public final class WebSecurity extends AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity> implements SecurityBuilder<javax.servlet.Filter>, org.springframework.context.ApplicationContextAware

The WebSecurity is created by WebSecurityConfiguration to create the FilterChainProxy known as the Spring Security Filter Chain (springSecurityFilterChain). The springSecurityFilterChain is the Filter that the DelegatingFilterProxy delegates to.

Customizations to the WebSecurity can be made by creating a WebSecurityConfigurer or more likely by overriding WebSecurityConfigurerAdapter.

See Also:
EnableWebSecurity, WebSecurityConfiguration

Modifier and Type | Class and Description |
---|---|
class | WebSecurity.IgnoredRequestConfigurer: Allows registering RequestMatcher instances that should be ignored by Spring Security. |
class | WebSecurity.MvcMatchersIgnoredRequestConfigurer: An WebSecurity.IgnoredRequestConfigurer that allows optionally configuring the MvcRequestMatcher.setMethod(HttpMethod) |

Constructor and Description |
---|
WebSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor): Creates a new instance |

Modifier and Type | Method and Description |
---|---|
WebSecurity | addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder): Adds builders to create SecurityFilterChain instances. |
WebSecurity | debug(boolean debugEnabled): Controls debugging support for Spring Security. |
WebSecurity | expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler): Set the SecurityExpressionHandler to be used. |
SecurityExpressionHandler<FilterInvocation> | getExpressionHandler(): Gets the SecurityExpressionHandler to be used. |
WebInvocationPrivilegeEvaluator | getPrivilegeEvaluator(): Gets the WebInvocationPrivilegeEvaluator to be used. |
WebSecurity | httpFirewall(HttpFirewall httpFirewall): Allows customizing the HttpFirewall. |
WebSecurity.IgnoredRequestConfigurer | ignoring(): Allows adding RequestMatcher instances that Spring Security should ignore. |
protected javax.servlet.Filter | performBuild(): Subclasses must implement this method to build the object that is being returned. |
WebSecurity | postBuildAction(java.lang.Runnable postBuildAction): Executes the Runnable immediately after the build takes place |
WebSecurity | privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator): Set the WebInvocationPrivilegeEvaluator to be used. |
WebSecurity | securityInterceptor(FilterSecurityInterceptor securityInterceptor): Sets the FilterSecurityInterceptor. |
void | setApplicationContext(org.springframework.context.ApplicationContext applicationContext) |
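
Methods inherited from class AbstractConfiguredSecurityBuilder: apply, apply, beforeConfigure, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers, setSharedObject

Methods inherited from class AbstractSecurityBuilder: build, getObject

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface SecurityBuilder: build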

public WebSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor)

Parameters:
objectPostProcessor - the ObjectPostProcessor to use

See Also:
WebSecurityConfiguration

public WebSecurity.IgnoredRequestConfigurer ignoring()

Allows adding RequestMatcher instances that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequest instances that match. Typically, only requests for static resources should be registered. For requests that are dynamic, consider mapping the request to allow all users instead.

```java
webSecurityBuilder.ignoring()
        // ignore all URLs that start with /resources/ or /static/
        .antMatchers("/resources/**", "/static/**");
```

Alternatively this will accomplish the same result:

```java
webSecurityBuilder.ignoring()
        // ignore all URLs that start with /resources/ or /static/
        .antMatchers("/resources/**").antMatchers("/static/**");
```

Multiple invocations of ignoring() are also additive, so the following is also equivalent to the previous two examples:

```java
webSecurityBuilder.ignoring()
        // ignore all URLs that start with /resources/
        .antMatchers("/resources/**");
webSecurityBuilder.ignoring()
        // ignore all URLs that start with /static/
        .antMatchers("/static/**");
// now both URLs that start with /resources/ and /static/ will be ignored
```
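
The following is an added example, not part of the Spring Security Javadoc, that contrasts ignoring() for static resources with the recommended alternative for dynamic requests: mapping them to allow all users through HttpSecurity. The class name ExampleSecurityConfig and the paths /signup and /about are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical application configuration; class name and URL paths are assumptions.
@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        // Static assets only: matching requests get a filter chain with no
        // filters, so no SecurityContext, CSRF protection or security
        // response headers are applied to them.
        web.ignoring().antMatchers("/resources/**", "/static/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Dynamic but public pages: open to all users, yet still
                // processed by the filter chain, so the SecurityContext,
                // CSRF protection and header writers stay active.
                .antMatchers("/signup", "/about").permitAll()
                // Everything else requires an authenticated user.
                .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

A dynamic endpoint placed under ignoring() instead of permitAll() cannot see the current user even when one is logged in, because the SecurityContext is never populated for that request.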

Returns:
the WebSecurity.IgnoredRequestConfigurer to use for registering requests that should be ignored

public WebSecurity httpFirewall(HttpFirewall httpFirewall)

Allows customizing the HttpFirewall. The default is StrictHttpFirewall.

Parameters:
httpFirewall - the custom HttpFirewall

Returns:
the WebSecurity for further customizations

public WebSecurity debug(boolean debugEnabled)

Controls debugging support for Spring Security.

Parameters:
debugEnabled - if true, enables debug support with Spring Security. Default is false.

Returns:
the WebSecurity for further customization.

See Also:
EnableWebSecurity.debug()

public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder)

Adds builders to create SecurityFilterChain instances.

Typically this method is invoked automatically within the framework from WebSecurityConfigurerAdapter.init(WebSecurity)

Parameters:
securityFilterChainBuilder - the builder to use to create the SecurityFilterChain instances

Returns:
the WebSecurity for further customizations

public WebSecurity privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator)

Set the WebInvocationPrivilegeEvaluator to be used. If this is not specified, then a DefaultWebInvocationPrivilegeEvaluator will be created when securityInterceptor(FilterSecurityInterceptor) is non null.

Parameters:
privilegeEvaluator - the WebInvocationPrivilegeEvaluator to use

Returns:
the WebSecurity for further customizations

public WebSecurity expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler)

Set the SecurityExpressionHandler to be used. If this is not specified, then a DefaultWebSecurityExpressionHandler will be used.

Parameters:
expressionHandler - the SecurityExpressionHandler to use

Returns:
the WebSecurity for further customizations

public SecurityExpressionHandler<FilterInvocation> getExpressionHandler()

Gets the SecurityExpressionHandler to be used.

Returns:
the SecurityExpressionHandler for further customizations

public WebInvocationPrivilegeEvaluator getPrivilegeEvaluator()

Gets the WebInvocationPrivilegeEvaluator to be used.

Returns:
the WebInvocationPrivilegeEvaluator for further customizations

public WebSecurity securityInterceptor(FilterSecurityInterceptor securityInterceptor)

Sets the FilterSecurityInterceptor. This is typically invoked by WebSecurityConfigurerAdapter.

Parameters:
securityInterceptor - the FilterSecurityInterceptor to use

Returns:
the WebSecurity for further customizations

public WebSecurity postBuildAction(java.lang.Runnable postBuildAction)

Executes the Runnable immediately after the build takes place

Parameters:
postBuildAction -

Returns:
the WebSecurity for further customizations

protected javax.servlet.Filter performBuild() throws java.lang.Exception
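
Description copied from class: AbstractConfiguredSecurityBuilder
Subclasses must implement this method to build the object that is being returned.

Specified by:
performBuild in class AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity>

Throws:
java.lang.Exception
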
public void setApplicationContext(org.springframework.context.ApplicationContext applicationContext) throws org.springframework.beans.BeansException

Specified by:
setApplicationContext in interface org.springframework.context.ApplicationContextAware

Throws:
org.springframework.beans.BeansException