public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity> implements SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity>
HttpSecurity
is similar to Spring Security's XML <http> element in the
namespace configuration. It allows configuring web based security for specific http
requests. By default it will be applied to all requests, but can be restricted using
requestMatcher(RequestMatcher)
or other similar methods.
HttpSecurity
.
@Configuration @EnableWebSecurity public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } }
EnableWebSecurity
Modifier and Type | Class and Description |
---|---|
class |
HttpSecurity.MvcMatchersRequestMatcherConfigurer
An extension to
HttpSecurity.RequestMatcherConfigurer that allows optionally configuring
the servlet path. |
class |
HttpSecurity.RequestMatcherConfigurer
Allows mapping HTTP requests that this
HttpSecurity will be used for |
Constructor and Description |
---|
HttpSecurity(ObjectPostProcessor<Object> objectPostProcessor,
AuthenticationManagerBuilder authenticationBuilder,
Map<Class<? extends Object>,Object> sharedObjects)
Creates a new instance
|
Modifier and Type | Method and Description |
---|---|
HttpSecurity |
addFilter(javax.servlet.Filter filter)
Adds a
Filter that must be an instance of or extend one of the Filters
provided within the Security framework. |
HttpSecurity |
addFilterAfter(javax.servlet.Filter filter,
Class<? extends javax.servlet.Filter> afterFilter)
Allows adding a
Filter after one of the known Filter classes. |
HttpSecurity |
addFilterAt(javax.servlet.Filter filter,
Class<? extends javax.servlet.Filter> atFilter)
Adds the Filter at the location of the specified Filter class.
|
HttpSecurity |
addFilterBefore(javax.servlet.Filter filter,
Class<? extends javax.servlet.Filter> beforeFilter)
Allows adding a
Filter before one of the known Filter classes. |
AnonymousConfigurer<HttpSecurity> |
anonymous()
Allows configuring how an anonymous user is represented.
|
HttpSecurity |
antMatcher(String antPattern)
Allows configuring the
HttpSecurity to only be invoked when matching the
provided ant pattern. |
HttpSecurity |
authenticationProvider(AuthenticationProvider authenticationProvider)
Allows adding an additional
AuthenticationProvider to be used |
ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry |
authorizeRequests()
Allows restricting access based upon the
HttpServletRequest using |
protected void |
beforeConfigure()
Invoked prior to invoking each
SecurityConfigurer.configure(SecurityBuilder) method. |
CorsConfigurer<HttpSecurity> |
cors()
Adds a
CorsFilter to be used. |
CsrfConfigurer<HttpSecurity> |
csrf()
Adds CSRF support.
|
ExceptionHandlingConfigurer<HttpSecurity> |
exceptionHandling()
Allows configuring exception handling.
|
FormLoginConfigurer<HttpSecurity> |
formLogin()
Specifies to support form based authentication.
|
HeadersConfigurer<HttpSecurity> |
headers()
Adds the Security headers to the response.
|
HttpBasicConfigurer<HttpSecurity> |
httpBasic()
Configures HTTP Basic authentication.
|
JeeConfigurer<HttpSecurity> |
jee()
Configures container based pre authentication.
|
LogoutConfigurer<HttpSecurity> |
logout()
Provides logout support.
|
HttpSecurity |
mvcMatcher(String mvcPattern)
Allows configuring the
HttpSecurity to only be invoked when matching the
provided Spring MVC pattern. |
OpenIDLoginConfigurer<HttpSecurity> |
openidLogin()
Allows configuring OpenID based authentication.
|
protected DefaultSecurityFilterChain |
performBuild()
Subclasses must implement this method to build the object that is being returned.
|
PortMapperConfigurer<HttpSecurity> |
portMapper()
Allows configuring a
PortMapper that is available from
AbstractConfiguredSecurityBuilder.getSharedObject(Class) . |
HttpSecurity |
regexMatcher(String pattern)
Allows configuring the
HttpSecurity to only be invoked when matching the
provided regex pattern. |
RememberMeConfigurer<HttpSecurity> |
rememberMe()
Allows configuring of Remember Me authentication.
|
RequestCacheConfigurer<HttpSecurity> |
requestCache()
Allows configuring the Request Cache.
