All Implemented Interfaces:
SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity>

A HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration. It allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using #requestMatcher(RequestMatcher) or other similar methods.

Example Usage

The most basic form based configuration can be seen below. The configuration will require that any URL that is requested will require a User with the role "ROLE_USER". It also defines an in memory authentication scheme with a user that has the username "user", the password "password", and the role "ROLE_USER". For additional examples, refer to the Java Doc of individual methods on HttpSecurity.
 @Configuration
 @EnableWebSecurity
 public class FormLoginSecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                http.authorizeHttpRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
                return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
                UserDetails user = User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                return new InMemoryUserDetailsManager(user);
        }
 }
 
Since:
3.2
See Also:
  • Constructor Details

  • Method Details

    • headers

      @Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<HttpSecurity> headers() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Adds the Security headers to the response. This is activated by default when using EnableWebSecurity. Accepting the default provided by EnableWebSecurity or only invoking headers() without invoking additional methods on it, is the equivalent of:
       @Configuration
       @EnableWebSecurity
       public class CsrfSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .headers()
                                      .contentTypeOptions()
                                      .and()
                                      .xssProtection()
                                      .and()
                                      .cacheControl()
                                      .and()
                                      .httpStrictTransportSecurity()
                                      .and()
                                      .frameOptions()
                                      .and()
                              ...;
                      return http.build();
              }
       }
       
      You can disable the headers using the following:
       @Configuration
       @EnableWebSecurity
       public class CsrfSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .headers().disable()
                              ...;
                      return http.build();
              }
       }
       
      You can enable only a few of the headers by first invoking HeadersConfigurer.defaultsDisabled() and then invoking the appropriate methods on the headers() result. For example, the following will enable HeadersConfigurer.cacheControl() and HeadersConfigurer.frameOptions() only.
       @Configuration
       @EnableWebSecurity
       public class CsrfSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .headers()
                                      .defaultsDisabled()
                                      .cacheControl()
                                      .and()
                                      .frameOptions()
                                      .and()
                              ...;
                      return http.build();
              }
       }
       
      You can also choose to keep the defaults but explicitly disable a subset of headers. For example, the following will enable all the default headers except HeadersConfigurer.frameOptions().
       @Configuration
       @EnableWebSecurity
       public class CsrfSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .headers()
                                       .frameOptions()
                                              .disable()
                                       .and()
                              ...;
                      return http.build();
              }
       }
       
      Returns:
      the HeadersConfigurer for further customizations
      Throws:
      Exception
      See Also:
    • headers

      public HttpSecurity headers(Customizer<HeadersConfigurer<HttpSecurity>> headersCustomizer) throws Exception
      Adds the Security headers to the response. This is activated by default when using EnableWebSecurity.

      Example Configurations

      Accepting the default provided by EnableWebSecurity or only invoking headers() without invoking additional methods on it, is the equivalent of:
       @Configuration
       @EnableWebSecurity
       public class CsrfSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .headers((headers) ->
                                      headers
                                              .contentTypeOptions(withDefaults())
                                              .xssProtection(withDefaults())
                                              .cacheControl(withDefaults())
                                              .httpStrictTransportSecurity(withDefaults())
                                              .frameOptions(withDefaults()
                              );
                      return http.build();
              }
       }
       
      You can disable the headers using the following:
       @Configuration
       @EnableWebSecurity
       public class CsrfSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .headers((headers) -> headers.disable());
                      return http.build();
              }
       }
       
      You can enable only a few of the headers by first invoking HeadersConfigurer.defaultsDisabled() and then invoking the appropriate methods on the headers() result. For example, the following will enable HeadersConfigurer.cacheControl() and HeadersConfigurer.frameOptions() only.
       @Configuration
       @EnableWebSecurity
       public class CsrfSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .headers((headers) ->
                                      headers
                                              .defaultsDisabled()
                                              .cacheControl(withDefaults())
                                              .frameOptions(withDefaults())
                              );
                      return http.build();
              }
       }
       
      You can also choose to keep the defaults but explicitly disable a subset of headers. For example, the following will enable all the default headers except HeadersConfigurer.frameOptions().
       @Configuration
       @EnableWebSecurity
       public class CsrfSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
              http
                      .headers((headers) ->
                              headers
                                      .frameOptions((frameOptions) -> frameOptions.disable())
                      );
                      return http.build();
              }
       }
       
      Parameters:
      headersCustomizer - the Customizer to provide more options for the HeadersConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • cors

