public final class WebSecurity extends AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity> implements SecurityBuilder<javax.servlet.Filter>, ApplicationContextAware
The WebSecurity is created by WebSecurityConfiguration to create the FilterChainProxy known as the Spring Security Filter Chain (springSecurityFilterChain). The springSecurityFilterChain is the Filter that the DelegatingFilterProxy delegates to.

Customizations to the WebSecurity can be made by creating a WebSecurityConfigurer or more likely by overriding WebSecurityConfigurerAdapter.

See Also: EnableWebSecurity, WebSecurityConfiguration

Modifier and Type | Class and Description |
---|---|
class | WebSecurity.IgnoredRequestConfigurer: Allows registering RequestMatcher instances that should be ignored by Spring Security. |
class | WebSecurity.MvcMatchersIgnoredRequestConfigurer: A WebSecurity.IgnoredRequestConfigurer that allows optionally configuring the MvcRequestMatcher.setMethod(HttpMethod) |

Constructor and Description |
---|
WebSecurity(ObjectPostProcessor<Object> objectPostProcessor): Creates a new instance |

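Methods inherited from class AbstractConfiguredSecurityBuilder: apply, apply, beforeConfigure, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers, setSharedObject

Methods inherited from class AbstractSecurityBuilder: build, getObject

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface SecurityBuilder: build
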
public WebSecurity(ObjectPostProcessor<Object> objectPostProcessor)

Parameters: objectPostProcessor - the ObjectPostProcessor to use
See Also: WebSecurityConfiguration

public WebSecurity.IgnoredRequestConfigurer ignoring()

Allows adding RequestMatcher instances that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequest that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.

```java
webSecurityBuilder.ignoring()
    // ignore all URLs that start with /resources/ or /static/
    .antMatchers("/resources/**", "/static/**");
```

Alternatively this will accomplish the same result:

```java
webSecurityBuilder.ignoring()
    // ignore all URLs that start with /resources/ or /static/
    .antMatchers("/resources/**").antMatchers("/static/**");
```

Multiple invocations of ignoring() are also additive, so the following is also equivalent to the previous two examples:

```java
webSecurityBuilder.ignoring()
    // ignore all URLs that start with /resources/
    .antMatchers("/resources/**");
webSecurityBuilder.ignoring()
    // ignore all URLs that start with /static/
    .antMatchers("/static/**");
// now both URLs that start with /resources/ and /static/ will be ignored
```
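
The distinction drawn above between ignoring static resources and allowing all users on dynamic requests, as an added example (not part of the original Javadoc or of the Spring Security code base). The class name ExampleSecurityConfig and the /public/api/** pattern are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: class name and URL patterns are hypothetical.
@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Static files only: no Spring Security filters run for these
        // requests, so no SecurityContext is available while serving them.
        web.ignoring().antMatchers("/resources/**", "/static/**");

        // Weak setting, kept commented out for contrast: a dynamic endpoint
        // registered here would lose everything the filter chain provides.
        // web.ignoring().antMatchers("/public/api/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Corrected setting: the dynamic endpoint is open to all
                // users but still passes through the springSecurityFilterChain,
                // so the SecurityContext is populated for handlers behind it.
                .antMatchers("/public/api/**").permitAll()
                // Everything else requires an authenticated user.
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```
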

Returns: the WebSecurity.IgnoredRequestConfigurer to use for registering requests that should be ignored

public WebSecurity httpFirewall(HttpFirewall httpFirewall)

HttpFirewall. The default is DefaultHttpFirewall.

Parameters: httpFirewall - the custom HttpFirewall
Returns: the WebSecurity for further customizations

public WebSecurity debug(boolean debugEnabled)

Parameters: debugEnabled - if true, enables debug support with Spring Security. Default is false.
Returns: the WebSecurity for further customization.
See Also: EnableWebSecurity.debug()

public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder)

Adds builders to create SecurityFilterChain instances.

Typically this method is invoked automatically within the framework from WebSecurityConfigurerAdapter.init(WebSecurity)

Parameters: securityFilterChainBuilder - the builder to use to create the SecurityFilterChain instances
Returns: the WebSecurity for further customizations

public WebSecurity privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator)

WebInvocationPrivilegeEvaluator to be used. If this is null, then a DefaultWebInvocationPrivilegeEvaluator will be created when securityInterceptor(FilterSecurityInterceptor) is non null.

Parameters: privilegeEvaluator - the WebInvocationPrivilegeEvaluator to use
Returns: the WebSecurity for further customizations

public WebSecurity expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler)

SecurityExpressionHandler to be used. If this is null, then a DefaultWebSecurityExpressionHandler will be used.

Parameters: expressionHandler - the SecurityExpressionHandler to use
Returns: the WebSecurity for further customizations

public SecurityExpressionHandler<FilterInvocation> getExpressionHandler()

SecurityExpressionHandler to be used.

public WebInvocationPrivilegeEvaluator getPrivilegeEvaluator()

WebInvocationPrivilegeEvaluator to be used.

public WebSecurity securityInterceptor(FilterSecurityInterceptor securityInterceptor)

FilterSecurityInterceptor. This is typically invoked by WebSecurityConfigurerAdapter.

Parameters: securityInterceptor - the FilterSecurityInterceptor to use
Returns: the WebSecurity for further customizations

public WebSecurity postBuildAction(Runnable postBuildAction)

Parameters: postBuildAction -
Returns: the WebSecurity for further customizations

protected javax.servlet.Filter performBuild() throws Exception

AbstractConfiguredSecurityBuilder
Specified by: performBuild in class AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity>
Throws: Exception

public void setApplicationContext(ApplicationContext applicationContext) throws BeansException

Specified by: setApplicationContext in interface ApplicationContextAware
Throws: BeansException