|
HttpSecurity |
requestMatcher(RequestMatcher requestMatcher)
Allows configuring the
HttpSecurity to only be invoked when matching the
provided RequestMatcher . |
HttpSecurity.RequestMatcherConfigurer |
requestMatchers()
Allows specifying which
HttpServletRequest instances this
HttpSecurity will be invoked on. |
ChannelSecurityConfigurer.ChannelRequestMatcherRegistry |
requiresChannel()
Configures channel security.
|
SecurityContextConfigurer<HttpSecurity> |
securityContext()
Sets up management of the
SecurityContext on the
SecurityContextHolder between HttpServletRequest 's. |
ServletApiConfigurer<HttpSecurity> |
servletApi()
Integrates the
HttpServletRequest methods with the values found on the
SecurityContext . |
SessionManagementConfigurer<HttpSecurity> |
sessionManagement()
Allows configuring of Session Management.
|
<C> void |
setSharedObject(Class<C> sharedType,
C object)
Sets an object that is shared by multiple
SecurityConfigurer . |
HttpSecurity |
userDetailsService(UserDetailsService userDetailsService)
Allows adding an additional
UserDetailsService to be used |
X509Configurer<HttpSecurity> |
x509()
Configures X509 based pre authentication.
|
apply, apply, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers
build, getObject
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
getConfigurer, getSharedObject, removeConfigurer
build
public HttpSecurity(ObjectPostProcessor<Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, Map<Class<? extends Object>,Object> sharedObjects)
objectPostProcessor
- the ObjectPostProcessor
that should be usedauthenticationBuilder
- the AuthenticationManagerBuilder
to use for
additional updatessharedObjects
- the shared Objects to initialize the HttpSecurity
withWebSecurityConfiguration
public OpenIDLoginConfigurer<HttpSecurity> openidLogin() throws Exception
@Configuration @EnableWebSecurity public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().openidLogin() .permitAll(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() // the username must match the OpenID of the user you are // logging in with .withUser( "https://www.google.com/accounts/o8/id?id=lmkCn9xzPdsxVwG7pjYMuDgNNdASFmobNkcRPaWU") .password("password").roles("USER"); } }A more advanced example demonstrating using attribute exchange and providing a custom AuthenticationUserDetailsService that will make any user that authenticates a valid user.
@Configuration @EnableWebSecurity public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) { http.authorizeRequests() .antMatchers("/**") .hasRole("USER") .and() .openidLogin() .loginPage("/login") .permitAll() .authenticationUserDetailsService( new AutoProvisioningUserDetailsService()) .attributeExchange("https://www.google.com/.*").attribute("email") .type("https://axschema.org/contact/email").required(true).and() .attribute("firstname").type("https://axschema.org/namePerson/first") .required(true).and().attribute("lastname") .type("https://axschema.org/namePerson/last").required(true).and().and() .attributeExchange(".*yahoo.com.*").attribute("email") .type("https://schema.openid.net/contact/email").required(true).and() .attribute("fullname").type("https://axschema.org/namePerson") .required(true).and().and().attributeExchange(".*myopenid.com.*") .attribute("email").type("https://schema.openid.net/contact/email") .required(true).and().attribute("fullname") .type("https://schema.openid.net/namePerson").required(true); } } public class AutoProvisioningUserDetailsService implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> { public UserDetails loadUserDetails(OpenIDAuthenticationToken token) throws UsernameNotFoundException { return new User(token.getName(), "NOTUSED", AuthorityUtils.createAuthorityList("ROLE_USER")); } }
OpenIDLoginConfigurer
for further customizations.Exception
OpenIDLoginConfigurer
public HeadersConfigurer<HttpSecurity> headers() throws Exception
WebSecurityConfigurerAdapter
's default constructor. Accepting the
default provided by WebSecurityConfigurerAdapter
or only invoking
headers()
without invoking additional methods on it, is the equivalent of:
@Configuration @EnableWebSecurity public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .headers() .contentTypeOptions() .and() .xssProtection() .and() .cacheControl() .and() .httpStrictTransportSecurity() .and() .frameOptions() .and() ...; } }You can disable the headers using the following:
@Configuration @EnableWebSecurity public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .headers().disable() ...; } }You can enable only a few of the headers by first invoking
HeadersConfigurer.defaultsDisabled()
and then invoking the appropriate methods on the headers()
result.
