Class WebSecurity
- java.lang.Object
-
- org.springframework.security.config.annotation.AbstractSecurityBuilder<O>
-
- org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity>
-
- org.springframework.security.config.annotation.web.builders.WebSecurity
-
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.context.ApplicationContextAware
,SecurityBuilder<javax.servlet.Filter>
,org.springframework.web.context.ServletContextAware
public final class WebSecurity extends AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity> implements SecurityBuilder<javax.servlet.Filter>, org.springframework.context.ApplicationContextAware, org.springframework.web.context.ServletContextAware
The
WebSecurity
is created byWebSecurityConfiguration
to create theFilterChainProxy
known as the Spring Security Filter Chain (springSecurityFilterChain). The springSecurityFilterChain is theFilter
that theDelegatingFilterProxy
delegates to.Customizations to the
WebSecurity
can be made by creating aWebSecurityConfigurer
, overridingWebSecurityConfigurerAdapter
or exposing aWebSecurityCustomizer
bean.- Since:
- 3.2
- See Also:
EnableWebSecurity
,WebSecurityConfiguration
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description class
WebSecurity.IgnoredRequestConfigurer
Allows registeringRequestMatcher
instances that should be ignored by Spring Security.class
WebSecurity.MvcMatchersIgnoredRequestConfigurer
AnWebSecurity.IgnoredRequestConfigurer
that allows optionally configuring theMvcRequestMatcher.setMethod(HttpMethod)
-
Constructor Summary
Constructors Constructor Description WebSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor)
Creates a new instance
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description WebSecurity
addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder)
Adds builders to createSecurityFilterChain
instances.WebSecurity
debug(boolean debugEnabled)
Controls debugging support for Spring Security.WebSecurity
expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler)
Set theSecurityExpressionHandler
to be used.SecurityExpressionHandler<FilterInvocation>
getExpressionHandler()
Gets theSecurityExpressionHandler
to be used.WebInvocationPrivilegeEvaluator
getPrivilegeEvaluator()
Gets theWebInvocationPrivilegeEvaluator
to be used.WebSecurity
httpFirewall(HttpFirewall httpFirewall)
Allows customizing theHttpFirewall
.WebSecurity.IgnoredRequestConfigurer
ignoring()
Allows addingRequestMatcher
instances that Spring Security should ignore.protected javax.servlet.Filter
performBuild()
Subclasses must implement this method to build the object that is being returned.WebSecurity
postBuildAction(java.lang.Runnable postBuildAction)
Executes the Runnable immediately after the build takes placeWebSecurity
privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator)
Set theWebInvocationPrivilegeEvaluator
to be used.WebSecurity
securityInterceptor(FilterSecurityInterceptor securityInterceptor)
Deprecated.void
setApplicationContext(org.springframework.context.ApplicationContext applicationContext)
void
setServletContext(javax.servlet.ServletContext servletContext)
-
Methods inherited from class org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder
apply, beforeConfigure, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers, setSharedObject
-
Methods inherited from class org.springframework.security.config.annotation.AbstractSecurityBuilder
build, getObject
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.springframework.security.config.annotation.SecurityBuilder
build
-
-
-
-
Constructor Detail
-
WebSecurity
public WebSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor)
Creates a new instance- Parameters:
objectPostProcessor
- theObjectPostProcessor
to use- See Also:
WebSecurityConfiguration
-
-
Method Detail
-
ignoring
public WebSecurity.IgnoredRequestConfigurer ignoring()
Allows adding
Example Usage:RequestMatcher
instances that Spring Security should ignore. Web Security provided by Spring Security (including theSecurityContext
) will not be available onHttpServletRequest
that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.webSecurityBuilder.ignoring() // ignore all URLs that start with /resources/ or /static/ .antMatchers("/resources/**", "/static/**");
