Class WebSecurity
java.lang.Object
org.springframework.security.config.annotation.AbstractSecurityBuilder<O>
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder<jakarta.servlet.Filter,WebSecurity>
org.springframework.security.config.annotation.web.builders.WebSecurity
- All Implemented Interfaces:
org.springframework.beans.factory.Aware,org.springframework.context.ApplicationContextAware,SecurityBuilder<jakarta.servlet.Filter>,org.springframework.web.context.ServletContextAware
public final class WebSecurity
extends AbstractConfiguredSecurityBuilder<jakarta.servlet.Filter,WebSecurity>
implements SecurityBuilder<jakarta.servlet.Filter>, org.springframework.context.ApplicationContextAware, org.springframework.web.context.ServletContextAware
The WebSecurity is created by WebSecurityConfiguration to create the
FilterChainProxy known as the Spring Security Filter Chain
(springSecurityFilterChain). The springSecurityFilterChain is the Filter that
the DelegatingFilterProxy delegates to.
Customizations to the WebSecurity can be made by creating a
WebSecurityConfigurer or exposing a WebSecurityCustomizer bean.
- Since:
- 3.2
- See Also:
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionclassAllows registeringRequestMatcherinstances that should be ignored by Spring Security. -
Constructor Summary
ConstructorsConstructorDescriptionWebSecurity(ObjectPostProcessor<Object> objectPostProcessor) Creates a new instance -
Method Summary
Modifier and TypeMethodDescriptionaddSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder) Adds builders to createSecurityFilterChaininstances.debug(boolean debugEnabled) Controls debugging support for Spring Security.expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler) Set theSecurityExpressionHandlerto be used.Gets theSecurityExpressionHandlerto be used.Gets theWebInvocationPrivilegeEvaluatorto be used.httpFirewall(HttpFirewall httpFirewall) Allows customizing theHttpFirewall.ignoring()Allows addingRequestMatcherinstances that Spring Security should ignore.protected jakarta.servlet.FilterSubclasses must implement this method to build the object that is being returned.postBuildAction(Runnable postBuildAction) Executes the Runnable immediately after the build takes placeprivilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator) Set theWebInvocationPrivilegeEvaluatorto be used.requestRejectedHandler(RequestRejectedHandler requestRejectedHandler) Sets the handler to handleRequestRejectedExceptionvoidsetApplicationContext(org.springframework.context.ApplicationContext applicationContext) voidsetServletContext(jakarta.servlet.ServletContext servletContext) Methods inherited from class org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder
apply, beforeConfigure, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers, setSharedObjectMethods inherited from class org.springframework.security.config.annotation.AbstractSecurityBuilder
build, getObjectMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface org.springframework.security.config.annotation.SecurityBuilder
build
-
Constructor Details
-
WebSecurity
Creates a new instance- Parameters:
objectPostProcessor- theObjectPostProcessorto use- See Also:
-
-
Method Details
-
ignoring
Allows adding
Example Usage:RequestMatcherinstances that Spring Security should ignore. Web Security provided by Spring Security (including theSecurityContext) will not be available onHttpServletRequestthat match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.webSecurityBuilder.ignoring() // ignore all URLs that start with /resources/ or /static/ .requestMatchers("/resources/**", "/static/**");Alternatively this will accomplish the same result:webSecurityBuilder.ignoring() // ignore all URLs that start with /resources/ or /static/ .requestMatchers("/resources/**").requestMatchers("/static/**");Multiple invocations of ignoring() are also additive, so the following is also equivalent to the previous two examples:webSecurityBuilder.ignoring() // ignore all URLs that start with /resources/ .requestMatchers("/resources/**"); webSecurityBuilder.ignoring() // ignore all URLs that start with /static/ .requestMatchers("/static/**"); // now both URLs that start with /resources/ and /static/ will be ignored- Returns:
- the
WebSecurity.IgnoredRequestConfigurerto use for registering request that should be ignored
-
httpFirewall
Allows customizing theHttpFirewall. The default isStrictHttpFirewall.- Parameters:
httpFirewall- the customHttpFirewall- Returns:
- the
WebSecurityfor further customizations
-
debug
Controls debugging support for Spring Security.- Parameters:
debugEnabled- if true, enables debug support with Spring Security. Default is false.- Returns:
- the
WebSecurityfor further customization. - See Also:
-
addSecurityFilterChainBuilder
public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder) Adds builders to create
SecurityFilterChaininstances.Typically this method is invoked automatically within the framework from
WebSecurityConfiguration.springSecurityFilterChain()- Parameters:
securityFilterChainBuilder- the builder to use to create theSecurityFilterChaininstances- Returns:
- the
WebSecurityfor further customizations
-
privilegeEvaluator
Set theWebInvocationPrivilegeEvaluatorto be used. If this is not specified, then aRequestMatcherDelegatingWebInvocationPrivilegeEvaluatorwill be created based on the list ofSecurityFilterChain.- Parameters:
privilegeEvaluator- theWebInvocationPrivilegeEvaluatorto use- Returns:
- the
WebSecurityfor further customizations
-
expressionHandler
Set theSecurityExpressionHandlerto be used. If this is not specified, then aDefaultWebSecurityExpressionHandlerwill be used.- Parameters:
expressionHandler- theSecurityExpressionHandlerto use- Returns:
- the
WebSecurityfor further customizations
-
getExpressionHandler
Gets theSecurityExpressionHandlerto be used.- Returns:
- the
SecurityExpressionHandlerfor further customizations
-
getPrivilegeEvaluator
Gets theWebInvocationPrivilegeEvaluatorto be used.- Returns:
- the
WebInvocationPrivilegeEvaluatorfor further customizations
-
postBuildAction
Executes the Runnable immediately after the build takes place- Parameters:
postBuildAction-- Returns:
- the
WebSecurityfor further customizations
-
requestRejectedHandler
Sets the handler to handleRequestRejectedException- Parameters:
requestRejectedHandler-- Returns:
- the
WebSecurityfor further customizations - Since:
- 5.7
-
performBuild
Description copied from class:AbstractConfiguredSecurityBuilderSubclasses must implement this method to build the object that is being returned.- Specified by:
performBuildin classAbstractConfiguredSecurityBuilder<jakarta.servlet.Filter,WebSecurity> - Returns:
- the Object to be buit or null if the implementation allows it
- Throws:
Exception
-
setApplicationContext
public void setApplicationContext(org.springframework.context.ApplicationContext applicationContext) throws org.springframework.beans.BeansException - Specified by:
setApplicationContextin interfaceorg.springframework.context.ApplicationContextAware- Throws:
org.springframework.beans.BeansException
-
setServletContext
public void setServletContext(jakarta.servlet.ServletContext servletContext) - Specified by:
setServletContextin interfaceorg.springframework.web.context.ServletContextAware
-