For example, the following will enable HeadersConfigurer.cacheControl()
and
HeadersConfigurer.frameOptions()
only.
@Configuration @EnableWebSecurity public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .headers() .defaultsDisabled() .cacheControl() .and() .frameOptions() .and() ...; } }You can also choose to keep the defaults but explicitly disable a subset of headers. For example, the following will enable all the default headers except
HeadersConfigurer.frameOptions()
.
@Configuration @EnableWebSecurity public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .headers() .frameOptions() .disable() .and() ...; } }
Exception
HeadersConfigurer
public CorsConfigurer<HttpSecurity> cors() throws Exception
CorsFilter
to be used. If a bean by the name of corsFilter is
provided, that CorsFilter
is used. Else if corsConfigurationSource is
defined, then that CorsConfiguration
is used. Otherwise, if Spring MVC is
on the classpath a HandlerMappingIntrospector
is used.CorsConfigurer
for customizationsException
public SessionManagementConfigurer<HttpSecurity> sessionManagement() throws Exception
@Configuration @EnableWebSecurity public class SessionManagementSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin() .permitAll().and().sessionManagement().maximumSessions(1) .expiredUrl("/login?expired"); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } }When using
SessionManagementConfigurer.maximumSessions(int)
, do not forget
to configure HttpSessionEventPublisher
for the application to ensure that
expired sessions are cleaned up.
In a web.xml this can be configured using the following:
<listener> <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> </listener>Alternatively,
AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher()
could return true.SessionManagementConfigurer
for further customizationsException
public PortMapperConfigurer<HttpSecurity> portMapper() throws Exception
PortMapper
that is available from
AbstractConfiguredSecurityBuilder.getSharedObject(Class)
. Other provided
SecurityConfigurer
objects use this configured PortMapper
as a
default PortMapper
when redirecting from HTTP to HTTPS or from HTTPS to
HTTP (for example when used in combination with requiresChannel()
. By
default Spring Security uses a PortMapperImpl
which maps the HTTP port 8080
to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.
@Configuration @EnableWebSecurity public class PortMapperSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .permitAll().and() // Example portMapper() configuration .portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } }
PortMapperConfigurer
for further customizationsException
requiresChannel()
public JeeConfigurer<HttpSecurity> jee() throws Exception
HttpServletRequest
and if the user is in the role "ROLE_USER" or
"ROLE_ADMIN" will add that to the resulting Authentication
.
@Configuration @EnableWebSecurity public class JeeSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and() // Example jee() configuration .jee().mappableRoles("ROLE_USER", "ROLE_ADMIN"); } }Developers wishing to use pre authentication with the container will need to ensure their web.xml configures the security constraints. For example, the web.xml (there is no equivalent Java based configuration supported by the Servlet specification) might look like:
<login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login</form-login-page> <form-error-page>/login?error</form-error-page> </form-login-config> </login-config> <security-role> <role-name>ROLE_USER</role-name> </security-role> <security-constraint> <web-resource-collection> <web-resource-name>Public</web-resource-name> <description>Matches unconstrained pages</description> <url-pattern>/login</url-pattern> <url-pattern>/logout</url-pattern> <url-pattern>/resources/*</url-pattern> </web-resource-collection> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Secured Areas</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>ROLE_USER</role-name> </auth-constraint> </security-constraint>Last you will need to configure your container to contain the user with the correct roles. This configuration is specific to the Servlet Container, so consult your Servlet Container's documentation.
JeeConfigurer
for further customizationsException
public X509Configurer<HttpSecurity> x509() throws Exception
@Configuration @EnableWebSecurity public class X509SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and() // Example x509() configuration .x509(); } }
X509Configurer
for further customizationsException
public RememberMeConfigurer<HttpSecurity> rememberMe() throws Exception
HttpSession
expires.
@Configuration @EnableWebSecurity public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .permitAll().and() // Example Remember Me Configuration .rememberMe(); } }
RememberMeConfigurer
for further customizationsException
public ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry authorizeRequests() throws Exception
HttpServletRequest
using
@Configuration @EnableWebSecurity public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER") .and().withUser("adminr").password("password").roles("ADMIN", "USER"); } }We can also configure multiple URLs. The configuration below requires authentication to every URL and will grant access to URLs starting with /admin/ to only the "admin" user. All other URLs either user can access.
@Configuration @EnableWebSecurity public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/**").hasRole("USER").and().formLogin(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER") .and().withUser("adminr").password("password").roles("ADMIN", "USER"); } }Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:
http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**") .hasRole("ADMIN")
Exception
requestMatcher(RequestMatcher)
public RequestCacheConfigurer<HttpSecurity> requestCache() throws Exception
WebSecurityConfigurerAdapter
.RequestCacheConfigurer
for further customizationsException
public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling() throws Exception
WebSecurityConfigurerAdapter
.ExceptionHandlingConfigurer
for further customizationsException
public SecurityContextConfigurer<HttpSecurity> securityContext() throws Exception
SecurityContext
on the
SecurityContextHolder
between HttpServletRequest
's. This is
automatically applied when using WebSecurityConfigurerAdapter
.SecurityContextConfigurer
for further customizationsException
public ServletApiConfigurer<HttpSecurity> servletApi() throws Exception
HttpServletRequest
methods with the values found on the
SecurityContext
. This is automatically applied when using
WebSecurityConfigurerAdapter
.ServletApiConfigurer
for further customizationsException
public CsrfConfigurer<HttpSecurity> csrf() throws Exception
WebSecurityConfigurerAdapter
's default constructor. You can disable it
using:
@Configuration @EnableWebSecurity public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() ...; } }
ServletApiConfigurer
for further customizationsException
public LogoutConfigurer<HttpSecurity> logout() throws Exception
WebSecurityConfigurerAdapter
. The default is that accessing the URL
"/logout" will log the user out by invalidating the HTTP Session, cleaning up any
rememberMe()
authentication that was configured, clearing the
SecurityContextHolder
, and then redirect to "/login?success".
@Configuration @EnableWebSecurity public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .and() // sample logout customization .logout().deleteCookies("remove").invalidateHttpSession(false) .logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success"); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } }
Exception
public AnonymousConfigurer<HttpSecurity> anonymous() throws Exception
WebSecurityConfigurerAdapter
. By
default anonymous users will be represented with an
AnonymousAuthenticationToken
and contain the role "ROLE_ANONYMOUS".
@Configuration @EnableWebSecurity public class AnononymousSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .and() // sample anonymous customization .anonymous().authorities("ROLE_ANON"); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } }The following demonstrates how to represent anonymous users as null. Note that this can cause
NullPointerException
in code that assumes anonymous
authentication is enabled.
@Configuration @EnableWebSecurity public class AnononymousSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .and() // sample anonymous customization .anonymous().disabled(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } }
Exception
public FormLoginConfigurer<HttpSecurity> formLogin() throws Exception
FormLoginConfigurer.loginPage(String)
is not specified a default login page
will be generated.
FormLoginConfigurer.loginPage(String)
@Configuration @EnableWebSecurity public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } }The configuration below demonstrates customizing the defaults.
@Configuration @EnableWebSecurity public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .usernameParameter("username") // default is username .passwordParameter("password") // default is password .loginPage("/authentication/login") // default is /login with an HTTP get .failureUrl("/authentication/login?failed") // default is /login?error .loginProcessingUrl("/authentication/login/process"); // default is /login // with an HTTP // post } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } }
Exception
FormLoginConfigurer.loginPage(String)
public ChannelSecurityConfigurer.ChannelRequestMatcherRegistry requiresChannel() throws Exception
@Configuration @EnableWebSecurity public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .and().requiresChannel().anyRequest().requiresSecure(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } }
ChannelSecurityConfigurer
for further customizationsException
public HttpBasicConfigurer<HttpSecurity> httpBasic() throws Exception
HttpBasicConfigurer.realmName(String)
.
@Configuration @EnableWebSecurity public class HttpBasicSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().httpBasic(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); } }
HttpBasicConfigurer
for further customizationsException
public <C> void setSharedObject(Class<C> sharedType, C object)
AbstractConfiguredSecurityBuilder
SecurityConfigurer
.setSharedObject
in interface HttpSecurityBuilder<HttpSecurity>
setSharedObject
in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
sharedType
- the Class to key the shared object by.object
- the Object to storeprotected void beforeConfigure() throws Exception
AbstractConfiguredSecurityBuilder
SecurityConfigurer.configure(SecurityBuilder)
method. Subclasses may
override this method to hook into the lifecycle without using a
SecurityConfigurer
.beforeConfigure
in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
Exception
protected DefaultSecurityFilterChain performBuild() throws Exception
AbstractConfiguredSecurityBuilder
performBuild
in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
Exception
public HttpSecurity authenticationProvider(AuthenticationProvider authenticationProvider)
HttpSecurityBuilder
AuthenticationProvider
to be usedauthenticationProvider
in interface HttpSecurityBuilder<HttpSecurity>
authenticationProvider
- the AuthenticationProvider
to be addedHttpSecurity
for further customizationspublic HttpSecurity userDetailsService(UserDetailsService userDetailsService) throws Exception
HttpSecurityBuilder
UserDetailsService
to be useduserDetailsService
in interface HttpSecurityBuilder<HttpSecurity>
userDetailsService
- the UserDetailsService
to be addedHttpSecurity
for further customizationsException
public HttpSecurity addFilterAfter(javax.servlet.Filter filter, Class<? extends javax.servlet.Filter> afterFilter)
HttpSecurityBuilder
Filter
after one of the known Filter
classes. The
known Filter
instances are either a Filter
listed in
HttpSecurityBuilder.addFilter(Filter)
or a Filter
that has already been added using
HttpSecurityBuilder.addFilterAfter(Filter, Class)
or HttpSecurityBuilder.addFilterBefore(Filter, Class)
.addFilterAfter
in interface HttpSecurityBuilder<HttpSecurity>
filter
- the Filter
to register after the type afterFilter
afterFilter
- the Class of the known Filter
.HttpSecurity
for further customizationspublic HttpSecurity addFilterBefore(javax.servlet.Filter filter, Class<? extends javax.servlet.Filter> beforeFilter)
HttpSecurityBuilder
Filter
before one of the known Filter
classes. The
known Filter
instances are either a Filter
listed in
HttpSecurityBuilder.addFilter(Filter)
or a Filter
that has already been added using
HttpSecurityBuilder.addFilterAfter(Filter, Class)
or HttpSecurityBuilder.addFilterBefore(Filter, Class)
.addFilterBefore
in interface HttpSecurityBuilder<HttpSecurity>
filter
- the Filter
to register before the type beforeFilter
beforeFilter
- the Class of the known Filter
.HttpSecurity
for further customizationspublic HttpSecurity addFilter(javax.servlet.Filter filter)
HttpSecurityBuilder
Filter
that must be an instance of or extend one of the Filters
provided within the Security framework. The method ensures that the ordering of the
Filters is automatically taken care of.
The ordering of the Filters is:
ChannelProcessingFilter
ConcurrentSessionFilter
SecurityContextPersistenceFilter
LogoutFilter
X509AuthenticationFilter
AbstractPreAuthenticatedProcessingFilter
UsernamePasswordAuthenticationFilter
ConcurrentSessionFilter
OpenIDAuthenticationFilter
DefaultLoginPageGeneratingFilter
ConcurrentSessionFilter
DigestAuthenticationFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
JaasApiIntegrationFilter
RememberMeAuthenticationFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
SwitchUserFilter
addFilter
in interface HttpSecurityBuilder<HttpSecurity>
filter
- the Filter
to addHttpSecurity
for further customizationspublic HttpSecurity addFilterAt(javax.servlet.Filter filter, Class<? extends javax.servlet.Filter> atFilter)
UsernamePasswordAuthenticationFilter
, you can invoke:
addFilterAt(new CustomFilter(), UsernamePasswordAuthenticationFilter.class)
filter
- the Filter to registeratFilter
- the location of another Filter
that is already registered
(i.e. known) with Spring Security.HttpSecurity
for further customizationspublic HttpSecurity.RequestMatcherConfigurer requestMatchers()
HttpServletRequest
instances this
HttpSecurity
will be invoked on. This method allows for easily invoking the
HttpSecurity
for multiple different RequestMatcher
instances. If
only a single RequestMatcher
is necessary consider using mvcMatcher(String)
,
antMatcher(String)
, regexMatcher(String)
, or
requestMatcher(RequestMatcher)
.