Alternatively this will accomplish the same result:webSecurityBuilder.ignoring() // ignore all URLs that start with /resources/ or /static/ .antMatchers("/resources/**").antMatchers("/static/**");
Multiple invocations of ignoring() are also additive, so the following is also equivalent to the previous two examples:webSecurityBuilder.ignoring() // ignore all URLs that start with /resources/ .antMatchers("/resources/**"); webSecurityBuilder.ignoring() // ignore all URLs that start with /static/ .antMatchers("/static/**"); // now both URLs that start with /resources/ and /static/ will be ignored
- Returns:
- the
WebSecurity.IgnoredRequestConfigurer
to use for registering request that should be ignored
-
httpFirewall
public WebSecurity httpFirewall(HttpFirewall httpFirewall)
Allows customizing theHttpFirewall
. The default isStrictHttpFirewall
.- Parameters:
httpFirewall
- the customHttpFirewall
- Returns:
- the
WebSecurity
for further customizations
-
debug
public WebSecurity debug(boolean debugEnabled)
Controls debugging support for Spring Security.- Parameters:
debugEnabled
- if true, enables debug support with Spring Security. Default is false.- Returns:
- the
WebSecurity
for further customization. - See Also:
EnableWebSecurity.debug()
-
addSecurityFilterChainBuilder
public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder)
Adds builders to create
SecurityFilterChain
instances.Typically this method is invoked automatically within the framework from
WebSecurityConfigurerAdapter.init(WebSecurity)
- Parameters:
securityFilterChainBuilder
- the builder to use to create theSecurityFilterChain
instances- Returns:
- the
WebSecurity
for further customizations
-
privilegeEvaluator
public WebSecurity privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator)
Set theWebInvocationPrivilegeEvaluator
to be used. If this is not specified, then aDefaultWebInvocationPrivilegeEvaluator
will be created whensecurityInterceptor(FilterSecurityInterceptor)
is non null.- Parameters:
privilegeEvaluator
- theWebInvocationPrivilegeEvaluator
to use- Returns:
- the
WebSecurity
for further customizations
-
expressionHandler
public WebSecurity expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler)
Set theSecurityExpressionHandler
to be used. If this is not specified, then aDefaultWebSecurityExpressionHandler
will be used.- Parameters:
expressionHandler
- theSecurityExpressionHandler
to use- Returns:
- the
WebSecurity
for further customizations
-
getExpressionHandler
public SecurityExpressionHandler<FilterInvocation> getExpressionHandler()
Gets theSecurityExpressionHandler
to be used.- Returns:
- the
SecurityExpressionHandler
for further customizations
-
getPrivilegeEvaluator
public WebInvocationPrivilegeEvaluator getPrivilegeEvaluator()
Gets theWebInvocationPrivilegeEvaluator
to be used.- Returns:
- the
WebInvocationPrivilegeEvaluator
for further customizations
-
securityInterceptor
public WebSecurity securityInterceptor(FilterSecurityInterceptor securityInterceptor)
Deprecated.Sets theFilterSecurityInterceptor
. This is typically invoked byWebSecurityConfigurerAdapter
.- Parameters:
securityInterceptor
- theFilterSecurityInterceptor
to use- Returns:
- the
WebSecurity
for further customizations
-
postBuildAction
public WebSecurity postBuildAction(java.lang.Runnable postBuildAction)
Executes the Runnable immediately after the build takes place- Parameters:
postBuildAction
-- Returns:
- the
WebSecurity
for further customizations
-
performBuild
protected javax.servlet.Filter performBuild() throws java.lang.Exception
Description copied from class:AbstractConfiguredSecurityBuilder
Subclasses must implement this method to build the object that is being returned.- Specified by:
performBuild
in classAbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity>
- Returns:
- the Object to be buit or null if the implementation allows it
- Throws:
java.lang.Exception
-
setApplicationContext
public void setApplicationContext(org.springframework.context.ApplicationContext applicationContext) throws org.springframework.beans.BeansException
- Specified by:
setApplicationContext
in interfaceorg.springframework.context.ApplicationContextAware
- Throws:
org.springframework.beans.BeansException
-
setServletContext
public void setServletContext(javax.servlet.ServletContext servletContext)
- Specified by:
setServletContext
in interfaceorg.springframework.web.context.ServletContextAware
-
-