Firesheep. 
       @Configuration
 @EnableWebSecurity
 public class ChannelSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .formLogin(withDefaults())
                        .requiresChannel((requiresChannel) ->
                                requiresChannel
                                        .anyRequest().requiresSecure()
                        );
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      Parameters:
      requiresChannelCustomizer - the Customizer to provide more options for the ChannelSecurityConfigurer.ChannelRequestMatcherRegistry
      Returns:
      the HttpSecurity for further customizations

    • redirectToHttps

      public HttpSecurity redirectToHttps(Customizer<HttpsRedirectConfigurer<HttpSecurity>> httpsRedirectConfigurerCustomizer)
      Configures channel security. In order for this configuration to be useful at least one mapping to a required channel must be provided.

      Example Configuration

      The example below demonstrates how to require HTTPS for every request. Only requiring HTTPS for some requests is supported, for example if you need to differentiate between local and production deployments. 
       @Configuration
 @EnableWebSecurity
 public class RequireHttpsConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorize) -> authorize
                                anyRequest().authenticated()
                        )
                        .formLogin(withDefaults())
                        .redirectToHttps(withDefaults());
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      Parameters:
      httpsRedirectConfigurerCustomizer - the Customizer to provide more options for the HttpsRedirectConfigurer
      Returns:
      the HttpSecurity for further customizations

    • httpBasic

      public HttpSecurity httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> httpBasicCustomizer)
      Configures HTTP Basic authentication.

      Example Configuration

      The example below demonstrates how to configure HTTP Basic authentication for an application. The default realm is "Realm", but can be customized using HttpBasicConfigurer.realmName(String). 
       @Configuration
 @EnableWebSecurity
 public class HttpBasicSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests((authorizeHttpRequests) ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .httpBasic(withDefaults());
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      Parameters:
      httpBasicCustomizer - the Customizer to provide more options for the HttpBasicConfigurer
      Returns:
      the HttpSecurity for further customizations @

    • passwordManagement

      public HttpSecurity passwordManagement(Customizer<PasswordManagementConfigurer<HttpSecurity>> passwordManagementCustomizer)
      Adds support for the password management.

      Example Configuration

      The example below demonstrates how to configure password management for an application. The default change password page is "/change-password", but can be customized using PasswordManagementConfigurer.changePasswordPage(String). 
       @Configuration
 @EnableWebSecurity
 public class PasswordManagementSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .authorizeHttpRequests(authorizeHttpRequests ->
                                authorizeHttpRequests
                                        .requestMatchers("/**").hasRole("USER")
                        )
                        .passwordManagement(passwordManagement ->
                                passwordManagement
                                        .changePasswordPage("/custom-change-password-page")
                        );
                return http.build();
        }
 }
      Parameters:
      passwordManagementCustomizer - the Customizer to provide more options for the PasswordManagementConfigurer
      Returns:
      the HttpSecurity for further customizations
      Since:
      5.6

    • authenticationManager

      public HttpSecurity authenticationManager(AuthenticationManager authenticationManager)
      Configure the default AuthenticationManager.
      Parameters:
      authenticationManager - the AuthenticationManager to use
      Returns:
      the HttpSecurity for further customizations
      Since:
      5.6

    • setSharedObject

      public <C> void setSharedObject(Class<C> sharedType, C object)
      Description copied from class: AbstractConfiguredSecurityBuilder
      Sets an object that is shared by multiple SecurityConfigurer.
      Specified by:
      setSharedObject in interface HttpSecurityBuilder<HttpSecurity>
      Overrides:
      setSharedObject in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
      Parameters:
      sharedType - the Class to key the shared object by.
      object - the Object to store

    • beforeConfigure

      protected void beforeConfigure()
      Description copied from class: AbstractConfiguredSecurityBuilder
      Invoked prior to invoking each SecurityConfigurer.configure(SecurityBuilder) method. Subclasses may override this method to hook into the lifecycle without using a SecurityConfigurer.
      Overrides:
      beforeConfigure in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>

    • performBuild

      protected DefaultSecurityFilterChain performBuild()
      Description copied from class: AbstractConfiguredSecurityBuilder
      Subclasses must implement this method to build the object that is being returned.
      Specified by:
      performBuild in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
      Returns:
      the Object to be buit or null if the implementation allows it

    • authenticationProvider

      public HttpSecurity authenticationProvider(AuthenticationProvider authenticationProvider)
      Description copied from interface: HttpSecurityBuilder
      Allows adding an additional AuthenticationProvider to be used
      Specified by:
      authenticationProvider in interface HttpSecurityBuilder<HttpSecurity>
      Parameters:
      authenticationProvider - the AuthenticationProvider to be added
      Returns:
      the HttpSecurity for further customizations

    • userDetailsService

      public HttpSecurity userDetailsService(UserDetailsService userDetailsService)
      Description copied from interface: HttpSecurityBuilder
      Allows adding an additional UserDetailsService to be used
      Specified by:
      userDetailsService in interface HttpSecurityBuilder<HttpSecurity>
      Parameters:
      userDetailsService - the UserDetailsService to be added
      Returns:
      the HttpSecurity for further customizations

    • addFilterAfter

      public HttpSecurity addFilterAfter(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> afterFilter)
      Description copied from interface: HttpSecurityBuilder
      Allows adding a Filter after one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).
      Specified by:
      addFilterAfter in interface HttpSecurityBuilder<HttpSecurity>
      Parameters:
      filter - the Filter to register after the type afterFilter
      afterFilter - the Class of the known Filter.
      Returns:
      the HttpSecurity for further customizations