Invoking requestMatchers()
will not override previous invocations of mvcMatcher(String)
},
requestMatchers()
, antMatcher(String)
,
regexMatcher(String)
, and requestMatcher(RequestMatcher)
.
HttpSecurity
for URLs that begin
with "/api/" or "/oauth/".
@Configuration @EnableWebSecurity public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .requestMatchers() .antMatchers("/api/**", "/oauth/**") .and() .authorizeRequests() .antMatchers("/**").hasRole("USER") .and() .httpBasic(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("password").roles("USER"); } }The configuration below is the same as the previous configuration.
@Configuration @EnableWebSecurity public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .requestMatchers() .antMatchers("/api/**") .antMatchers("/oauth/**") .and() .authorizeRequests() .antMatchers("/**").hasRole("USER") .and() .httpBasic(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("password").roles("USER"); } }The configuration below is also the same as the above configuration.
@Configuration @EnableWebSecurity public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .requestMatchers() .antMatchers("/api/**") .and() .requestMatchers() .antMatchers("/oauth/**") .and() .authorizeRequests() .antMatchers("/**").hasRole("USER") .and() .httpBasic(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("password").roles("USER"); } }
HttpSecurity.RequestMatcherConfigurer
for further customizationspublic HttpSecurity requestMatcher(RequestMatcher requestMatcher)
HttpSecurity
to only be invoked when matching the
provided RequestMatcher
. If more advanced configuration is necessary,
consider using requestMatchers()
.
Invoking requestMatcher(RequestMatcher)
will override previous invocations
of requestMatchers()
, mvcMatcher(String)
, antMatcher(String)
,
regexMatcher(String)
, and requestMatcher(RequestMatcher)
.
requestMatcher
- the RequestMatcher
to use (i.e. new
AntPathRequestMatcher("/admin/**","GET") )HttpSecurity
for further customizationsrequestMatchers()
,
antMatcher(String)
,
regexMatcher(String)
public HttpSecurity antMatcher(String antPattern)
HttpSecurity
to only be invoked when matching the
provided ant pattern. If more advanced configuration is necessary, consider using
requestMatchers()
or requestMatcher(RequestMatcher)
.
Invoking antMatcher(String)
will override previous invocations of mvcMatcher(String)
},
requestMatchers()
, antMatcher(String)
,
regexMatcher(String)
, and requestMatcher(RequestMatcher)
.
antPattern
- the Ant Pattern to match on (i.e. "/admin/**")HttpSecurity
for further customizationsAntPathRequestMatcher
public HttpSecurity mvcMatcher(String mvcPattern)
HttpSecurity
to only be invoked when matching the
provided Spring MVC pattern. If more advanced configuration is necessary, consider using
requestMatchers()
or requestMatcher(RequestMatcher)
.
Invoking mvcMatcher(String)
will override previous invocations of mvcMatcher(String)
},
requestMatchers()
, antMatcher(String)
,
regexMatcher(String)
, and requestMatcher(RequestMatcher)
.
mvcPattern
- the Spring MVC Pattern to match on (i.e. "/admin/**")HttpSecurity
for further customizationsMvcRequestMatcher
public HttpSecurity regexMatcher(String pattern)
HttpSecurity
to only be invoked when matching the
provided regex pattern. If more advanced configuration is necessary, consider using
requestMatchers()
or requestMatcher(RequestMatcher)
.
Invoking regexMatcher(String)
will override previous invocations of mvcMatcher(String)
},
requestMatchers()
, antMatcher(String)
,
regexMatcher(String)
, and requestMatcher(RequestMatcher)
.
pattern
- the Regular Expression to match on (i.e. "/admin/.+")HttpSecurity
for further customizationsRegexRequestMatcher