public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity> implements SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity>

A HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration. It allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using requestMatcher(RequestMatcher) or other similar methods.

Example usage:

```java
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

See also: EnableWebSecurity
Modifier and Type | Class and Description
---|---
class | HttpSecurity.MvcMatchersRequestMatcherConfigurer: An extension to HttpSecurity.RequestMatcherConfigurer that allows optionally configuring the servlet path.
class | HttpSecurity.RequestMatcherConfigurer: Allows mapping HTTP requests that this HttpSecurity will be used for.

Constructor and Description
---
HttpSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, java.util.Map<java.lang.Class<?>,java.lang.Object> sharedObjects): Creates a new instance.
Modifier and Type | Method and Description
---|---
HttpSecurity | addFilter(javax.servlet.Filter filter): Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework.
HttpSecurity | addFilterAfter(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> afterFilter): Allows adding a Filter after one of the known Filter classes.
HttpSecurity | addFilterAt(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> atFilter): Adds the Filter at the location of the specified Filter class.
HttpSecurity | addFilterBefore(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> beforeFilter): Allows adding a Filter before one of the known Filter classes.
AnonymousConfigurer<HttpSecurity> | anonymous(): Allows configuring how an anonymous user is represented.
HttpSecurity | anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anonymousCustomizer): Allows configuring how an anonymous user is represented.
HttpSecurity | antMatcher(java.lang.String antPattern): Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern.
HttpSecurity | authenticationProvider(AuthenticationProvider authenticationProvider): Allows adding an additional AuthenticationProvider to be used.
ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry | authorizeRequests(): Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).
HttpSecurity | authorizeRequests(Customizer<ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer): Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).
protected void | beforeConfigure(): Invoked prior to invoking each SecurityConfigurer.configure(SecurityBuilder) method.
CorsConfigurer<HttpSecurity> | cors(): Adds a CorsFilter to be used.
HttpSecurity | cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer): Adds a CorsFilter to be used.
CsrfConfigurer<HttpSecurity> | csrf(): Adds CSRF support.
HttpSecurity | csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer): Adds CSRF support.
ExceptionHandlingConfigurer<HttpSecurity> | exceptionHandling(): Allows configuring exception handling.
HttpSecurity | exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer): Allows configuring exception handling.
FormLoginConfigurer<HttpSecurity> | formLogin(): Specifies to support form based authentication.
HttpSecurity | formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> formLoginCustomizer): Specifies to support form based authentication.
HeadersConfigurer<HttpSecurity> | headers(): Adds the Security headers to the response.
HttpSecurity | headers(Customizer<HeadersConfigurer<HttpSecurity>> headersCustomizer): Adds the Security headers to the response.
HttpBasicConfigurer<HttpSecurity> | httpBasic(): Configures HTTP Basic authentication.
HttpSecurity | httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> httpBasicCustomizer): Configures HTTP Basic authentication.
JeeConfigurer<HttpSecurity> | jee(): Configures container based pre authentication.
HttpSecurity | jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer): Configures container based pre authentication.
LogoutConfigurer<HttpSecurity> | logout(): Provides logout support.
HttpSecurity | logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer): Provides logout support.
HttpSecurity | mvcMatcher(java.lang.String mvcPattern): Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern.
OAuth2ClientConfigurer<HttpSecurity> | oauth2Client(): Configures OAuth 2.0 Client support.
HttpSecurity | oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>> oauth2ClientCustomizer): Configures OAuth 2.0 Client support.
OAuth2LoginConfigurer<HttpSecurity> | oauth2Login(): Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.
HttpSecurity | oauth2Login(Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginCustomizer): Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.
OAuth2ResourceServerConfigurer<HttpSecurity> | oauth2ResourceServer(): Configures OAuth 2.0 Resource Server support.
HttpSecurity | oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer): Configures OAuth 2.0 Resource Server support.
OpenIDLoginConfigurer<HttpSecurity> | openidLogin(): Allows configuring OpenID based authentication.
HttpSecurity | openidLogin(Customizer<OpenIDLoginConfigurer<HttpSecurity>> openidLoginCustomizer): Allows configuring OpenID based authentication.
protected DefaultSecurityFilterChain | performBuild(): Subclasses must implement this method to build the object that is being returned.
PortMapperConfigurer<HttpSecurity> | portMapper(): Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class).
HttpSecurity | portMapper(Customizer<PortMapperConfigurer<HttpSecurity>> portMapperCustomizer): Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class).
HttpSecurity | regexMatcher(java.lang.String pattern): Allows configuring the HttpSecurity to only be invoked when matching the provided regex pattern.
RememberMeConfigurer<HttpSecurity> | rememberMe(): Allows configuring of Remember Me authentication.
HttpSecurity | rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> rememberMeCustomizer): Allows configuring of Remember Me authentication.
RequestCacheConfigurer<HttpSecurity> | requestCache(): Allows configuring the Request Cache.
HttpSecurity | requestCache(Customizer<RequestCacheConfigurer<HttpSecurity>> requestCacheCustomizer): Allows configuring the Request Cache.
HttpSecurity | requestMatcher(RequestMatcher requestMatcher): Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher.
HttpSecurity.RequestMatcherConfigurer | requestMatchers(): Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on.
HttpSecurity | requestMatchers(Customizer<HttpSecurity.RequestMatcherConfigurer> requestMatcherCustomizer): Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on.
ChannelSecurityConfigurer.ChannelRequestMatcherRegistry | requiresChannel(): Configures channel security.
HttpSecurity | requiresChannel(Customizer<ChannelSecurityConfigurer.ChannelRequestMatcherRegistry> requiresChannelCustomizer): Configures channel security.
Saml2LoginConfigurer<HttpSecurity> | saml2Login(): Configures authentication support using a SAML 2.0 Service Provider.
HttpSecurity | saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> saml2LoginCustomizer): Configures authentication support using a SAML 2.0 Service Provider.
SecurityContextConfigurer<HttpSecurity> | securityContext(): Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequests.
HttpSecurity | securityContext(Customizer<SecurityContextConfigurer<HttpSecurity>> securityContextCustomizer): Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequests.
ServletApiConfigurer<HttpSecurity> | servletApi(): Integrates the HttpServletRequest methods with the values found on the SecurityContext.
HttpSecurity | servletApi(Customizer<ServletApiConfigurer<HttpSecurity>> servletApiCustomizer): Integrates the HttpServletRequest methods with the values found on the SecurityContext.
SessionManagementConfigurer<HttpSecurity> | sessionManagement(): Allows configuring of Session Management.
HttpSecurity | sessionManagement(Customizer<SessionManagementConfigurer<HttpSecurity>> sessionManagementCustomizer): Allows configuring of Session Management.
<C> void | setSharedObject(java.lang.Class<C> sharedType, C object): Sets an object that is shared by multiple SecurityConfigurer.
HttpSecurity | userDetailsService(UserDetailsService userDetailsService): Allows adding an additional UserDetailsService to be used.
X509Configurer<HttpSecurity> | x509(): Configures X509 based pre authentication.
HttpSecurity | x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer): Configures X509 based pre authentication.
Methods inherited from class AbstractConfiguredSecurityBuilder: apply, apply, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers

Methods inherited from class AbstractSecurityBuilder: build, getObject

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface HttpSecurityBuilder: getConfigurer, getSharedObject, removeConfigurer

Methods inherited from interface SecurityBuilder: build
public HttpSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, java.util.Map<java.lang.Class<?>,java.lang.Object> sharedObjects)

Creates a new instance.

Parameters:
- objectPostProcessor - the ObjectPostProcessor that should be used
- authenticationBuilder - the AuthenticationManagerBuilder to use for additional updates
- sharedObjects - the shared Objects to initialize the HttpSecurity with

See also: WebSecurityConfiguration
public OpenIDLoginConfigurer<HttpSecurity> openidLogin() throws java.lang.Exception

Allows configuring OpenID based authentication. Example configuration:

```java
@Configuration
@EnableWebSecurity
public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().openidLogin()
                .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                // the username must match the OpenID of the user you are
                // logging in with
                .withUser("https://www.google.com/accounts/o8/id?id=lmkCn9xzPdsxVwG7pjYMuDgNNdASFmobNkcRPaWU")
                .password("password").roles("USER");
    }
}
```

A more advanced example demonstrating the use of attribute exchange and a custom AuthenticationUserDetailsService that treats any user who authenticates as a valid user:

```java
@Configuration
@EnableWebSecurity
public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**")
                .hasRole("USER")
                .and()
            .openidLogin()
                .loginPage("/login")
                .permitAll()
                .authenticationUserDetailsService(new AutoProvisioningUserDetailsService())
                .attributeExchange("https://www.google.com/.*")
                    .attribute("email")
                        .type("https://axschema.org/contact/email")
                        .required(true)
                        .and()
                    .attribute("firstname")
                        .type("https://axschema.org/namePerson/first")
                        .required(true)
                        .and()
                    .attribute("lastname")
                        .type("https://axschema.org/namePerson/last")
                        .required(true)
                        .and()
                    .and()
                .attributeExchange(".*yahoo.com.*")
                    .attribute("email")
                        .type("https://schema.openid.net/contact/email")
                        .required(true)
                        .and()
                    .attribute("fullname")
                        .type("https://axschema.org/namePerson")
                        .required(true)
                        .and()
                    .and()
                .attributeExchange(".*myopenid.com.*")
                    .attribute("email")
                        .type("https://schema.openid.net/contact/email")
                        .required(true)
                        .and()
                    .attribute("fullname")
                        .type("https://schema.openid.net/namePerson")
                        .required(true);
    }
}

public class AutoProvisioningUserDetailsService
        implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> {

    public UserDetails loadUserDetails(OpenIDAuthenticationToken token) throws UsernameNotFoundException {
        return new User(token.getName(), "NOTUSED", AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
```

Returns: the OpenIDLoginConfigurer for further customizations
Throws: java.lang.Exception
See also: OpenIDLoginConfigurer
public HttpSecurity openidLogin(Customizer<OpenIDLoginConfigurer<HttpSecurity>> openidLoginCustomizer) throws java.lang.Exception

Allows configuring OpenID based authentication. Example configuration:

```java
@Configuration
@EnableWebSecurity
public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .antMatchers("/**").hasRole("USER")
            )
            .openidLogin(openidLogin -> openidLogin
                .permitAll()
            );
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                // the username must match the OpenID of the user you are
                // logging in with
                .withUser("https://www.google.com/accounts/o8/id?id=lmkCn9xzPdsxVwG7pjYMuDgNNdASFmobNkcRPaWU")
                .password("password").roles("USER");
    }
}
```

A more advanced example demonstrating the use of attribute exchange and a custom AuthenticationUserDetailsService that treats any user who authenticates as a valid user:

```java
@Configuration
@EnableWebSecurity
public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(authorizeRequests -> authorizeRequests
                .antMatchers("/**").hasRole("USER")
            )
            .openidLogin(openidLogin -> openidLogin
                .loginPage("/login")
                .permitAll()
                .authenticationUserDetailsService(new AutoProvisioningUserDetailsService())
                .attributeExchange(googleExchange -> googleExchange
                    .identifierPattern("https://www.google.com/.*")
                    .attribute(emailAttribute -> emailAttribute
                        .name("email")
                        .type("https://axschema.org/contact/email")
                        .required(true)
                    )
                    .attribute(firstnameAttribute -> firstnameAttribute
                        .name("firstname")
                        .type("https://axschema.org/namePerson/first")
                        .required(true)
                    )
                    .attribute(lastnameAttribute -> lastnameAttribute
                        .name("lastname")
                        .type("https://axschema.org/namePerson/last")
                        .required(true)
                    )
                )
                .attributeExchange(yahooExchange -> yahooExchange
                    .identifierPattern(".*yahoo.com.*")
                    .attribute(emailAttribute -> emailAttribute
                        .name("email")
                        .type("https://schema.openid.net/contact/email")
                        .required(true)
                    )
                    .attribute(fullnameAttribute -> fullnameAttribute
                        .name("fullname")
                        .type("https://axschema.org/namePerson")
                        .required(true)
                    )
                )
            );
    }
}

public class AutoProvisioningUserDetailsService
        implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> {

    public UserDetails loadUserDetails(OpenIDAuthenticationToken token) throws UsernameNotFoundException {
        return new User(token.getName(), "NOTUSED", AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
```

Parameters:
- openidLoginCustomizer - the Customizer to provide more options for the OpenIDLoginConfigurer

Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
See also: OpenIDLoginConfigurer
public HeadersConfigurer<HttpSecurity> headers() throws java.lang.Exception

Adds the Security headers to the response. This is activated by default when using WebSecurityConfigurerAdapter's default constructor. Accepting the default provided by WebSecurityConfigurerAdapter, or only invoking headers() without invoking additional methods on it, is the equivalent of:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .contentTypeOptions()
                .and()
                .xssProtection()
                .and()
                .cacheControl()
                .and()
                .httpStrictTransportSecurity()
                .and()
                .frameOptions()
                .and()
            ...;
    }
}
```

You can disable the headers using the following:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers().disable()
            ...;
    }
}
```

You can enable only a few of the headers by first invoking HeadersConfigurer.defaultsDisabled() and then invoking the appropriate methods on the headers() result. For example, the following will enable HeadersConfigurer.cacheControl() and HeadersConfigurer.frameOptions() only.

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .defaultsDisabled()
                .cacheControl()
                .and()
                .frameOptions()
                .and()
            ...;
    }
}
```

You can also choose to keep the defaults but explicitly disable a subset of headers. For example, the following will enable all the default headers except HeadersConfigurer.frameOptions().

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .frameOptions()
                    .disable()
                .and()
            ...;
    }
}
```

Returns: the HeadersConfigurer for further customizations
Throws: java.lang.Exception
See also: HeadersConfigurer
public HttpSecurity headers(Customizer<HeadersConfigurer<HttpSecurity>> headersCustomizer) throws java.lang.Exception

Adds the Security headers to the response. This is activated by default when using WebSecurityConfigurerAdapter's default constructor. Accepting the default provided by WebSecurityConfigurerAdapter, or only invoking headers() without invoking additional methods on it, is the equivalent of:

```java
// requires: import static org.springframework.security.config.Customizer.withDefaults;
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers(headers -> headers
                .contentTypeOptions(withDefaults())
                .xssProtection(withDefaults())
                .cacheControl(withDefaults())
                .httpStrictTransportSecurity(withDefaults())
                .frameOptions(withDefaults())
            );
    }
}
```

You can disable the headers using the following:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers(headers -> headers.disable());
    }
}
```

You can enable only a few of the headers by first invoking HeadersConfigurer.defaultsDisabled() and then invoking the appropriate methods on the headers() result. For example, the following will enable HeadersConfigurer.cacheControl() and HeadersConfigurer.frameOptions() only.

```java
// requires: import static org.springframework.security.config.Customizer.withDefaults;
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers(headers -> headers
                .defaultsDisabled()
                .cacheControl(withDefaults())
                .frameOptions(withDefaults())
            );
    }
}
```

You can also choose to keep the defaults but explicitly disable a subset of headers. For example, the following will enable all the default headers except HeadersConfigurer.frameOptions().

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers(headers -> headers
                .frameOptions(frameOptions -> frameOptions.disable())
            );
    }
}
```

Parameters:
- headersCustomizer - the Customizer to provide more options for the HeadersConfigurer

Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public CorsConfigurer<HttpSecurity> cors() throws java.lang.Exception

Adds a CorsFilter to be used. If a bean by the name of corsFilter is provided, that CorsFilter is used. Else if corsConfigurationSource is defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is on the classpath a HandlerMappingIntrospector is used.

Returns: the CorsConfigurer for customizations
Throws: java.lang.Exception
public HttpSecurity cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer) throws java.lang.Exception

Adds a CorsFilter to be used. If a bean by the name of corsFilter is provided, that CorsFilter is used. Else if corsConfigurationSource is defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is on the classpath a HandlerMappingIntrospector is used.

You can enable CORS using:

```java
// requires: import static org.springframework.security.config.Customizer.withDefaults;
@Configuration
@EnableWebSecurity
public class CorsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors(withDefaults());
    }
}
```

Parameters:
- corsCustomizer - the Customizer to provide more options for the CorsConfigurer

Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
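The lookup order above (corsFilter bean, then corsConfigurationSource bean, then the MVC introspector) is what decides which policy actually runs, and a too-permissive corsConfigurationSource is the usual way CORS goes wrong. The following is an added example, not code from the Spring Security Javadoc; the origin, paths and class name are assumptions. It supplies the corsConfigurationSource bean that cors() resolves and scopes it to a single origin on the API paths only.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class CorsSourceSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No "corsFilter" bean exists, so cors() falls through to the
            // "corsConfigurationSource" bean declared below. The CorsFilter sits ahead of the
            // authentication filters, so pre-flight OPTIONS requests are answered before any
            // credential check runs.
            .cors(withDefaults())
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .anyRequest().authenticated()
            )
            .httpBasic(withDefaults());
    }

    // The bean name is significant: HttpSecurity.cors() looks it up as "corsConfigurationSource".
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // An exact origin, not "*". Combined with allowCredentials(true) a wildcard would let
        // any site make credentialed calls; newer Spring versions reject that combination.
        config.setAllowedOrigins(List.of("https://app.example.com")); // assumed front-end origin
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(true);
        config.setMaxAge(3600L); // cache the pre-flight answer for one hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Only the API paths (assumed) get a cross-origin policy; everything else keeps the
        // browser's same-origin default because no CorsConfiguration matches it.
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```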
public SessionManagementConfigurer<HttpSecurity> sessionManagement() throws java.lang.Exception

Allows configuring of Session Management. Example configuration:

```java
@Configuration
@EnableWebSecurity
public class SessionManagementSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin()
                .permitAll().and().sessionManagement().maximumSessions(1)
                .expiredUrl("/login?expired");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

When using SessionManagementConfigurer.maximumSessions(int), do not forget to configure HttpSessionEventPublisher for the application to ensure that expired sessions are cleaned up. In a web.xml this can be configured using the following:

```xml
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```

Alternatively, AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher() could return true.

Returns: the SessionManagementConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity sessionManagement(Customizer<SessionManagementConfigurer<HttpSecurity>> sessionManagementCustomizer) throws java.lang.Exception

Allows configuring of Session Management. Example configuration:

```java
@Configuration
@EnableWebSecurity
public class SessionManagementSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .anyRequest().hasRole("USER")
            )
            .formLogin(formLogin -> formLogin
                .permitAll()
            )
            .sessionManagement(sessionManagement -> sessionManagement
                .sessionConcurrency(sessionConcurrency -> sessionConcurrency
                    .maximumSessions(1)
                    .expiredUrl("/login?expired")
                )
            );
    }
}
```

When using SessionManagementConfigurer.maximumSessions(int), do not forget to configure HttpSessionEventPublisher for the application to ensure that expired sessions are cleaned up. In a web.xml this can be configured using the following:

```xml
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```

Alternatively, AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher() could return true.

Parameters:
- sessionManagementCustomizer - the Customizer to provide more options for the SessionManagementConfigurer

Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
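The following is an added example, not code from the Spring Security Javadoc. It shows the two Java-config ways of registering the HttpSessionEventPublisher that the note above calls for (the initializer override the note mentions, and the bean form used where there is no web.xml and no initializer, for instance in a Spring Boot application), together with maxSessionsPreventsLogin(true), the other concurrency policy beyond the expiredUrl variant shown on the page. Class names are assumptions; use one of the two registration methods, not both.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Option 1 (Servlet 3 initializer, no web.xml): equivalent of the <listener> element above.
// Returning true makes the initializer register HttpSessionEventPublisher next to
// springSecurityFilterChain.
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected boolean enableHttpSessionEventPublisher() {
        return true;
    }
}

@Configuration
@EnableWebSecurity
public class ConcurrencySecurityConfig extends WebSecurityConfigurerAdapter {

    // Option 2 (Spring Boot): Boot registers HttpSessionListener beans with the embedded
    // container, so declaring the publisher as a bean has the same effect as option 1.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .anyRequest().hasRole("USER")
            )
            .formLogin(formLogin -> formLogin
                .permitAll()
            )
            .sessionManagement(sessionManagement -> sessionManagement
                .sessionConcurrency(sessionConcurrency -> sessionConcurrency
                    .maximumSessions(1)
                    // Reject the second login rather than expiring the first session.
                    // Without the publisher, SessionRegistryImpl is never told that the
                    // container expired the first session, still counts it, and the user
                    // is locked out of logging in again until the stale entry is removed.
                    .maxSessionsPreventsLogin(true)
                )
            );
    }
}
```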
public PortMapperConfigurer<HttpSecurity> portMapper() throws java.lang.Exception

Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). Other provided SecurityConfigurer objects use this configured PortMapper as a default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to HTTP (for example when used in combination with requiresChannel()). By default Spring Security uses a PortMapperImpl which maps the HTTP port 8080 to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.

```java
@Configuration
@EnableWebSecurity
public class PortMapperSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
                .permitAll().and()
                // Example portMapper() configuration
                .portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```

Returns: the PortMapperConfigurer for further customizations
Throws: java.lang.Exception
See also: requiresChannel()
public HttpSecurity portMapper(Customizer<PortMapperConfigurer<HttpSecurity>> portMapperCustomizer) throws java.lang.Exception

Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). Other provided SecurityConfigurer objects use this configured PortMapper as a default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to HTTP (for example when used in combination with requiresChannel()). By default Spring Security uses a PortMapperImpl which maps the HTTP port 8080 to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.

```java
@Configuration
@EnableWebSecurity
public class PortMapperSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requiresChannel(requiresChannel -> requiresChannel
                .anyRequest().requiresSecure()
            )
            .portMapper(portMapper -> portMapper
                .http(9090).mapsTo(9443)
                .http(80).mapsTo(443)
            );
    }
}
```

Parameters:
- portMapperCustomizer - the Customizer to provide more options for the PortMapperConfigurer

Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
See also: requiresChannel()
public JeeConfigurer<HttpSecurity> jee() throws java.lang.Exception

Configures container based pre authentication. The following configuration uses the principal found on the HttpServletRequest and, if the user is in the role "ROLE_USER" or "ROLE_ADMIN", adds that role to the resulting Authentication.

```java
@Configuration
@EnableWebSecurity
public class JeeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and()
                // Example jee() configuration
                .jee().mappableRoles("USER", "ADMIN");
    }
}
```

Developers wishing to use pre authentication with the container will need to ensure their web.xml configures the security constraints. For example, the web.xml (there is no equivalent Java based configuration supported by the Servlet specification) might look like:

```xml
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login?error</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>ROLE_USER</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <description>Matches unconstrained pages</description>
        <url-pattern>/login</url-pattern>
        <url-pattern>/logout</url-pattern>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Areas</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
</security-constraint>
```

Last, you will need to configure your container with the users and their roles. This configuration is specific to the Servlet Container, so consult your Servlet Container's documentation.

Returns: the JeeConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer) throws java.lang.Exception

Configures container based pre authentication. The following configuration uses the principal found on the HttpServletRequest and, if the user is in the role "ROLE_USER" or "ROLE_ADMIN", adds that role to the resulting Authentication.

```java
@Configuration
@EnableWebSecurity
public class JeeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .antMatchers("/**").hasRole("USER")
            )
            .jee(jee -> jee
                .mappableRoles("USER", "ADMIN")
            );
    }
}
```

Developers wishing to use pre authentication with the container will need to ensure their web.xml configures the security constraints. For example, the web.xml (there is no equivalent Java based configuration supported by the Servlet specification) might look like:

```xml
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login?error</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>ROLE_USER</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <description>Matches unconstrained pages</description>
        <url-pattern>/login</url-pattern>
        <url-pattern>/logout</url-pattern>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Areas</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
</security-constraint>
```

Last, you will need to configure your container with the users and their roles. This configuration is specific to the Servlet Container, so consult your Servlet Container's documentation.

Parameters:
- jeeCustomizer - the Customizer to provide more options for the JeeConfigurer

Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public X509Configurer<HttpSecurity> x509() throws java.lang.Exception

Configures X509 based pre authentication. Example configuration:

```java
@Configuration
@EnableWebSecurity
public class X509SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and()
                // Example x509() configuration
                .x509();
    }
}
```

Returns: the X509Configurer for further customizations
Throws: java.lang.Exception
public HttpSecurity x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer) throws java.lang.Exception

Configures X509 based pre authentication. Example configuration:

```java
// requires: import static org.springframework.security.config.Customizer.withDefaults;
@Configuration
@EnableWebSecurity
public class X509SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .antMatchers("/**").hasRole("USER")
            )
            .x509(withDefaults());
    }
}
```

Parameters:
- x509Customizer - the Customizer to provide more options for the X509Configurer

Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
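With x509(withDefaults()) a client certificate the Servlet Container has already validated only establishes who the caller is; which authorities that caller gets still comes from a UserDetailsService lookup. The following is an added example, not code from the Spring Security Javadoc, showing that lookup wired in so that an unknown subject is rejected rather than silently admitted; the certificate CN values and class name are assumptions. It presumes the Servlet Container is configured to request client certificates, otherwise x509() never sees a certificate.

```java
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
@EnableWebSecurity
public class X509MappedSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed allow-list: certificate subject CN -> application roles. In practice this
    // would be a directory or database lookup keyed on the CN your PKI guarantees is unique.
    private static final Map<String, List<String>> CERT_SUBJECTS = Map.of(
            "alice", List.of("ROLE_USER"),
            "batch-importer", List.of("ROLE_USER", "ROLE_ADMIN"));

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().hasRole("USER")
            )
            .x509(x509 -> x509
                // Same as the default: the principal is the first CN of the certificate subject.
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                // Authorities come from here, never from the certificate itself.
                .userDetailsService(certificateUserDetailsService())
            );
    }

    private UserDetailsService certificateUserDetailsService() {
        return cn -> {
            List<String> roles = CERT_SUBJECTS.get(cn);
            if (roles == null) {
                // A valid, trusted certificate whose subject is not provisioned ends here,
                // which the filter turns into an authentication failure (HTTP 403 by default).
                throw new UsernameNotFoundException("no application user for certificate CN " + cn);
            }
            // The password is unused: authentication already happened in the TLS handshake.
            return new User(cn, "NOTUSED", AuthorityUtils.createAuthorityList(roles.toArray(new String[0])));
        };
    }
}
```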
public RememberMeConfigurer<HttpSecurity> rememberMe() throws java.lang.Exception

Allows configuring of Remember Me authentication. The following configuration demonstrates remember me authentication, where an authenticated user who opts in is remembered even after their HttpSession expires.

```java
@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
                .permitAll().and()
                // Example Remember Me Configuration
                .rememberMe();
    }
}
```

Returns: the RememberMeConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> rememberMeCustomizer) throws java.lang.Exception

Allows configuring of Remember Me authentication. The following configuration demonstrates remember me authentication, where an authenticated user who opts in is remembered even after their HttpSession expires.

```java
// requires: import static org.springframework.security.config.Customizer.withDefaults;
@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .antMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults())
            .rememberMe(withDefaults());
    }
}
```

Parameters:
- rememberMeCustomizer - the Customizer to provide more options for the RememberMeConfigurer

Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry authorizeRequests() throws java.lang.Exception
HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
            .and().withUser("admin").password("password").roles("ADMIN", "USER");
    }
}
We can also configure multiple URLs. The configuration below requires authentication for every URL and grants access to URLs starting with /admin/ only to the "admin" user; either user can access all other URLs.
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER").and().formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
            .and().withUser("admin").password("password").roles("ADMIN", "USER");
    }
}
Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and the second mapping is never reached:
http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**")
        .hasRole("ADMIN")
Returns: the ExpressionUrlAuthorizationConfigurer for further customizations
Throws: java.lang.Exception
See Also: requestMatcher(RequestMatcher)
public HttpSecurity authorizeRequests(Customizer<ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer) throws java.lang.Exception
HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults());
    }
}
We can also configure multiple URLs. The configuration below requires authentication for every URL and grants access to URLs starting with /admin/ only to the "admin" user; either user can access all other URLs.
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .antMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults());
    }
}
Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and the second mapping is never reached:
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
                    .antMatchers("/admin/**").hasRole("ADMIN")
            );
    }
}
Parameters: authorizeRequestsCustomizer - the Customizer to provide more options for the ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
See Also: requestMatcher(RequestMatcher)
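As an added example that is not part of this Javadoc, and that covers both authorizeRequests() variants above, the following configuration applies the ordering rule the note about matchers implies: the most specific rules first, an anyRequest() fallback last, so every request ends up at a deliberate decision. The paths and role names are assumed for illustration, and Spring Security 5.2 or later with the Customizer DSL is assumed on the classpath.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example, not from the Spring Security Javadoc. Paths and roles are
 * illustrative; the point is the order of the rules.
 */
@Configuration
@EnableWebSecurity
public class OrderedAuthorizationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    // 1. Narrow, public exceptions first: static assets and a health
                    //    probe. Listed explicitly rather than hidden in a broad pattern.
                    .antMatchers("/css/**", "/js/**", "/actuator/health").permitAll()
                    // 2. The privileged area, split by HTTP method. The GET rule must
                    //    precede the general /admin/** rule, otherwise the general rule
                    //    would consume every request (as in the invalid example above).
                    .antMatchers(HttpMethod.GET, "/admin/**").hasRole("ADMIN")
                    .antMatchers("/admin/**").hasRole("SUPER_ADMIN")
                    // 3. Fallback: anything not matched so far still requires a login.
                    //    anyRequest() has to be the final rule, since nothing after it
                    //    could ever be reached.
                    .anyRequest().authenticated()
            )
            .formLogin(withDefaults());
    }
}
```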
public RequestCacheConfigurer<HttpSecurity> requestCache() throws java.lang.Exception
WebSecurityConfigurerAdapter.
Returns: the RequestCacheConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity requestCache(Customizer<RequestCacheConfigurer<HttpSecurity>> requestCacheCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter.
@Configuration
@EnableWebSecurity
public class RequestCacheDisabledSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .requestCache(requestCache ->
                requestCache.disable()
            );
    }
}
Parameters: requestCacheCustomizer - the Customizer to provide more options for the RequestCacheConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling() throws java.lang.Exception
WebSecurityConfigurerAdapter.
Returns: the ExceptionHandlingConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter.
@Configuration
@EnableWebSecurity
public class ExceptionHandlingSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            // sample exception handling customization
            .exceptionHandling(exceptionHandling ->
                exceptionHandling
                    .accessDeniedPage("/errors/access-denied")
            );
    }
}
Parameters: exceptionHandlingCustomizer - the Customizer to provide more options for the ExceptionHandlingConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public SecurityContextConfigurer<HttpSecurity> securityContext() throws java.lang.Exception
SecurityContext on the SecurityContextHolder between HttpServletRequest's. This is automatically applied when using WebSecurityConfigurerAdapter.
Returns: the SecurityContextConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity securityContext(Customizer<SecurityContextConfigurer<HttpSecurity>> securityContextCustomizer) throws java.lang.Exception
SecurityContext on the SecurityContextHolder between HttpServletRequest's. This is automatically applied when using WebSecurityConfigurerAdapter.
The following customization specifies the shared SecurityContextRepository
@Configuration
@EnableWebSecurity
public class SecurityContextSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .securityContext(securityContext ->
                securityContext
                    .securityContextRepository(SCR) // SCR: the shared SecurityContextRepository instance
            );
    }
}
Parameters: securityContextCustomizer - the Customizer to provide more options for the SecurityContextConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public ServletApiConfigurer<HttpSecurity> servletApi() throws java.lang.Exception
HttpServletRequest methods with the values found on the SecurityContext. This is automatically applied when using WebSecurityConfigurerAdapter.
Returns: the ServletApiConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity servletApi(Customizer<ServletApiConfigurer<HttpSecurity>> servletApiCustomizer) throws java.lang.Exception
HttpServletRequest methods with the values found on the SecurityContext. This is automatically applied when using WebSecurityConfigurerAdapter. You can disable it using:
@Configuration
@EnableWebSecurity
public class ServletApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .servletApi(servletApi ->
                servletApi.disable()
            );
    }
}
Parameters: servletApiCustomizer - the Customizer to provide more options for the ServletApiConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public CsrfConfigurer<HttpSecurity> csrf() throws java.lang.Exception
WebSecurityConfigurerAdapter's default constructor. You can disable it using:
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            ...;
    }
}
Returns: the CsrfConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter's default constructor. You can disable it using:
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable());
    }
}
Parameters: csrfCustomizer - the Customizer to provide more options for the CsrfConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
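Both csrf() variants above show how to switch the protection off. As an added example that is not part of this Javadoc, the configuration below shows the alternative a session-based application usually wants instead: keep CSRF enabled, expose the token to a JavaScript front end, and exempt only endpoints that do not rely on the session. The /webhooks/** path is an assumed placeholder; Spring Security 5.2 or later with the Customizer DSL is assumed.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/**
 * Added example, not from the Spring Security Javadoc: narrow the CSRF exemption
 * instead of disabling the protection for the whole application.
 */
@Configuration
@EnableWebSecurity
public class CsrfHardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests.anyRequest().authenticated()
            )
            .csrf(csrf -> csrf
                // Protection stays on for every session-authenticated, state-changing
                // request. The token is stored in a cookie that JavaScript may read
                // (XSRF-TOKEN), so a browser client can echo it back in the
                // X-XSRF-TOKEN header on POST/PUT/DELETE calls.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Exempt only endpoints that never use the browser session, such as a
                // callback receiver that authenticates each request on its own
                // (assumed path). Everything else keeps the check.
                .ignoringAntMatchers("/webhooks/**")
            )
            .formLogin(withDefaults());
    }
}
```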
public LogoutConfigurer<HttpSecurity> logout() throws java.lang.Exception
WebSecurityConfigurerAdapter. The default is that accessing the URL "/logout" will log the user out by invalidating the HTTP Session, cleaning up any rememberMe() authentication that was configured, clearing the SecurityContextHolder, and then redirect to "/login?success".
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
            .and()
            // sample logout customization
            .logout().deleteCookies("remove").invalidateHttpSession(false)
            .logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
Returns: the LogoutConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter. The default is that accessing the URL "/logout" will log the user out by invalidating the HTTP Session, cleaning up any rememberMe() authentication that was configured, clearing the SecurityContextHolder, and then redirect to "/login?success".
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults())
            // sample logout customization
            .logout(logout ->
                logout.deleteCookies("remove")
                    .invalidateHttpSession(false)
                    .logoutUrl("/custom-logout")
                    .logoutSuccessUrl("/logout-success")
            );
    }
}
Parameters: logoutCustomizer - the Customizer to provide more options for the LogoutConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public AnonymousConfigurer<HttpSecurity> anonymous() throws java.lang.Exception
WebSecurityConfigurerAdapter. By default anonymous users will be represented with an AnonymousAuthenticationToken and contain the role "ROLE_ANONYMOUS".
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .formLogin()
                .and()
            // sample anonymous customization
            .anonymous().authorities("ROLE_ANON");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
The following demonstrates how to represent anonymous users as null. Note that this can cause NullPointerException in code that assumes anonymous authentication is enabled.
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .formLogin()
                .and()
            // sample anonymous customization
            .anonymous().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
Returns: the AnonymousConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anonymousCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter. By default anonymous users will be represented with an AnonymousAuthenticationToken and contain the role "ROLE_ANONYMOUS".
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults())
            // sample anonymous customization
            .anonymous(anonymous ->
                anonymous
                    .authorities("ROLE_ANON")
            );
    }
}
The following demonstrates how to represent anonymous users as null. Note that this can cause NullPointerException in code that assumes anonymous authentication is enabled.
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults())
            // sample anonymous customization
            .anonymous(anonymous ->
                anonymous.disable()
            );
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
Parameters: anonymousCustomizer - the Customizer to provide more options for the AnonymousConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public FormLoginConfigurer<HttpSecurity> formLogin() throws java.lang.Exception
FormLoginConfigurer.loginPage(String) is not specified a default login page will be generated.
FormLoginConfigurer.loginPage(String)
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
The configuration below demonstrates customizing the defaults.
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
            .usernameParameter("username") // default is username
            .passwordParameter("password") // default is password
            .loginPage("/authentication/login") // default is /login with an HTTP get
            .failureUrl("/authentication/login?failed") // default is /login?error
            .loginProcessingUrl("/authentication/login/process"); // default is /login with an HTTP post
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
Returns: the FormLoginConfigurer for further customizations
Throws: java.lang.Exception
See Also: FormLoginConfigurer.loginPage(String)
public HttpSecurity formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> formLoginCustomizer) throws java.lang.Exception
FormLoginConfigurer.loginPage(String) is not specified a default login page will be generated.
FormLoginConfigurer.loginPage(String)
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults());
    }
}
The configuration below demonstrates customizing the defaults.
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .formLogin(formLogin ->
                formLogin
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .loginPage("/authentication/login")
                    .failureUrl("/authentication/login?failed")
                    .loginProcessingUrl("/authentication/login/process")
            );
    }
}
Parameters: formLoginCustomizer - the Customizer to provide more options for the FormLoginConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
See Also: FormLoginConfigurer.loginPage(String)
public Saml2LoginConfigurer<HttpSecurity> saml2Login() throws java.lang.Exception
RelyingPartyRegistration. RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login().relyingPartyRegistrationRepository(..).
"/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the identity providers with a link that is capable of initiating the "authentication flow".
@Configuration
public class Saml2LoginConfig {

    @EnableWebSecurity
    public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .saml2Login();
        }
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
    }

    private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
        // remote IDP entity ID
        String idpEntityId = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php";
        // remote WebSSO Endpoint - Where to Send AuthNRequests to
        String webSsoEndpoint = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SSOService.php";
        // local registration ID
        String registrationId = "simplesamlphp";
        // local entity ID - autogenerated based on URL
        String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        // local signing (and decryption key); getSigningCredential() is not shown here
        Saml2X509Credential signingCredential = getSigningCredential();
        // IDP certificate for verification of incoming messages; getVerificationCertificate() is not shown here
        Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .remoteIdpEntityId(idpEntityId)
                .idpWebSsoUrl(webSsoEndpoint)
                .credential(signingCredential)
                .credential(idpVerificationCertificate)
                .localEntityIdTemplate(localEntityIdTemplate)
                .build();
    }
}
Returns: the Saml2LoginConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> saml2LoginCustomizer) throws java.lang.Exception
RelyingPartyRegistration. RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login().relyingPartyRegistrationRepository(..).
"/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the identity providers with a link that is capable of initiating the "authentication flow".
@Configuration
public class Saml2LoginConfig {

    @EnableWebSecurity
    public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .saml2Login(withDefaults());
        }
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
    }

    private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
        // remote IDP entity ID
        String idpEntityId = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php";
        // remote WebSSO Endpoint - Where to Send AuthNRequests to
        String webSsoEndpoint = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SSOService.php";
        // local registration ID
        String registrationId = "simplesamlphp";
        // local entity ID - autogenerated based on URL
        String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        // local signing (and decryption key); getSigningCredential() is not shown here
        Saml2X509Credential signingCredential = getSigningCredential();
        // IDP certificate for verification of incoming messages; getVerificationCertificate() is not shown here
        Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .remoteIdpEntityId(idpEntityId)
                .idpWebSsoUrl(webSsoEndpoint)
                .credential(signingCredential)
                .credential(idpVerificationCertificate)
                .localEntityIdTemplate(localEntityIdTemplate)
                .build();
    }
}
Parameters: saml2LoginCustomizer - the Customizer to provide more options for the Saml2LoginConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public OAuth2LoginConfigurer<HttpSecurity> oauth2Login() throws java.lang.Exception
ClientRegistration using a ClientRegistration.Builder. ClientRegistration(s) are composed within a ClientRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via oauth2Login().clientRegistrationRepository(..).
"/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the clients with a link that is capable of initiating the "authentication flow".
@Configuration
public class OAuth2LoginConfig {

    @EnableWebSecurity
    public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .oauth2Login();
        }
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
    }

    private ClientRegistration googleClientRegistration() {
        return ClientRegistration.withRegistrationId("google")
                .clientId("google-client-id")
                .clientSecret("google-client-secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "profile", "email", "address", "phone")
                .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
                .tokenUri("https://www.googleapis.com/oauth2/v4/token")
                .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
                .userNameAttributeName(IdTokenClaimNames.SUB)
                .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
                .clientName("Google")
                .build();
    }
}
For more advanced configuration, see OAuth2LoginConfigurer for available options to customize the defaults.
Returns: the OAuth2LoginConfigurer for further customizations
Throws: java.lang.Exception
See Also: ClientRegistration, ClientRegistrationRepository
public HttpSecurity oauth2Login(Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginCustomizer) throws java.lang.Exception
ClientRegistration using a ClientRegistration.Builder. ClientRegistration(s) are composed within a ClientRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via oauth2Login().clientRegistrationRepository(..).
"/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the clients with a link that is capable of initiating the "authentication flow".
@Configuration
public class OAuth2LoginConfig {

    @EnableWebSecurity
    public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests(authorizeRequests ->
                    authorizeRequests
                        .anyRequest().authenticated()
                )
                .oauth2Login(withDefaults());
        }
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
    }

    private ClientRegistration googleClientRegistration() {
        return ClientRegistration.withRegistrationId("google")
                .clientId("google-client-id")
                .clientSecret("google-client-secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "profile", "email", "address", "phone")
                .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
                .tokenUri("https://www.googleapis.com/oauth2/v4/token")
                .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
                .userNameAttributeName(IdTokenClaimNames.SUB)
                .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
                .clientName("Google")
                .build();
    }
}
For more advanced configuration, see OAuth2LoginConfigurer for available options to customize the defaults.
Parameters: oauth2LoginCustomizer - the Customizer to provide more options for the OAuth2LoginConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
See Also: ClientRegistration, ClientRegistrationRepository
public OAuth2ClientConfigurer<HttpSecurity> oauth2Client() throws java.lang.Exception
Returns: the OAuth2ClientConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>> oauth2ClientCustomizer) throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .anyRequest().authenticated()
            )
            .oauth2Client(withDefaults());
    }
}
Parameters: oauth2ClientCustomizer - the Customizer to provide more options for the OAuth2ClientConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public OAuth2ResourceServerConfigurer<HttpSecurity> oauth2ResourceServer() throws java.lang.Exception
Returns: the OAuth2ResourceServerConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer) throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${spring.security.oauth2.resourceserver.jwt.key-value}")
    RSAPublicKey key;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2ResourceServer ->
                oauth2ResourceServer
                    .jwt(jwt ->
                        jwt
                            .decoder(jwtDecoder())
                    )
            );
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withPublicKey(this.key).build();
    }
}
Parameters: oauth2ResourceServerCustomizer - the Customizer to provide more options for the OAuth2ResourceServerConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
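The decoder built with NimbusJwtDecoder.withPublicKey(...) above verifies the signature and, through its default validator, the time-based claims, but it accepts a token minted for any other API that the same issuer signs. As an added example that is not part of this Javadoc, the following configuration keeps that decoder and adds an audience check so only tokens issued for this resource server are accepted. The audience value "orders-api" is assumed for illustration; the property name is the one the page's example reads.

```java
import java.security.interfaces.RSAPublicKey;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/**
 * Added example, not from the Spring Security Javadoc: a resource server that
 * rejects JWTs whose aud claim does not name this service.
 */
@Configuration
@EnableWebSecurity
public class AudienceCheckingResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Same property as the page's example; the key material comes from the deployment.
    @Value("${spring.security.oauth2.resourceserver.jwt.key-value}")
    RSAPublicKey key;

    // The audience this server expects in every token (assumed value).
    static final String EXPECTED_AUDIENCE = "orders-api";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests.anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2ResourceServer ->
                oauth2ResourceServer
                    .jwt(jwt -> jwt.decoder(jwtDecoder()))
            );
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(this.key).build();
        // Replace the decoder's default validator with the default checks (exp, nbf)
        // plus the audience check, so neither is lost.
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefault(), audienceValidator(EXPECTED_AUDIENCE));
        decoder.setJwtValidator(withAudience);
        return decoder;
    }

    /**
     * Fails validation unless the token's aud claim lists the expected audience,
     * which stops a token issued for a different API from being replayed here.
     */
    static OAuth2TokenValidator<Jwt> audienceValidator(String expected) {
        return jwt -> jwt.getAudience() != null && jwt.getAudience().contains(expected)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                        new OAuth2Error("invalid_token", "The required audience is missing", null));
    }
}
```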
public ChannelSecurityConfigurer.ChannelRequestMatcherRegistry requiresChannel() throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
            .and().requiresChannel().anyRequest().requiresSecure();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
Returns: the ChannelSecurityConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity requiresChannel(Customizer<ChannelSecurityConfigurer.ChannelRequestMatcherRegistry> requiresChannelCustomizer) throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults())
            .requiresChannel(requiresChannel ->
                requiresChannel
                    .anyRequest().requiresSecure()
            );
    }
}
Parameters: requiresChannelCustomizer - the Customizer to provide more options for the ChannelSecurityConfigurer.ChannelRequestMatcherRegistry
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public HttpBasicConfigurer<HttpSecurity> httpBasic() throws java.lang.Exception
HttpBasicConfigurer.realmName(String).
@Configuration
@EnableWebSecurity
public class HttpBasicSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
Returns: the HttpBasicConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> httpBasicCustomizer) throws java.lang.Exception
HttpBasicConfigurer.realmName(String).
@Configuration
@EnableWebSecurity
public class HttpBasicSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .httpBasic(withDefaults());
    }
}
Parameters: httpBasicCustomizer - the Customizer to provide more options for the HttpBasicConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public <C> void setSharedObject(java.lang.Class<C> sharedType, C object)
Description copied from class: AbstractConfiguredSecurityBuilder
SecurityConfigurer.
Specified by: setSharedObject in interface HttpSecurityBuilder<HttpSecurity>
Overrides: setSharedObject in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
Parameters: sharedType - the Class to key the shared object by. object - the Object to store
protected void beforeConfigure() throws java.lang.Exception
Description copied from class: AbstractConfiguredSecurityBuilder
SecurityConfigurer.configure(SecurityBuilder) method. Subclasses may override this method to hook into the lifecycle without using a SecurityConfigurer.
Overrides: beforeConfigure in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
Throws: java.lang.Exception
protected DefaultSecurityFilterChain performBuild()
Description copied from class: AbstractConfiguredSecurityBuilder
Specified by: performBuild in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
public HttpSecurity authenticationProvider(AuthenticationProvider authenticationProvider)
Description copied from interface: HttpSecurityBuilder
AuthenticationProvider to be used
Specified by: authenticationProvider in interface HttpSecurityBuilder<HttpSecurity>
Parameters: authenticationProvider - the AuthenticationProvider to be added
Returns: the HttpSecurity for further customizations
public HttpSecurity userDetailsService(UserDetailsService userDetailsService) throws java.lang.Exception
Description copied from interface: HttpSecurityBuilder
UserDetailsService to be used
Specified by: userDetailsService in interface HttpSecurityBuilder<HttpSecurity>
Parameters: userDetailsService - the UserDetailsService to be added
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public HttpSecurity addFilterAfter(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> afterFilter)

Description copied from interface: HttpSecurityBuilder
Allows adding a Filter after one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).

Specified by:
    addFilterAfter in interface HttpSecurityBuilder<HttpSecurity>
Parameters:
    filter - the Filter to register after the type afterFilter
    afterFilter - the Class of the known Filter.
Returns:
    the HttpSecurity for further customizations
public HttpSecurity addFilterBefore(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> beforeFilter)

Description copied from interface: HttpSecurityBuilder
Allows adding a Filter before one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).

Specified by:
    addFilterBefore in interface HttpSecurityBuilder<HttpSecurity>
Parameters:
    filter - the Filter to register before the type beforeFilter
    beforeFilter - the Class of the known Filter.
Returns:
    the HttpSecurity for further customizations
public HttpSecurity addFilter(javax.servlet.Filter filter)

Description copied from interface: HttpSecurityBuilder
Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework. The method ensures that the ordering of the Filters is automatically taken care of.

The ordering of the Filters is:

    ChannelProcessingFilter
    ConcurrentSessionFilter
    SecurityContextPersistenceFilter
    LogoutFilter
    X509AuthenticationFilter
    AbstractPreAuthenticatedProcessingFilter
    UsernamePasswordAuthenticationFilter
    ConcurrentSessionFilter
    OpenIDAuthenticationFilter
    DefaultLoginPageGeneratingFilter
    DefaultLogoutPageGeneratingFilter
    ConcurrentSessionFilter
    DigestAuthenticationFilter
    BearerTokenAuthenticationFilter
    BasicAuthenticationFilter
    RequestCacheAwareFilter
    SecurityContextHolderAwareRequestFilter
    JaasApiIntegrationFilter
    RememberMeAuthenticationFilter
    AnonymousAuthenticationFilter
    SessionManagementFilter
    ExceptionTranslationFilter
    FilterSecurityInterceptor
    SwitchUserFilter

A Filter whose class is not in this list has no registered order, and passing it to addFilter(Filter) fails with an IllegalArgumentException. Custom filters must therefore be positioned explicitly with addFilterBefore(Filter, Class), addFilterAfter(Filter, Class) or addFilterAt(Filter, Class).

Specified by:
    addFilter in interface HttpSecurityBuilder<HttpSecurity>
Parameters:
    filter - the Filter to add
Returns:
    the HttpSecurity for further customizations
public HttpSecurity addFilterAt(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> atFilter)

Adds the Filter at the location of the specified Filter class. For example, if you want the filter CustomFilter to be registered in the same position as UsernamePasswordAuthenticationFilter, you can invoke:

    addFilterAt(new CustomFilter(), UsernamePasswordAuthenticationFilter.class)

Registration of multiple Filters in the same location means their ordering is not deterministic. More concretely, registering multiple Filters in the same location does not override existing Filters. Instead, do not register Filters you do not want to use.

Parameters:
    filter - the Filter to register
    atFilter - the location of another Filter that is already registered (i.e. known) with Spring Security.
Returns:
    the HttpSecurity for further customizations
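The following configuration is an added example (not part of this Javadoc or of Spring Security) of positioning a custom filter with addFilterBefore(Filter, Class). The filter, the X-Api-Key header, the ROLE_API authority and the demo key are constructed for the example; the point is where in the chain from addFilter(Filter) the filter lands and why that position matters.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class ApiKeyFilterSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed demo secret; a real deployment loads it from a secret store.
    private static final byte[] EXPECTED_KEY =
            "demo-api-key-not-for-production".getBytes(StandardCharsets.UTF_8);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")
            // ApiKeyAuthenticationFilter is not in the ordered list of addFilter(Filter), so it
            // must be positioned explicitly. "Before UsernamePasswordAuthenticationFilter" means
            // after SecurityContextPersistenceFilter (the SecurityContext exists to be populated)
            // and before FilterSecurityInterceptor (which enforces the rules below).
            .addFilterBefore(new ApiKeyAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .anyRequest().hasRole("API")
                .and()
            // Header-authenticated, stateless API: no session, hence no CSRF token to check.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    /** Authenticates a request that carries the expected X-Api-Key header. */
    static final class ApiKeyAuthenticationFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain chain) throws ServletException, IOException {
            String presented = request.getHeader("X-Api-Key");
            // MessageDigest.isEqual compares in constant time for equal-length inputs,
            // unlike String.equals, which returns at the first differing byte.
            if (presented != null
                    && MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), EXPECTED_KEY)) {
                // The three-argument constructor produces an already-authenticated token.
                UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                        "api-client", null, AuthorityUtils.createAuthorityList("ROLE_API"));
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
            // Missing or wrong key: leave the context empty. AnonymousAuthenticationFilter then
            // supplies an anonymous principal and FilterSecurityInterceptor rejects the request.
            chain.doFilter(request, response);
        }
    }
}
```

Two things to keep in mind. First, addFilterAt(new ApiKeyAuthenticationFilter(), BasicAuthenticationFilter.class) would place the filter in the same slot as any BasicAuthenticationFilter that httpBasic() registers, not replace it, and the order between the two would be undefined. Second, this chain is restricted to /api/**; requests outside that prefix are not handled by this HttpSecurity and need a further security filter chain if they are to be protected.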
public HttpSecurity.RequestMatcherConfigurer requestMatchers()

Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using mvcMatcher(String), antMatcher(String), regexMatcher(String), or requestMatcher(RequestMatcher).

Invoking requestMatchers() will not override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

Example Configurations

The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/".

    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/api/**", "/oauth/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/**").hasRole("USER")
                    .and()
                .httpBasic();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                    // {noop} selects the plain-text encoder of the default DelegatingPasswordEncoder
                    .withUser("user").password("{noop}password").roles("USER");
        }
    }

The configuration below is the same as the previous configuration.

    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/api/**")
                    .antMatchers("/oauth/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/**").hasRole("USER")
                    .and()
                .httpBasic();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("{noop}password").roles("USER");
        }
    }

The configuration below is also the same as the above configuration.

    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/api/**")
                    .and()
                .requestMatchers()
                    .antMatchers("/oauth/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/**").hasRole("USER")
                    .and()
                .httpBasic();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("{noop}password").roles("USER");
        }
    }

Returns:
    the HttpSecurity.RequestMatcherConfigurer for further customizations
public HttpSecurity requestMatchers(Customizer<HttpSecurity.RequestMatcherConfigurer> requestMatcherCustomizer)

Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using mvcMatcher(String), antMatcher(String), regexMatcher(String), or requestMatcher(RequestMatcher).

Invoking requestMatchers() will not override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

Example Configurations

The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/".

    import static org.springframework.security.config.Customizer.withDefaults;

    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers(requestMatchers -> requestMatchers
                    .antMatchers("/api/**", "/oauth/**")
                )
                .authorizeRequests(authorizeRequests -> authorizeRequests
                    .antMatchers("/**").hasRole("USER")
                )
                .httpBasic(withDefaults());
        }
    }

The configuration below is the same as the previous configuration.

    import static org.springframework.security.config.Customizer.withDefaults;

    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers(requestMatchers -> requestMatchers
                    .antMatchers("/api/**")
                    .antMatchers("/oauth/**")
                )
                .authorizeRequests(authorizeRequests -> authorizeRequests
                    .antMatchers("/**").hasRole("USER")
                )
                .httpBasic(withDefaults());
        }
    }

The configuration below is also the same as the above configuration.

    import static org.springframework.security.config.Customizer.withDefaults;

    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers(requestMatchers -> requestMatchers
                    .antMatchers("/api/**")
                )
                .requestMatchers(requestMatchers -> requestMatchers
                    .antMatchers("/oauth/**")
                )
                .authorizeRequests(authorizeRequests -> authorizeRequests
                    .antMatchers("/**").hasRole("USER")
                )
                .httpBasic(withDefaults());
        }
    }

Parameters:
    requestMatcherCustomizer - the Customizer to provide more options for the HttpSecurity.RequestMatcherConfigurer
Returns:
    the HttpSecurity for further customizations
public HttpSecurity requestMatcher(RequestMatcher requestMatcher)

Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher. If more advanced configuration is necessary, consider using requestMatchers().

Invoking requestMatcher(RequestMatcher) will override previous invocations of requestMatchers(), mvcMatcher(String), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

Requests that the RequestMatcher rejects are not handled by this HttpSecurity at all: unless another security filter chain claims them, they pass through with no security filters applied.

Parameters:
    requestMatcher - the RequestMatcher to use (e.g. new AntPathRequestMatcher("/admin/**", "GET"))
Returns:
    the HttpSecurity for further customizations
See Also:
    requestMatchers(), antMatcher(String), regexMatcher(String)
public HttpSecurity antMatcher(java.lang.String antPattern)

Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher).

Invoking antMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

Parameters:
    antPattern - the Ant Pattern to match on (e.g. "/admin/**")
Returns:
    the HttpSecurity for further customizations
See Also:
    AntPathRequestMatcher
public HttpSecurity mvcMatcher(java.lang.String mvcPattern)

Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher).

Invoking mvcMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

When the application uses Spring MVC, prefer mvcMatcher(String) over antMatcher(String): an MvcRequestMatcher matches a request the same way Spring MVC maps it to a handler, so mvcMatcher("/admin") also covers "/admin/" (trailing slash) where Spring MVC would serve it, whereas antMatcher("/admin") matches only the exact path and leaves such variants to whatever chain comes next.

Parameters:
    mvcPattern - the Spring MVC Pattern to match on (e.g. "/admin/**")
Returns:
    the HttpSecurity for further customizations
See Also:
    MvcRequestMatcher
public HttpSecurity regexMatcher(java.lang.String pattern)

Allows configuring the HttpSecurity to only be invoked when matching the provided regex pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher).

Invoking regexMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

Parameters:
    pattern - the Regular Expression to match on (e.g. "/admin/.+")
Returns:
    the HttpSecurity for further customizations
See Also:
    RegexRequestMatcher
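The following configuration is an added example (not part of this Javadoc or of Spring Security) that ties together requestMatchers(), requestMatcher(RequestMatcher) and antMatcher(String): two ordered WebSecurityConfigurerAdapter instances, the first restricted to the API paths from the examples above and the second a catch-all, so that requests the first chain does not claim are still protected. The class names, the /api/public/** prefix, the permitted static paths and the in-memory user are constructed for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class MultipleChainsSecurityConfig {

    /**
     * Chain 1 (consulted first because of @Order(1)): stateless, HTTP Basic protected API.
     * The chain-level RequestMatcher decides whether this HttpSecurity handles a request at all;
     * the antMatchers inside authorizeRequests only ever see requests it has already accepted.
     */
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Same coverage as requestMatchers().antMatchers("/api/**", "/oauth/**"),
            // expressed as one RequestMatcher so it can be reused or unit-tested on its own.
            RequestMatcher apiPaths = new OrRequestMatcher(
                    new AntPathRequestMatcher("/api/**"),
                    new AntPathRequestMatcher("/oauth/**"));
            http
                .requestMatcher(apiPaths)
                .authorizeRequests(authz -> authz
                    .antMatchers("/api/public/**").permitAll()
                    .anyRequest().hasRole("USER"))
                .httpBasic(withDefaults())
                .csrf(csrf -> csrf.disable())
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        }
    }

    /**
     * Chain 2: everything chain 1 did not claim. Without this chain a request to, say, /admin
     * would run through no security filter at all, because FilterChainProxy applies only the
     * first chain whose matcher accepts the request and ignores the request if none does.
     */
    @Configuration
    @Order(2)
    public static class DefaultSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests(authz -> authz
                    .antMatchers("/", "/login", "/css/**").permitAll()
                    .anyRequest().authenticated())
                .formLogin(withDefaults());
        }
    }

    // Shared by both chains through the global AuthenticationManager. {noop} selects the
    // plain-text encoder of Spring Security 5's DelegatingPasswordEncoder: demo only.
    @Bean
    public UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withUsername("user").password("{noop}password").roles("USER").build());
    }
}
```

The @Order values matter: were the catch-all chain ordered first, it would accept every request and the API chain would never be reached. When checking a configuration like this, request a path outside every matcher (for example /admin with no credentials) and confirm it is challenged rather than served.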