@Order(value=100) public abstract class WebSecurityConfigurerAdapter extends Object implements WebSecurityConfigurer<WebSecurity>
WebSecurityConfigurer
instance.
The implementation allows customization by overriding methods.EnableWebSecurity
Modifier | Constructor and Description |
---|---|
protected |
WebSecurityConfigurerAdapter()
Creates an instance with the default configuration enabled.
|
protected |
WebSecurityConfigurerAdapter(boolean disableDefaults)
Creates an instance which allows specifying if the default configuration should be
enabled.
|
protected WebSecurityConfigurerAdapter()
protected WebSecurityConfigurerAdapter(boolean disableDefaults)
disableDefaults
- true if the default configuration should be enabled, else
falseprotected void configure(AuthenticationManagerBuilder auth) throws Exception
authenticationManager()
to attempt
to obtain an AuthenticationManager
. If overridden, the
AuthenticationManagerBuilder
should be used to specify the
AuthenticationManager
.
The authenticationManagerBean()
method can be used to expose the resulting
AuthenticationManager
as a Bean. The userDetailsServiceBean()
can
be used to expose the last populated UserDetailsService
that is created
with the AuthenticationManagerBuilder
as a Bean. The
UserDetailsService
will also automatically be populated on
AbstractConfiguredSecurityBuilder.getSharedObject(Class)
for use with other
SecurityContextConfigurer
(i.e. RememberMeConfigurer )
For example, the following configuration could be used to register in memory
authentication that exposes an in memory UserDetailsService
:
@Override protected void configure(AuthenticationManagerBuilder auth) { auth // enable in memory based authentication with a user named // "user" and "admin" .inMemoryAuthentication().withUser("user").password("password").roles("USER").and() .withUser("admin").password("password").roles("USER", "ADMIN"); } // Expose the UserDetailsService as a Bean @Bean @Override public UserDetailsService userDetailsServiceBean() throws Exception { return super.userDetailsServiceBean(); }
auth
- the AuthenticationManagerBuilder
to useException
protected final HttpSecurity getHttp() throws Exception
HttpSecurity
or returns the current instance
] * @return the HttpSecurity
Exception
public AuthenticationManager authenticationManagerBean() throws Exception
AuthenticationManager
from
configure(AuthenticationManagerBuilder)
to be exposed as a Bean. For
example:
@Bean(name name="myAuthenticationManager") @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); }
AuthenticationManager
Exception
protected AuthenticationManager authenticationManager() throws Exception
AuthenticationManager
to use. The default strategy is if
configure(AuthenticationManagerBuilder)
method is overridden to use the
AuthenticationManagerBuilder
that was passed in. Otherwise, autowire the
AuthenticationManager
by type.Exception
public UserDetailsService userDetailsServiceBean() throws Exception
UserDetailsService
created from
configure(AuthenticationManagerBuilder)
as a bean. In general only the
following override should be done of this method:
@Bean(name = "myUserDetailsService") // any or no name specified is allowed @Override public UserDetailsService userDetailsServiceBean() throws Exception { return super.userDetailsServiceBean(); }To change the instance returned, developers should change
userDetailsService()
insteadException
userDetailsService()
protected UserDetailsService userDetailsService()
UserDetailsService
from
userDetailsServiceBean()
without interacting with the
ApplicationContext
. Developers should override this method when changing
the instance of userDetailsServiceBean()
.public void init(WebSecurity web) throws Exception
SecurityConfigurer
SecurityBuilder
. Here only shared state should be created
and modified, but not properties on the SecurityBuilder
used for building
the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder)
method uses
the correct shared objects when building.init
in interface SecurityConfigurer<javax.servlet.Filter,WebSecurity>
Exception
public void configure(WebSecurity web) throws Exception
WebSecurity
. For example, if you wish to
ignore certain requests.configure
in interface SecurityConfigurer<javax.servlet.Filter,WebSecurity>
Exception
protected void configure(HttpSecurity http) throws Exception
HttpSecurity
. Typically subclasses
should not invoke this method by calling super as it may override their
configuration. The default configuration is:
http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
http
- the HttpSecurity
to modifyException
- if an error occurs@Autowired public void setApplicationContext(ApplicationContext context)
@Autowired(required=false) public void setTrustResolver(AuthenticationTrustResolver trustResolver)
@Autowired(required=false) public void setContentNegotationStrategy(ContentNegotiationStrategy contentNegotiationStrategy)
@Autowired public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor)
@Autowired public void setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration)