Package org.springframework.security.config.annotation.web.builders

Class WebSecurity

java.lang.Object

org.springframework.security.config.annotation.AbstractSecurityBuilder<O>

org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder<jakarta.servlet.Filter,WebSecurity>

org.springframework.security.config.annotation.web.builders.WebSecurity

All Implemented Interfaces:

org.springframework.beans.factory.Aware, org.springframework.context.ApplicationContextAware, SecurityBuilder<jakarta.servlet.Filter>, org.springframework.web.context.ServletContextAware

public final class WebSecurity
extends AbstractConfiguredSecurityBuilder<jakarta.servlet.Filter,WebSecurity>
implements SecurityBuilder<jakarta.servlet.Filter>, org.springframework.context.ApplicationContextAware, org.springframework.web.context.ServletContextAware

The WebSecurity is created by WebSecurityConfiguration to create the FilterChainProxy known as the Spring Security Filter Chain (springSecurityFilterChain). The springSecurityFilterChain is the Filter that the DelegatingFilterProxy delegates to.

Customizations to the WebSecurity can be made by creating a WebSecurityConfigurer or exposing a WebSecurityCustomizer bean.

Since:

3.2

See Also:

• EnableWebSecurity
• WebSecurityConfiguration

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
class	WebSecurity.IgnoredRequestConfigurer	Allows registering RequestMatcher instances that should be ignored by Spring Security.

Constructor Summary

Constructors

Constructor	Description
WebSecurity(ObjectPostProcessor<Object> objectPostProcessor)	Deprecated, for removal: This API element is subject to removal in a future version.
WebSecurity(ObjectPostProcessor<Object> objectPostProcessor)	Creates a new instance

Method Summary

Modifier and Type	Method	Description
WebSecurity	addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder)	Adds builders to create SecurityFilterChain instances.
WebSecurity	debug(boolean debugEnabled)	Controls debugging support for Spring Security.
WebSecurity	expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler)	Set the SecurityExpressionHandler to be used.
SecurityExpressionHandler<FilterInvocation>	getExpressionHandler()	Gets the SecurityExpressionHandler to be used.
WebInvocationPrivilegeEvaluator	getPrivilegeEvaluator()	Gets the WebInvocationPrivilegeEvaluator to be used.
WebSecurity	httpFirewall(HttpFirewall httpFirewall)	Allows customizing the HttpFirewall.
WebSecurity.IgnoredRequestConfigurer	ignoring()	Allows adding RequestMatcher instances that Spring Security should ignore.
protected jakarta.servlet.Filter	performBuild()	Subclasses must implement this method to build the object that is being returned.
WebSecurity	postBuildAction(Runnable postBuildAction)	Executes the Runnable immediately after the build takes place
WebSecurity	privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator)	Set the WebInvocationPrivilegeEvaluator to be used.
WebSecurity	requestRejectedHandler(RequestRejectedHandler requestRejectedHandler)	Sets the handler to handle RequestRejectedException
void	setApplicationContext(org.springframework.context.ApplicationContext applicationContext)
void	setServletContext(jakarta.servlet.ServletContext servletContext)

Methods inherited from class org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder

apply, beforeConfigure, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers, setSharedObject, with

Methods inherited from class org.springframework.security.config.annotation.AbstractSecurityBuilder

build, getObject

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.security.config.annotation.SecurityBuilder

build

Constructor Details

WebSecurity

public WebSecurity(ObjectPostProcessor<Object> objectPostProcessor)

Creates a new instance

Parameters:

objectPostProcessor - the ObjectPostProcessor to use

See Also:

• WebSecurityConfiguration

WebSecurity

@Deprecated(since="6.4",
            forRemoval=true)
public WebSecurity(ObjectPostProcessor<Object> objectPostProcessor)

Deprecated, for removal: This API element is subject to removal in a future version.

Method Details

ignoring

public WebSecurity.IgnoredRequestConfigurer ignoring()

Allows adding RequestMatcher instances that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequest that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.

Example Usage:

 webSecurityBuilder.ignoring()
 // ignore all URLs that start with /resources/ or /static/
                .requestMatchers("/resources/**", "/static/**");
 

Alternatively this will accomplish the same result:

 webSecurityBuilder.ignoring()
 // ignore all URLs that start with /resources/ or /static/
                .requestMatchers("/resources/**").requestMatchers("/static/**");
 

Multiple invocations of ignoring() are also additive, so the following is also equivalent to the previous two examples:

 webSecurityBuilder.ignoring()
 // ignore all URLs that start with /resources/
                .requestMatchers("/resources/**");
 webSecurityBuilder.ignoring()
 // ignore all URLs that start with /static/
                .requestMatchers("/static/**");
 // now both URLs that start with /resources/ and /static/ will be ignored
 

Returns:

the WebSecurity.IgnoredRequestConfigurer to use for registering request that should be ignored

httpFirewall

public WebSecurity httpFirewall(HttpFirewall httpFirewall)

Allows customizing the HttpFirewall. The default is StrictHttpFirewall.

Parameters:

httpFirewall - the custom HttpFirewall

Returns:

the WebSecurity for further customizations

debug

public WebSecurity debug(boolean debugEnabled)

Controls debugging support for Spring Security.

Parameters:

debugEnabled - if true, enables debug support with Spring Security. Default is false.

Returns:

the WebSecurity for further customization.

See Also:

• EnableWebSecurity.debug()

addSecurityFilterChainBuilder

public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder)

Adds builders to create SecurityFilterChain instances.

Typically this method is invoked automatically within the framework from WebSecurityConfiguration#springSecurityFilterChain()

Parameters:

securityFilterChainBuilder - the builder to use to create the SecurityFilterChain instances

Returns:

the WebSecurity for further customizations

privilegeEvaluator

public WebSecurity privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator)

Set the WebInvocationPrivilegeEvaluator to be used. If this is not specified, then a AuthorizationManagerWebInvocationPrivilegeEvaluator will be created based on the list of SecurityFilterChain.

Parameters:

privilegeEvaluator - the WebInvocationPrivilegeEvaluator to use

Returns:

the WebSecurity for further customizations

expressionHandler

public WebSecurity expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler)

Set the SecurityExpressionHandler to be used. If this is not specified, then a DefaultWebSecurityExpressionHandler will be used.

Parameters:

expressionHandler - the SecurityExpressionHandler to use

Returns:

the WebSecurity for further customizations

getExpressionHandler

public SecurityExpressionHandler<FilterInvocation> getExpressionHandler()

Gets the SecurityExpressionHandler to be used.

Returns:

the SecurityExpressionHandler for further customizations

getPrivilegeEvaluator

public WebInvocationPrivilegeEvaluator getPrivilegeEvaluator()

Gets the WebInvocationPrivilegeEvaluator to be used.

Returns:

the WebInvocationPrivilegeEvaluator for further customizations

postBuildAction

public WebSecurity postBuildAction(Runnable postBuildAction)

Executes the Runnable immediately after the build takes place

Parameters:

postBuildAction -

Returns:

the WebSecurity for further customizations

requestRejectedHandler

public WebSecurity requestRejectedHandler(RequestRejectedHandler requestRejectedHandler)

Sets the handler to handle RequestRejectedException

Parameters:

requestRejectedHandler -

Returns:

the WebSecurity for further customizations

Since:

5.7

performBuild

protected jakarta.servlet.Filter performBuild()
                                       throws Exception

Description copied from class: AbstractConfiguredSecurityBuilder

Subclasses must implement this method to build the object that is being returned.

Specified by:

performBuild in class AbstractConfiguredSecurityBuilder<jakarta.servlet.Filter,WebSecurity>

Returns:

the Object to be buit or null if the implementation allows it

Throws:

Exception

setApplicationContext

public void setApplicationContext(org.springframework.context.ApplicationContext applicationContext)
                           throws org.springframework.beans.BeansException

Specified by:

setApplicationContext in interface org.springframework.context.ApplicationContextAware

Throws:

org.springframework.beans.BeansException

setServletContext

public void setServletContext(jakarta.servlet.ServletContext servletContext)

Specified by:

setServletContext in interface org.springframework.web.context.ServletContextAware