public abstract class WebSecurityConfigurerAdapter extends Object implements WebSecurityConfigurer<WebSecurity>
WebSecurityConfigurer
instance. The implementation allows customization by overriding methods.EnableWebSecurity
Modifier | Constructor and Description |
---|---|
protected |
WebSecurityConfigurerAdapter()
Creates an instance with the default configuration enabled.
|
protected |
WebSecurityConfigurerAdapter(boolean disableDefaults)
Creates an instance which allows specifying if the default configuration
should be enabled.
|
protected WebSecurityConfigurerAdapter()
protected WebSecurityConfigurerAdapter(boolean disableDefaults)
disableDefaults
- true if the default configuration should be enabled, else
falseprotected void configure(AuthenticationManagerBuilder auth) throws Exception
authenticationManager()
to
attempt to obtain an AuthenticationManager
. If overridden, the
AuthenticationManagerBuilder
should be used to specify the
AuthenticationManager
.
The authenticationManagerBean()
method can be used to expose the
resulting AuthenticationManager
as a Bean. The
userDetailsServiceBean()
can be used to expose the last
populated UserDetailsService
that is created with the
AuthenticationManagerBuilder
as a Bean. The
UserDetailsService
will also automatically be populated on
AbstractConfiguredSecurityBuilder.getSharedObject(Class)
for use with other
SecurityContextConfigurer
(i.e. RememberMeConfigurer )
For example, the following configuration could be used to register in
memory authentication that exposes an in memory
UserDetailsService
:
@Override protected void configure(AuthenticationManagerBuilder auth) { auth // enable in memory based authentication with a user named // "user" and "admin" .inMemoryAuthentication() .withUser("user").password("password").roles("USER").and() .withUser("admin").password("password").roles("USER", "ADMIN"); } // Expose the UserDetailsService as a Bean @Bean @Override public UserDetailsService userDetailsServiceBean() throws Exception { return super.userDetailsServiceBean(); }
auth
- the AuthenticationManagerBuilder
to useException
protected final HttpSecurity getHttp() throws Exception
HttpSecurity
or returns the current instanceHttpSecurity
Exception
public AuthenticationManager authenticationManagerBean() throws Exception
AuthenticationManager
from
configure(AuthenticationManagerBuilder)
to be exposed as
a Bean. For example:
@Bean(name name="myAuthenticationManager") @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); }
AuthenticationManager
Exception
protected AuthenticationManager authenticationManager() throws Exception
AuthenticationManager
to use. The default strategy is if
configure(AuthenticationManagerBuilder)
method is
overridden to use the AuthenticationManagerBuilder
that was passed in.
Otherwise, autowire the AuthenticationManager
by type.Exception
public UserDetailsService userDetailsServiceBean() throws Exception
UserDetailsService
created from
configure(AuthenticationManagerBuilder)
as a bean. In
general only the following override should be done of this method:
@Bean(name = "myUserDetailsService") // any or no name specified is allowed @Override public UserDetailsService userDetailsServiceBean() throws Exception { return super.userDetailsServiceBean(); }To change the instance returned, developers should change
userDetailsService()
insteadException
#userDetailsService()}
protected UserDetailsService userDetailsService()
UserDetailsService
from
userDetailsServiceBean()()
without interacting with the
ApplicationContext
. Developers should override this method when
changing the instance of userDetailsServiceBean()
.public void init(WebSecurity web) throws Exception
SecurityConfigurer
SecurityBuilder
. Here only shared state should be
created and modified, but not properties on the SecurityBuilder
used for building the object. This ensures that the
SecurityConfigurer.configure(SecurityBuilder)
method uses the correct shared
objects when building.init
in interface SecurityConfigurer<javax.servlet.Filter,WebSecurity>
Exception
public void configure(WebSecurity web) throws Exception
WebSecurity
. For
example, if you wish to ignore certain requests.configure
in interface SecurityConfigurer<javax.servlet.Filter,WebSecurity>
Exception
protected void configure(HttpSecurity http) throws Exception
HttpSecurity
.
Typically subclasses should not invoke this method by calling super
as it may override their configuration. The default configuration is:
http .authorizeRequests() .anyRequest().authenticated().and() .formLogin().and() .httpBasic();
http
- the HttpSecurity
to modifyException
- if an error occurs@Autowired public void setApplicationContext(ApplicationContext context)
@Autowired(required=false) public void setTrustResolver(AuthenticationTrustResolver trustResolver)
@Autowired(required=false) public void setContentNegotationStrategy(ContentNegotiationStrategy contentNegotiationStrategy)
@Autowired(required=false) public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor)