@Order(value=100) public abstract class WebSecurityConfigurerAdapter extends java.lang.Object implements WebSecurityConfigurer<WebSecurity>
WebSecurityConfigurer
instance. The implementation allows customization by overriding methods.
Will automatically apply the result of looking up
AbstractHttpConfigurer
from SpringFactoriesLoader
to allow
developers to extend the defaults.
To do this, you must create a class that extends AbstractHttpConfigurer and then create a file in the classpath at "META-INF/spring.factories" that looks something like:
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyClassThatExtendsAbstractHttpConfigurerIf you have multiple classes that should be added you can use "," to separate the values. For example:
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyClassThatExtendsAbstractHttpConfigurer, sample.OtherThatExtendsAbstractHttpConfigurer
EnableWebSecurity
Modifier | Constructor and Description |
---|---|
protected |
WebSecurityConfigurerAdapter()
Creates an instance with the default configuration enabled.
|
protected |
WebSecurityConfigurerAdapter(boolean disableDefaults)
Creates an instance which allows specifying if the default configuration should be
enabled.
|
Modifier and Type | Method and Description |
---|---|
protected AuthenticationManager |
authenticationManager()
Gets the
AuthenticationManager to use. |
AuthenticationManager |
authenticationManagerBean()
Override this method to expose the
AuthenticationManager from
configure(AuthenticationManagerBuilder) to be exposed as a Bean. |
protected void |
configure(AuthenticationManagerBuilder auth)
Used by the default implementation of
authenticationManager() to attempt
to obtain an AuthenticationManager . |
protected void |
configure(HttpSecurity http)
Override this method to configure the
HttpSecurity . |
void |
configure(WebSecurity web)
Override this method to configure
WebSecurity . |
protected org.springframework.context.ApplicationContext |
getApplicationContext()
Gets the ApplicationContext
|
protected HttpSecurity |
getHttp()
Creates the
HttpSecurity or returns the current instance
] * @return the HttpSecurity |
void |
init(WebSecurity web)
Initialize the
SecurityBuilder . |
void |
setApplicationContext(org.springframework.context.ApplicationContext context) |
void |
setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration) |
void |
setContentNegotationStrategy(org.springframework.web.accept.ContentNegotiationStrategy contentNegotiationStrategy) |
void |
setObjectPostProcessor(ObjectPostProcessor<java.lang.Object> objectPostProcessor) |
void |
setTrustResolver(AuthenticationTrustResolver trustResolver) |
protected UserDetailsService |
userDetailsService()
Allows modifying and accessing the
UserDetailsService from
userDetailsServiceBean() without interacting with the
ApplicationContext . |
UserDetailsService |
userDetailsServiceBean()
Override this method to expose a
UserDetailsService created from
configure(AuthenticationManagerBuilder) as a bean. |
protected WebSecurityConfigurerAdapter()
protected WebSecurityConfigurerAdapter(boolean disableDefaults)
disableDefaults
- true if the default configuration should be disabled, else
falseprotected void configure(AuthenticationManagerBuilder auth) throws java.lang.Exception
authenticationManager()
to attempt
to obtain an AuthenticationManager
. If overridden, the
AuthenticationManagerBuilder
should be used to specify the
AuthenticationManager
.
The authenticationManagerBean()
method can be used to expose the resulting
AuthenticationManager
as a Bean. The userDetailsServiceBean()
can
be used to expose the last populated UserDetailsService
that is created
with the AuthenticationManagerBuilder
as a Bean. The
UserDetailsService
will also automatically be populated on
AbstractConfiguredSecurityBuilder.getSharedObject(Class)
for use with other
SecurityContextConfigurer
(i.e. RememberMeConfigurer )
For example, the following configuration could be used to register in memory
authentication that exposes an in memory UserDetailsService
:
@Override protected void configure(AuthenticationManagerBuilder auth) { auth // enable in memory based authentication with a user named // "user" and "admin" .inMemoryAuthentication().withUser("user").password("password").roles("USER").and() .withUser("admin").password("password").roles("USER", "ADMIN"); } // Expose the UserDetailsService as a Bean @Bean @Override public UserDetailsService userDetailsServiceBean() throws Exception { return super.userDetailsServiceBean(); }
auth
- the AuthenticationManagerBuilder
to usejava.lang.Exception
protected final HttpSecurity getHttp() throws java.lang.Exception
HttpSecurity
or returns the current instance
] * @return the HttpSecurity
java.lang.Exception
public AuthenticationManager authenticationManagerBean() throws java.lang.Exception
AuthenticationManager
from
configure(AuthenticationManagerBuilder)
to be exposed as a Bean. For
example:
@Bean(name name="myAuthenticationManager") @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); }
AuthenticationManager
java.lang.Exception
protected AuthenticationManager authenticationManager() throws java.lang.Exception
AuthenticationManager
to use. The default strategy is if
configure(AuthenticationManagerBuilder)
method is overridden to use the
AuthenticationManagerBuilder
that was passed in. Otherwise, autowire the
AuthenticationManager
by type.AuthenticationManager
to usejava.lang.Exception
public UserDetailsService userDetailsServiceBean() throws java.lang.Exception
UserDetailsService
created from
configure(AuthenticationManagerBuilder)
as a bean. In general only the
following override should be done of this method:
@Bean(name = "myUserDetailsService") // any or no name specified is allowed @Override public UserDetailsService userDetailsServiceBean() throws Exception { return super.userDetailsServiceBean(); }To change the instance returned, developers should change
userDetailsService()
insteadUserDetailsService
java.lang.Exception
userDetailsService()
protected UserDetailsService userDetailsService()
UserDetailsService
from
userDetailsServiceBean()
without interacting with the
ApplicationContext
. Developers should override this method when changing
the instance of userDetailsServiceBean()
.UserDetailsService
to usepublic void init(WebSecurity web) throws java.lang.Exception
SecurityConfigurer
SecurityBuilder
. Here only shared state should be created
and modified, but not properties on the SecurityBuilder
used for building
the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder)
method uses
the correct shared objects when building. Configurers should be applied here.init
in interface SecurityConfigurer<javax.servlet.Filter,WebSecurity>
java.lang.Exception
public void configure(WebSecurity web) throws java.lang.Exception
WebSecurity
. For example, if you wish to
ignore certain requests.configure
in interface SecurityConfigurer<javax.servlet.Filter,WebSecurity>
java.lang.Exception
protected void configure(HttpSecurity http) throws java.lang.Exception
HttpSecurity
. Typically subclasses
should not invoke this method by calling super as it may override their
configuration. The default configuration is:
http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
http
- the HttpSecurity
to modifyjava.lang.Exception
- if an error occursprotected final org.springframework.context.ApplicationContext getApplicationContext()
@Autowired public void setApplicationContext(org.springframework.context.ApplicationContext context)
@Autowired(required=false) public void setTrustResolver(AuthenticationTrustResolver trustResolver)
@Autowired(required=false) public void setContentNegotationStrategy(org.springframework.web.accept.ContentNegotiationStrategy contentNegotiationStrategy)
@Autowired public void setObjectPostProcessor(ObjectPostProcessor<java.lang.Object> objectPostProcessor)
@Autowired public void setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration)