public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity> implements SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity>

A HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration. It allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using requestMatcher(RequestMatcher) or other similar methods.

Example Usage

The most basic form based configuration can be seen below. The configuration will require that any URL that is requested will require a User with the role "ROLE_USER". It also defines an in memory authentication scheme with a user that has the username "user", the password "password", and the role "ROLE_USER". For additional examples, refer to the Java Doc of individual methods on HttpSecurity.

```java
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

See Also: EnableWebSecurity
Nested Classes

| Modifier and Type | Class and Description |
|---|---|
| class | HttpSecurity.MvcMatchersRequestMatcherConfigurer: An extension to HttpSecurity.RequestMatcherConfigurer that allows optionally configuring the servlet path. |
| class | HttpSecurity.RequestMatcherConfigurer: Allows mapping HTTP requests that this HttpSecurity will be used for. |
Constructors

| Constructor and Description |
|---|
| HttpSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, java.util.Map<java.lang.Class<? extends java.lang.Object>,java.lang.Object> sharedObjects): Creates a new instance. |
Methods

| Modifier and Type | Method and Description |
|---|---|
| HttpSecurity | addFilter(javax.servlet.Filter filter): Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework. |
| HttpSecurity | addFilterAfter(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> afterFilter): Allows adding a Filter after one of the known Filter classes. |
| HttpSecurity | addFilterAt(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> atFilter): Adds the Filter at the location of the specified Filter class. |
| HttpSecurity | addFilterBefore(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> beforeFilter): Allows adding a Filter before one of the known Filter classes. |
| AnonymousConfigurer<HttpSecurity> | anonymous(): Allows configuring how an anonymous user is represented. |
| HttpSecurity | antMatcher(java.lang.String antPattern): Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern. |
| HttpSecurity | authenticationProvider(AuthenticationProvider authenticationProvider): Allows adding an additional AuthenticationProvider to be used. |
| ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry | authorizeRequests(): Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns). |
| protected void | beforeConfigure(): Invoked prior to invoking each SecurityConfigurer.configure(SecurityBuilder) method. |
| CorsConfigurer<HttpSecurity> | cors(): Adds a CorsFilter to be used. |
| CsrfConfigurer<HttpSecurity> | csrf(): Adds CSRF support. |
| ExceptionHandlingConfigurer<HttpSecurity> | exceptionHandling(): Allows configuring exception handling. |
| FormLoginConfigurer<HttpSecurity> | formLogin(): Specifies to support form based authentication. |
| HeadersConfigurer<HttpSecurity> | headers(): Adds the Security headers to the response. |
| HttpBasicConfigurer<HttpSecurity> | httpBasic(): Configures HTTP Basic authentication. |
| JeeConfigurer<HttpSecurity> | jee(): Configures container based pre authentication. |
| LogoutConfigurer<HttpSecurity> | logout(): Provides logout support. |
| HttpSecurity | mvcMatcher(java.lang.String mvcPattern): Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern. |
| OAuth2LoginConfigurer<HttpSecurity> | oauth2Login(): Configures authentication against an external OAuth 2.0 or OpenID Connect 1.0 Provider. |
| OpenIDLoginConfigurer<HttpSecurity> | openidLogin(): Allows configuring OpenID based authentication. |
| protected DefaultSecurityFilterChain | performBuild(): Subclasses must implement this method to build the object that is being returned. |
| PortMapperConfigurer<HttpSecurity> | portMapper(): Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). |
| HttpSecurity | regexMatcher(java.lang.String pattern): Allows configuring the HttpSecurity to only be invoked when matching the provided regex pattern. |
| RememberMeConfigurer<HttpSecurity> | rememberMe(): Allows configuring of Remember Me authentication. |
| RequestCacheConfigurer<HttpSecurity> | requestCache(): Allows configuring the Request Cache. |
| HttpSecurity | requestMatcher(RequestMatcher requestMatcher): Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher. |
| HttpSecurity.RequestMatcherConfigurer | requestMatchers(): Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. |
| ChannelSecurityConfigurer.ChannelRequestMatcherRegistry | requiresChannel(): Configures channel security. |
| SecurityContextConfigurer<HttpSecurity> | securityContext(): Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequest's. |
| ServletApiConfigurer<HttpSecurity> | servletApi(): Integrates the HttpServletRequest methods with the values found on the SecurityContext. |
| SessionManagementConfigurer<HttpSecurity> | sessionManagement(): Allows configuring of Session Management. |
| <C> void | setSharedObject(java.lang.Class<C> sharedType, C object): Sets an object that is shared by multiple SecurityConfigurer. |
| HttpSecurity | userDetailsService(UserDetailsService userDetailsService): Allows adding an additional UserDetailsService to be used. |
| X509Configurer<HttpSecurity> | x509(): Configures X509 based pre authentication. |
Methods inherited from class AbstractConfiguredSecurityBuilder: apply, apply, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers

Methods inherited from class AbstractSecurityBuilder: build, getObject

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface HttpSecurityBuilder: getConfigurer, getSharedObject, removeConfigurer

Methods inherited from interface SecurityBuilder: build
Constructor Detail

public HttpSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, java.util.Map<java.lang.Class<? extends java.lang.Object>,java.lang.Object> sharedObjects)

Creates a new instance.

Parameters:
- objectPostProcessor - the ObjectPostProcessor that should be used
- authenticationBuilder - the AuthenticationManagerBuilder to use for additional updates
- sharedObjects - the shared Objects to initialize the HttpSecurity with

See Also: WebSecurityConfiguration

Method Detail
public OpenIDLoginConfigurer<HttpSecurity> openidLogin() throws java.lang.Exception

Allows configuring OpenID based authentication.

Example Configurations

A basic example accepting the defaults and not using attribute exchange:

```java
@Configuration
@EnableWebSecurity
public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().openidLogin()
                .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                // the username must match the OpenID of the user you are
                // logging in with
                .withUser("https://www.google.com/accounts/o8/id?id=lmkCn9xzPdsxVwG7pjYMuDgNNdASFmobNkcRPaWU")
                .password("password").roles("USER");
    }
}
```

A more advanced example demonstrating using attribute exchange and providing a custom AuthenticationUserDetailsService that will make any user that authenticates a valid user.

```java
@Configuration
@EnableWebSecurity
public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**")
                .hasRole("USER")
                .and()
            .openidLogin()
                .loginPage("/login")
                .permitAll()
                .authenticationUserDetailsService(new AutoProvisioningUserDetailsService())
                .attributeExchange("https://www.google.com/.*")
                    .attribute("email")
                        .type("http://axschema.org/contact/email")
                        .required(true)
                        .and()
                    .attribute("firstname")
                        .type("http://axschema.org/namePerson/first")
                        .required(true)
                        .and()
                    .attribute("lastname")
                        .type("http://axschema.org/namePerson/last")
                        .required(true)
                        .and()
                    .and()
                .attributeExchange(".*yahoo.com.*")
                    .attribute("email")
                        .type("http://schema.openid.net/contact/email")
                        .required(true)
                        .and()
                    .attribute("fullname")
                        .type("http://axschema.org/namePerson")
                        .required(true)
                        .and()
                    .and()
                .attributeExchange(".*myopenid.com.*")
                    .attribute("email")
                        .type("http://schema.openid.net/contact/email")
                        .required(true)
                        .and()
                    .attribute("fullname")
                        .type("http://schema.openid.net/namePerson")
                        .required(true);
    }
}

public class AutoProvisioningUserDetailsService
        implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> {

    public UserDetails loadUserDetails(OpenIDAuthenticationToken token)
            throws UsernameNotFoundException {
        // every successfully authenticated OpenID is accepted and given ROLE_USER
        return new User(token.getName(), "NOTUSED",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
```

Returns: the OpenIDLoginConfigurer for further customizations.
Throws: java.lang.Exception
See Also: OpenIDLoginConfigurer
public HeadersConfigurer<HttpSecurity> headers() throws java.lang.Exception

Adds the Security headers to the response. This is activated by default when using WebSecurityConfigurerAdapter's default constructor. Accepting the default provided by WebSecurityConfigurerAdapter or only invoking headers() without invoking additional methods on it, is the equivalent of:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .contentTypeOptions()
                .and()
                .xssProtection()
                .and()
                .cacheControl()
                .and()
                .httpStrictTransportSecurity()
                .and()
                .frameOptions()
                .and()
            ...;
    }
}
```

You can disable the headers using the following:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers().disable()
            ...;
    }
}
```

You can enable only a few of the headers by first invoking HeadersConfigurer.defaultsDisabled() and then invoking the appropriate methods on the headers() result. For example, the following will enable HeadersConfigurer.cacheControl() and HeadersConfigurer.frameOptions() only.

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .defaultsDisabled()
                .cacheControl()
                .and()
                .frameOptions()
                .and()
            ...;
    }
}
```

You can also choose to keep the defaults but explicitly disable a subset of headers. For example, the following will enable all the default headers except HeadersConfigurer.frameOptions().

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .frameOptions()
                    .disable()
                .and()
            ...;
    }
}
```

Returns: the HeadersConfigurer for further customizations
Throws: java.lang.Exception
See Also: HeadersConfigurer
public CorsConfigurer<HttpSecurity> cors() throws java.lang.Exception

Adds a CorsFilter to be used. If a bean by the name of corsFilter is provided, that CorsFilter is used. Else if corsConfigurationSource is defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is on the classpath a HandlerMappingIntrospector is used.

Returns: the CorsConfigurer for customizations
Throws: java.lang.Exception
public SessionManagementConfigurer<HttpSecurity> sessionManagement() throws java.lang.Exception

Allows configuring of Session Management.

Example Configuration

The following configuration allows only one authenticated session per user at a time. If the user "user" authenticates again without logging out, the first session is expired and its next request is sent to the "/login?expired" URL.

```java
@Configuration
@EnableWebSecurity
public class SessionManagementSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin()
                .permitAll().and().sessionManagement().maximumSessions(1)
                .expiredUrl("/login?expired");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

When using SessionManagementConfigurer.maximumSessions(int), do not forget to configure HttpSessionEventPublisher for the application to ensure that expired sessions are cleaned up.

In a web.xml this can be configured using the following:

```xml
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```

Alternatively, AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher() could return true.

Returns: the SessionManagementConfigurer for further customizations
Throws: java.lang.Exception
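The Java-config counterpart of the web.xml listener above, as an added example that is not part of the Spring Security Javadoc: an AbstractSecurityWebApplicationInitializer subclass that returns true from enableHttpSessionEventPublisher(), next to the single-session configuration it supports. The class names SecurityWebApplicationInitializer and SingleSessionSecurityConfig are constructed for this example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * Constructed example class. Registers the springSecurityFilterChain for the config
 * class below and, because enableHttpSessionEventPublisher() returns true, also
 * registers HttpSessionEventPublisher as a servlet listener. That listener turns the
 * container's session-destroyed callback into a Spring SessionDestroyedEvent, which
 * is how the SessionRegistry behind maximumSessions(1) learns that a slot is free.
 */
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    public SecurityWebApplicationInitializer() {
        super(SingleSessionSecurityConfig.class);
    }

    @Override
    protected boolean enableHttpSessionEventPublisher() {
        // Without the publisher, sessions the container times out or invalidates are
        // never removed from the SessionRegistry, so they linger and keep counting
        // toward the per-user limit.
        return true;
    }
}

@Configuration
@EnableWebSecurity
class SingleSessionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin().permitAll().and()
            .sessionManagement()
                // One concurrent session per principal. When a second login succeeds,
                // the older session is marked expired and its next request is sent
                // to /login?expired instead of being served.
                .maximumSessions(1)
                .expiredUrl("/login?expired");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```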
public PortMapperConfigurer<HttpSecurity> portMapper() throws java.lang.Exception

Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). Other provided SecurityConfigurer objects use this configured PortMapper as a default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to HTTP (for example when used in combination with requiresChannel()). By default Spring Security uses a PortMapperImpl which maps the HTTP port 8080 to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.

Example Configuration

The following will ensure that redirects within Spring Security from HTTP of a port of 9090 will redirect to HTTPS port of 9443 and the HTTP port of 80 to the HTTPS port of 443.

```java
@Configuration
@EnableWebSecurity
public class PortMapperSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
                .permitAll().and()
                // Example portMapper() configuration
                .portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

Returns: the PortMapperConfigurer for further customizations
Throws: java.lang.Exception
See Also: requiresChannel()
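The interaction between portMapper() and requiresChannel() that the paragraph above describes, as an added example (not from the Javadoc): the constructed deployment listens on 9090 for HTTP and 9443 for HTTPS, so the HTTPS redirect issued by requiresChannel() only works once the PortMapper knows about those ports. The class name NonStandardPortsSecurityConfig is constructed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class NonStandardPortsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin().and()
            // Every request, including the login page and the credential POST, must
            // arrive over HTTPS. A plain-HTTP request is answered with a redirect to
            // the same path over https, on the port the shared PortMapper yields for
            // the port the request came in on.
            .requiresChannel().anyRequest().requiresSecure().and()
            // Constructed deployment: the container listens on 9090 (HTTP) and 9443
            // (HTTPS). The default PortMapperImpl only knows 8080->8443 and 80->443,
            // so it has no HTTPS port for a request on 9090 and the redirect cannot be
            // built correctly. With this mapping http://host:9090/account is redirected
            // to https://host:9443/account. The 80->443 pair is kept for a front-end
            // proxy that exposes the standard ports.
            .portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```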
public JeeConfigurer<HttpSecurity> jee() throws java.lang.Exception

Configures container based pre authentication. In this case, authentication is managed by the Servlet Container.

Example Configuration

The following configuration will use the principal found on the HttpServletRequest and if the user is in the role "ROLE_USER" or "ROLE_ADMIN" will add that to the resulting Authentication.

```java
@Configuration
@EnableWebSecurity
public class JeeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and()
                // Example jee() configuration
                .jee().mappableRoles("ROLE_USER", "ROLE_ADMIN");
    }
}
```

Developers wishing to use pre authentication with the container will need to ensure their web.xml configures the security constraints. For example, the web.xml (there is no equivalent Java based configuration supported by the Servlet specification) might look like:

```xml
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login?error</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>ROLE_USER</role-name>
</security-role>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <description>Matches unconstrained pages</description>
        <url-pattern>/login</url-pattern>
        <url-pattern>/logout</url-pattern>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Areas</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
</security-constraint>
```

Last you will need to configure your container to contain the user with the correct roles. This configuration is specific to the Servlet Container, so consult your Servlet Container's documentation.

Returns: the JeeConfigurer for further customizations
Throws: java.lang.Exception
public X509Configurer<HttpSecurity> x509() throws java.lang.Exception

Configures X509 based pre authentication.

Example Configuration

The following configuration will attempt to extract the username from the X509 certificate. Remember that the Servlet Container will need to be configured to request client certificates in order for this to work.

```java
@Configuration
@EnableWebSecurity
public class X509SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and()
                // Example x509() configuration
                .x509();
    }
}
```

Returns: the X509Configurer for further customizations
Throws: java.lang.Exception
public RememberMeConfigurer<HttpSecurity> rememberMe() throws java.lang.Exception

Allows configuring of Remember Me authentication.

Example Configuration

The following configuration demonstrates how to allow token based remember me authentication. Upon authenticating if the HTTP parameter named "remember-me" exists, then the user will be remembered even after their HttpSession expires.

```java
@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
                .permitAll().and()
                // Example Remember Me Configuration
                .rememberMe();
    }
}
```

Returns: the RememberMeConfigurer for further customizations
Throws: java.lang.Exception
public ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry authorizeRequests() throws java.lang.Exception

Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).

Example Configurations

The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication to every URL and will grant access to both the user "admin" and "user".

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
                .and().withUser("admin").password("password").roles("ADMIN", "USER");
    }
}
```

We can also configure multiple URLs. The configuration below requires authentication to every URL and will grant access to URLs starting with /admin/ to only the "admin" user. All other URLs either user can access.

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // the more specific /admin/** rule must come before the /** catch-all
        http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER").and().formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
                .and().withUser("admin").password("password").roles("ADMIN", "USER");
    }
}
```

Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:

```java
http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**")
        .hasRole("ADMIN")
```

Returns: the ExpressionUrlAuthorizationConfigurer for further customizations
Throws: java.lang.Exception
See Also: requestMatcher(RequestMatcher)
public RequestCacheConfigurer<HttpSecurity> requestCache() throws java.lang.Exception

Allows configuring the Request Cache. This is automatically applied when using WebSecurityConfigurerAdapter.

Returns: the RequestCacheConfigurer for further customizations
Throws: java.lang.Exception
public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling() throws java.lang.Exception

Allows configuring exception handling. This is automatically applied when using WebSecurityConfigurerAdapter.

Returns: the ExceptionHandlingConfigurer for further customizations
Throws: java.lang.Exception
public SecurityContextConfigurer<HttpSecurity> securityContext() throws java.lang.Exception

Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequest's. This is automatically applied when using WebSecurityConfigurerAdapter.

Returns: the SecurityContextConfigurer for further customizations
Throws: java.lang.Exception
public ServletApiConfigurer<HttpSecurity> servletApi() throws java.lang.Exception

Integrates the HttpServletRequest methods with the values found on the SecurityContext. This is automatically applied when using WebSecurityConfigurerAdapter.

Returns: the ServletApiConfigurer for further customizations
Throws: java.lang.Exception
public CsrfConfigurer<HttpSecurity> csrf() throws java.lang.Exception

Adds CSRF support. This is activated by default when using WebSecurityConfigurerAdapter's default constructor. You can disable it using:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            ...;
    }
}
```

Returns: the CsrfConfigurer for further customizations
Throws: java.lang.Exception
public LogoutConfigurer<HttpSecurity> logout() throws java.lang.Exception

Provides logout support. This is automatically applied when using WebSecurityConfigurerAdapter. The default is that accessing the URL "/logout" will log the user out by invalidating the HTTP Session, cleaning up any rememberMe() authentication that was configured, clearing the SecurityContextHolder, and then redirect to "/login?success".

Example Configuration

The following customization to log out when the URL "/custom-logout" is invoked. Logging out will remove the cookie named "remove", not invalidate the HttpSession, clear the SecurityContextHolder, and upon completion redirect to "/logout-success".

```java
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
                .and()
                // sample logout customization
                .logout().deleteCookies("remove").invalidateHttpSession(false)
                .logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

Returns: the LogoutConfigurer for further customizations
Throws: java.lang.Exception
public AnonymousConfigurer<HttpSecurity> anonymous() throws java.lang.Exception

Allows configuring how an anonymous user is represented. This is automatically applied when using WebSecurityConfigurerAdapter. By default anonymous users will be represented with an AnonymousAuthenticationToken and contain the role "ROLE_ANONYMOUS".

Example Configuration

The following configuration demonstrates how to specify that anonymous users should contain the role "ROLE_ANON" instead.

```java
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
                .and()
                // sample anonymous customization
                .anonymous().authorities("ROLE_ANON");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

The following demonstrates how to represent anonymous users as null. Note that this can cause NullPointerException in code that assumes anonymous authentication is enabled.

```java
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
                .and()
                // sample anonymous customization
                .anonymous().disabled();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

Returns: the AnonymousConfigurer for further customizations
Throws: java.lang.Exception
public FormLoginConfigurer<HttpSecurity> formLogin() throws java.lang.Exception

Specifies to support form based authentication. If FormLoginConfigurer.loginPage(String) is not specified a default login page will be generated.

Example Configurations

The most basic configuration defaults to automatically generating a login page at the URL "/login", redirecting to "/login?error" for authentication failure. The details of the login page can be found on FormLoginConfigurer.loginPage(String).

```java
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

The configuration below demonstrates customizing the defaults.

```java
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
                .usernameParameter("username") // default is username
                .passwordParameter("password") // default is password
                .loginPage("/authentication/login") // default is /login with an HTTP get
                .failureUrl("/authentication/login?failed") // default is /login?error
                .loginProcessingUrl("/authentication/login/process"); // default is /login with an HTTP post
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

Returns: the FormLoginConfigurer for further customizations
Throws: java.lang.Exception
See Also: FormLoginConfigurer.loginPage(String)
public OAuth2LoginConfigurer<HttpSecurity> oauth2Login() throws java.lang.Exception

Configures authentication against an external OAuth 2.0 or OpenID Connect 1.0 Provider. The details of a Client's registration with its Provider are represented by a ClientRegistration.

Properties specific to a Client include: client_id, client_secret, scope, redirect_uri, etc. There are also properties specific to the Provider, for example, Authorization Endpoint URI, Token Endpoint URI, UserInfo Endpoint URI, etc.

ClientRegistration(s) are composed within a ClientRegistrationRepository. An instance of ClientRegistrationRepository is required and may be supplied via the ApplicationContext or configured using OAuth2LoginConfigurer.clients(org.springframework.security.oauth2.client.registration.ClientRegistrationRepository).

The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the clients (composed within the ClientRegistrationRepository) with an anchor link to "/oauth2/authorization/code/{clientAlias}".

Clicking through the link will initiate the "Authorization Request" flow redirecting the end-user's user-agent to the Authorization Endpoint of the Provider. Assuming the Resource Owner (end-user) grants the Client access, the Authorization Server will redirect the end-user's user-agent to the Redirection Endpoint containing the Authorization Code - the Redirection Endpoint is automatically configured for the application and defaults to "/oauth2/authorize/code/{clientAlias}".

At this point in the "authentication flow", the configured AuthorizationGrantTokenExchanger will exchange the Authorization Code for an Access Token and then use it to access the protected resource at the UserInfo Endpoint (via OAuth2UserService) in order to retrieve the details of the Resource Owner (end-user) and establish the "authenticated" session.

Example Configuration

The following configuration accepts the defaults: an auto-generated login page at "/login", redirecting to "/login?error" when an authentication error occurs, and redirecting to "/" when an authenticated session is established.

```java
@EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login();
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        // ClientRegistrationRepositoryImpl must be composed of at least one ClientRegistration instance
        return new ClientRegistrationRepositoryImpl();
    }
}
```

The following shows the configuration options available for customizing the defaults.

```java
@EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .clients(this.clientRegistrationRepository())
                .authorizationRequestBuilder(this.authorizationRequestBuilder())
                .authorizationCodeTokenExchanger(this.authorizationCodeTokenExchanger())
                .userInfoEndpoint()
                    .userInfoService(this.userInfoService())
                .userInfoEndpoint()
                    // Provide a mapping between a Converter implementation and a UserInfo Endpoint URI
                    .userInfoTypeConverter(this.userInfoConverter(),
                            new URI("https://www.googleapis.com/oauth2/v3/userinfo"));
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        // ClientRegistrationRepositoryImpl must be composed of at least one ClientRegistration instance
        return new ClientRegistrationRepositoryImpl();
    }

    @Bean
    public AuthorizationRequestUriBuilder authorizationRequestBuilder() {
        // Custom URI builder for the "Authorization Request"
        return new AuthorizationRequestUriBuilderImpl();
    }

    @Bean
    public AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger() {
        // Custom implementation that exchanges an "Authorization Code Grant" for an "Access Token"
        return new AuthorizationCodeTokenExchangerImpl();
    }

    @Bean
    public OAuth2UserService userInfoService() {
        // Custom implementation that retrieves the details of the authenticated user at the "UserInfo Endpoint"
        return new OAuth2UserServiceImpl();
    }

    @Bean
    public Converter<ClientHttpResponse, UserInfo> userInfoConverter() {
        // Default converter implementation for UserInfo
        return new org.springframework.security.oauth2.client.user.converter.UserInfoConverter();
    }
}
```

Returns: the OAuth2LoginConfigurer for further customizations
Throws: java.lang.Exception
See Also: ClientRegistration, ClientRegistrationRepository, AuthorizationRequestUriBuilder, AuthorizationGrantTokenExchanger, OAuth2UserService
public ChannelSecurityConfigurer.ChannelRequestMatcherRegistry requiresChannel() throws java.lang.Exception

Configures channel security. In order for this configuration to be useful at least one mapping to a required channel must be provided.

Example Configuration

The example below demonstrates how to require HTTPS for every request. Only requiring HTTPS for some requests is supported, but not recommended since an application that allows for HTTP introduces many security vulnerabilities. For one such example, read about Firesheep.

```java
@Configuration
@EnableWebSecurity
public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
                .and().requiresChannel().anyRequest().requiresSecure();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

Returns: the ChannelSecurityConfigurer for further customizations
Throws: java.lang.Exception
public HttpBasicConfigurer<HttpSecurity> httpBasic() throws java.lang.Exception

Configures HTTP Basic authentication.

Example Configuration

The example below demonstrates how to configure HTTP Basic authentication for an application. The default realm is "Realm", but can be customized using HttpBasicConfigurer.realmName(String).

```java
@Configuration
@EnableWebSecurity
public class HttpBasicSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

Returns: the HttpBasicConfigurer for further customizations
Throws: java.lang.Exception
public <C> void setSharedObject(java.lang.Class<C> sharedType, C object)

Description copied from class: AbstractConfiguredSecurityBuilder
Sets an object that is shared by multiple SecurityConfigurer.

Specified by: setSharedObject in interface HttpSecurityBuilder<HttpSecurity>
Overrides: setSharedObject in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
Parameters:
- sharedType - the Class to key the shared object by.
- object - the Object to store

protected void beforeConfigure() throws java.lang.Exception
Description copied from class: AbstractConfiguredSecurityBuilder
Invoked prior to invoking each SecurityConfigurer.configure(SecurityBuilder) method. Subclasses may override this method to hook into the lifecycle without using a SecurityConfigurer.

Overrides: beforeConfigure in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
Throws: java.lang.Exception
protected DefaultSecurityFilterChain performBuild() throws java.lang.Exception

Description copied from class: AbstractConfiguredSecurityBuilder
Subclasses must implement this method to build the object that is being returned.

Specified by: performBuild in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
Throws: java.lang.Exception
public HttpSecurity authenticationProvider(AuthenticationProvider authenticationProvider)

Description copied from interface: HttpSecurityBuilder
Allows adding an additional AuthenticationProvider to be used.

Specified by: authenticationProvider in interface HttpSecurityBuilder<HttpSecurity>
Parameters: authenticationProvider - the AuthenticationProvider to be added
Returns: the HttpSecurity for further customizations

public HttpSecurity userDetailsService(UserDetailsService userDetailsService) throws java.lang.Exception
Description copied from interface: HttpSecurityBuilder
Allows adding an additional UserDetailsService to be used.

Specified by: userDetailsService in interface HttpSecurityBuilder<HttpSecurity>
Parameters: userDetailsService - the UserDetailsService to be added
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public HttpSecurity addFilterAfter(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> afterFilter)

Description copied from interface: HttpSecurityBuilder
Allows adding a Filter after one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).

Specified by: addFilterAfter in interface HttpSecurityBuilder<HttpSecurity>
Parameters:
- filter - the Filter to register after the type afterFilter
- afterFilter - the Class of the known Filter.
Returns: the HttpSecurity for further customizations

public HttpSecurity addFilterBefore(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> beforeFilter)
HttpSecurityBuilder
Filter
before one of the known Filter
classes. The
known Filter
instances are either a Filter
listed in
HttpSecurityBuilder.addFilter(Filter)
or a Filter
that has already been added using
HttpSecurityBuilder.addFilterAfter(Filter, Class)
or HttpSecurityBuilder.addFilterBefore(Filter, Class)
.addFilterBefore
in interface HttpSecurityBuilder<HttpSecurity>
filter
- the Filter
to register before the type beforeFilter
beforeFilter
- the Class of the known Filter
.HttpSecurity
for further customizationspublic HttpSecurity addFilter(javax.servlet.Filter filter)
HttpSecurityBuilder
Filter
that must be an instance of or extend one of the Filters
provided within the Security framework. The method ensures that the ordering of the
Filters is automatically taken care of.
The ordering of the Filters is:
ChannelProcessingFilter
ConcurrentSessionFilter
SecurityContextPersistenceFilter
LogoutFilter
X509AuthenticationFilter
AbstractPreAuthenticatedProcessingFilter
UsernamePasswordAuthenticationFilter
ConcurrentSessionFilter
OpenIDAuthenticationFilter
DefaultLoginPageGeneratingFilter
ConcurrentSessionFilter
DigestAuthenticationFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
JaasApiIntegrationFilter
RememberMeAuthenticationFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
SwitchUserFilter
addFilter
in interface HttpSecurityBuilder<HttpSecurity>
filter
- the Filter
to addHttpSecurity
for further customizationspublic HttpSecurity addFilterAt(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> atFilter)
UsernamePasswordAuthenticationFilter
, you can invoke:
addFilterAt(new CustomFilter(), UsernamePasswordAuthenticationFilter.class)
filter
- the Filter to registeratFilter
- the location of another Filter
that is already registered
(i.e. known) with Spring Security.HttpSecurity
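A custom Filter is not one of the framework's known types, so addFilter(Filter) rejects it; it has to be positioned relative to a known filter with addFilterBefore, addFilterAfter or addFilterAt. The code below is an added example, not from this Javadoc or the Spring Security project; it assumes javax.servlet and a WebSecurityConfigurerAdapter-era release, and the class names LoginAttemptAuditFilter and AuditFilterSecurityConfig are hypothetical. It places an audit filter immediately before UsernamePasswordAuthenticationFilter so that every form-login attempt, successful or not, is recorded for detection before the framework processes it.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (added example). OncePerRequestFilter guarantees a single
// execution per request even when the container dispatches internally (forwards, errors).
class LoginAttemptAuditFilter extends OncePerRequestFilter {

    private static final Logger LOG = Logger.getLogger(LoginAttemptAuditFilter.class.getName());

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        // "/login" is the default form-login processing URL; adjust if loginProcessingUrl() is customised.
        if ("POST".equals(request.getMethod()) && "/login".equals(request.getServletPath())) {
            // Record who tried from where. The password parameter is deliberately never read or logged.
            String username = request.getParameter("username");
            LOG.info("login attempt user=" + username + " from=" + request.getRemoteAddr());
        }
        // Always continue the chain: this filter observes, it never decides.
        chain.doFilter(request, response);
    }
}

// Hypothetical configuration class (added example).
@Configuration
@EnableWebSecurity
public class AuditFilterSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Anchored to a known filter: runs just before form-login processing,
            // so it sees every attempt, including ones that will fail authentication.
            .addFilterBefore(new LoginAttemptAuditFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

The filter is instantiated with new rather than declared as a bean on purpose: in a Spring Boot application any Filter bean is also registered with the servlet container, so a bean-declared filter would run once in the container chain and again inside the security chain. If the filter must be a bean (for injection), suppress the container registration with a FilterRegistrationBean whose enabled flag is false.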
public HttpSecurity.RequestMatcherConfigurer requestMatchers()
Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using mvcMatcher(String), antMatcher(String), regexMatcher(String), or requestMatcher(RequestMatcher).
Invoking requestMatchers() will not override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
Example Configurations
The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/".

@Configuration
@EnableWebSecurity
public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/api/**", "/oauth/**")
                .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

The configuration below is the same as the previous configuration.

@Configuration
@EnableWebSecurity
public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/api/**")
                .antMatchers("/oauth/**")
                .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

The configuration below is also the same as the above configuration.

@Configuration
@EnableWebSecurity
public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/api/**")
                .and()
            .requestMatchers()
                .antMatchers("/oauth/**")
                .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

Returns:
the HttpSecurity.RequestMatcherConfigurer for further customizations

public HttpSecurity requestMatcher(RequestMatcher requestMatcher)
Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher. If more advanced configuration is necessary, consider using requestMatchers().
Invoking requestMatcher(RequestMatcher) will override previous invocations of requestMatchers(), mvcMatcher(String), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
Parameters:
requestMatcher - the RequestMatcher to use (i.e. new AntPathRequestMatcher("/admin/**","GET"))
Returns:
the HttpSecurity for further customizations
See Also:
requestMatchers(), antMatcher(String), regexMatcher(String)

public HttpSecurity antMatcher(java.lang.String antPattern)
Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher).
Invoking antMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
Parameters:
antPattern - the Ant Pattern to match on (i.e. "/admin/**")
Returns:
the HttpSecurity for further customizations
See Also:
AntPathRequestMatcher

public HttpSecurity mvcMatcher(java.lang.String mvcPattern)
Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher).
Invoking mvcMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
Parameters:
mvcPattern - the Spring MVC Pattern to match on (i.e. "/admin/**")
Returns:
the HttpSecurity for further customizations
See Also:
MvcRequestMatcher

public HttpSecurity regexMatcher(java.lang.String pattern)
Allows configuring the HttpSecurity to only be invoked when matching the provided regex pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher).
Invoking regexMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
Parameters:
pattern - the Regular Expression to match on (i.e. "/admin/.+")
Returns:
the HttpSecurity for further customizations
See Also:
RegexRequestMatcher
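The single-matcher methods (requestMatcher, antMatcher, mvcMatcher, regexMatcher) exist mainly so that several HttpSecurity instances can each claim a slice of the URL space and be built into separate filter chains. The configuration below is an added example, not from this Javadoc or the Spring Security project; it assumes a WebSecurityConfigurerAdapter-era release, and the class names MultiChainSecurityConfig, ApiSecurityConfig and WebSecurityConfig are hypothetical. It scopes a stateless HTTP Basic chain to /api/** with antMatcher(String) and leaves a second, unscoped chain to catch everything else.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical outer class (added example); @EnableWebSecurity is itself a @Configuration.
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1, highest precedence: consulted only for /api/**. Without antMatcher()
    // this adapter would claim every request and chain 2 would never be reached.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .authorizeRequests()
                    .anyRequest().hasRole("USER")
                    .and()
                .httpBasic()
                    .and()
                .sessionManagement()
                    // Credentials arrive on every request; no session means no session fixation surface.
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                // Acceptable only because this chain issues no session cookie a browser could replay.
                .csrf().disable();
        }
    }

    // Chain 2, lowest precedence: every request chain 1 did not claim. It deliberately has
    // no matcher: a request matched by no chain at all passes through FilterChainProxy with
    // no security filters, so the last chain must be the catch-all.
    @Configuration
    @Order(2)
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```

Two points follow from the override semantics stated above. First, chaining .antMatcher("/api/**").antMatcher("/oauth/**") does not match both prefixes; the second call replaces the first, and covering several prefixes in one chain needs requestMatchers(). Second, a narrow matcher on the only chain (for example requestMatcher(new AntPathRequestMatcher("/admin/**", "GET"))) silently leaves every other request, and every other HTTP verb on /admin/**, outside Spring Security entirely, which is why the unscoped chain in the example is ordered last.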