    • addFilterBefore

      public HttpSecurity addFilterBefore(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> beforeFilter)
      Description copied from interface: HttpSecurityBuilder
      Allows adding a Filter before one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).
      Specified by:
      addFilterBefore in interface HttpSecurityBuilder<HttpSecurity>
      Parameters:
      filter - the Filter to register before the type beforeFilter
      beforeFilter - the Class of the known Filter.
      Returns:
      the HttpSecurity for further customizations

    • addFilter

      public HttpSecurity addFilter(jakarta.servlet.Filter filter)
      Description copied from interface: HttpSecurityBuilder
      Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework. The method ensures that the ordering of the Filters is automatically taken care of. The ordering of the Filters is:
      Specified by:
      addFilter in interface HttpSecurityBuilder<HttpSecurity>
      Parameters:
      filter - the Filter to add
      Returns:
      the HttpSecurity for further customizations

    • addFilterAt

      public HttpSecurity addFilterAt(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> atFilter)
      Adds the Filter at the location of the specified Filter class. For example, if you want the filter CustomFilter to be registered in the same position as UsernamePasswordAuthenticationFilter, you can invoke: 
       addFilterAt(new CustomFilter(), UsernamePasswordAuthenticationFilter.class)
      Registration of multiple Filters in the same location means their ordering is not deterministic. More concretely, registering multiple Filters in the same location does not override existing Filters. Instead, do not register Filters you do not want to use.
      Parameters:
      filter - the Filter to register
      atFilter - the location of another Filter that is already registered (i.e. known) with Spring Security.
      Returns:
      the HttpSecurity for further customizations

    • securityMatchers

      public HttpSecurity securityMatchers(Customizer<HttpSecurity.RequestMatcherConfigurer> requestMatcherCustomizer)
      Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using securityMatcher(String...), or securityMatcher(RequestMatcher).

      Invoking securityMatchers(Customizer) will not override previous invocations of #securityMatchers()}, securityMatchers(Customizer) securityMatcher(String...) and securityMatcher(RequestMatcher)

      Example Configurations

      The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/". 
       @Configuration
 @EnableWebSecurity
 public class RequestMatchersSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .securityMatchers((matchers) -> matchers
                                .requestMatchers("/api/**", "/oauth/**")
                        )
                        .authorizeHttpRequests((authorize) -> authorize
                                .anyRequest().hasRole("USER")
                        )
                        .httpBasic(withDefaults());
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      The configuration below is the same as the previous configuration. 
       @Configuration
 @EnableWebSecurity
 public class RequestMatchersSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .securityMatchers((matchers) -> matchers
                                .requestMatchers("/api/**")
                                .requestMatchers("/oauth/**")
                        )
                        .authorizeHttpRequests((authorize) -> authorize
                                .anyRequest().hasRole("USER")
                        )
                        .httpBasic(withDefaults());
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      The configuration below is also the same as the above configuration. 
       @Configuration
 @EnableWebSecurity
 public class RequestMatchersSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        .securityMatchers((matchers) -> matchers
                                .requestMatchers("/api/**")
                        )
                        .securityMatchers((matchers) -> matchers
                                .requestMatchers("/oauth/**")
                        )
                        .authorizeHttpRequests((authorize) -> authorize
                                .anyRequest().hasRole("USER")
                        )
                        .httpBasic(withDefaults());
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
      Parameters:
      requestMatcherCustomizer - the Customizer to provide more options for the HttpSecurity.RequestMatcherConfigurer
      Returns:
      the HttpSecurity for further customizations

    • securityMatcher

      public HttpSecurity securityMatcher(RequestMatcher requestMatcher)
      Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher. If more advanced configuration is necessary, consider using securityMatchers(Customizer) ()}.

      Invoking securityMatcher(RequestMatcher) will override previous invocations of securityMatcher(RequestMatcher), securityMatcher(String...), securityMatchers(Customizer) and #securityMatchers()

      Parameters:
      requestMatcher - the RequestMatcher to use, for example, PathPatternRequestMatcher.pathPattern(HttpMethod.GET, "/admin/**")
      Returns:
      the HttpSecurity for further customizations
      See Also:

    • securityMatcher

      public HttpSecurity securityMatcher(String... patterns)
      Allows configuring the HttpSecurity to only be invoked when matching the provided set of patterns. See PathPattern for matching rules

      Invoking securityMatcher(String...) will override previous invocations of securityMatcher(String...) (String)}}, securityMatcher(RequestMatcher) ()}, securityMatchers(Customizer) (String)} and #securityMatchers() (String)}.

      Parameters:
      patterns - the pattern to match on (i.e. "/admin/**")
      Returns:
      the HttpSecurity for further customizations
      See Also:

    • webAuthn

      public HttpSecurity webAuthn(Customizer<WebAuthnConfigurer<HttpSecurity>> webAuthn)
      Specifies webAuthn/passkeys based authentication. 
              @Bean
        SecurityFilterChain securityFilterChain(HttpSecurity http)  {
                http
                        // ...
                        .webAuthn((webAuthn) -> webAuthn
                                .rpId("example.com")
                                .allowedOrigins("https://example.com")
                        );
                return http.build();
        }
      Parameters:
      webAuthn - the customizer to apply
      Returns:
      the HttpSecurity for further customizations @