      @Deprecated(since="6.1", forRemoval=true) public CorsConfigurer<HttpSecurity> cors() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Adds a CorsFilter to be used. If a bean by the name of corsFilter is provided, that CorsFilter is used. Else if corsConfigurationSource is defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is on the classpath a HandlerMappingIntrospector is used.
      Returns:
      the CorsConfigurer for customizations
      Throws:
      Exception
    • cors

      public HttpSecurity cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer) throws Exception
      Adds a CorsFilter to be used. If a bean by the name of corsFilter is provided, that CorsFilter is used. Else if corsConfigurationSource is defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is on the classpath a HandlerMappingIntrospector is used. You can enable CORS using:
       @Configuration
       @EnableWebSecurity
       public class CorsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .cors(withDefaults());
                      return http.build();
              }
       }
       
      Parameters:
      corsCustomizer - the Customizer to provide more options for the CorsConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • sessionManagement

      @Deprecated(since="6.1", forRemoval=true) public SessionManagementConfigurer<HttpSecurity> sessionManagement() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use sessionManagement(Customizer) or sessionManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Allows configuring of Session Management.

      Example Configuration

      The following configuration demonstrates how to enforce that only a single instance of a user is authenticated at a time. If a user authenticates with the username "user" without logging out and an attempt to authenticate with "user" is made the first session will be forcibly terminated and sent to the "/login?expired" URL.
       @Configuration
       @EnableWebSecurity
       public class SessionManagementSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin()
                                      .permitAll().and().sessionManagement().maximumSessions(1)
                                      .expiredUrl("/login?expired");
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      When using SessionManagementConfigurer.maximumSessions(int), do not forget to configure HttpSessionEventPublisher for the application to ensure that expired sessions are cleaned up. In a web.xml this can be configured using the following:
       <listener>
            <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
       </listener>
       
      Alternatively, AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher() could return true.
      Returns:
      the SessionManagementConfigurer for further customizations
      Throws:
      Exception
    • sessionManagement

      public HttpSecurity sessionManagement(Customizer<SessionManagementConfigurer<HttpSecurity>> sessionManagementCustomizer) throws Exception
      Allows configuring of Session Management.

      Example Configuration

      The following configuration demonstrates how to enforce that only a single instance of a user is authenticated at a time. If a user authenticates with the username "user" without logging out and an attempt to authenticate with "user" is made the first session will be forcibly terminated and sent to the "/login?expired" URL.
       @Configuration
       @EnableWebSecurity
       public class SessionManagementSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .anyRequest().hasRole("USER")
                              )
                              .formLogin((formLogin) ->
                                      formLogin
                                              .permitAll()
                              )
                              .sessionManagement((sessionManagement) ->
                                      sessionManagement
                                              .sessionConcurrency((sessionConcurrency) ->
                                                      sessionConcurrency
                                                              .maximumSessions(1)
                                                              .expiredUrl("/login?expired")
                                              )
                              );
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      When using SessionManagementConfigurer.maximumSessions(int), do not forget to configure HttpSessionEventPublisher for the application to ensure that expired sessions are cleaned up. In a web.xml this can be configured using the following:
       <listener>
            <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
       </listener>
       
      Alternatively, AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher() could return true.
      Parameters:
      sessionManagementCustomizer - the Customizer to provide more options for the SessionManagementConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • portMapper

      @Deprecated(since="6.1", forRemoval=true) public PortMapperConfigurer<HttpSecurity> portMapper() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use portMapper(Customizer) or portMapper(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). Other provided SecurityConfigurer objects use this configured PortMapper as a default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to HTTP (for example when used in combination with requiresChannel(). By default Spring Security uses a PortMapperImpl which maps the HTTP port 8080 to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.

      Example Configuration

      The following configuration will ensure that redirects within Spring Security from HTTP of a port of 9090 will redirect to HTTPS port of 9443 and the HTTP port of 80 to the HTTPS port of 443.
       @Configuration
       @EnableWebSecurity
       public class PortMapperSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
                                      .permitAll().and()
                                      // Example portMapper() configuration
                                      .portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443);
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Returns:
      the PortMapperConfigurer for further customizations
      Throws:
      Exception
      See Also:
    • portMapper

      public HttpSecurity portMapper(Customizer<PortMapperConfigurer<HttpSecurity>> portMapperCustomizer) throws Exception
      Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). Other provided SecurityConfigurer objects use this configured PortMapper as a default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to HTTP (for example when used in combination with requiresChannel(). By default Spring Security uses a PortMapperImpl which maps the HTTP port 8080 to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.

      Example Configuration

      The following configuration will ensure that redirects within Spring Security from HTTP of a port of 9090 will redirect to HTTPS port of 9443 and the HTTP port of 80 to the HTTPS port of 443.
       @Configuration
       @EnableWebSecurity
       public class PortMapperSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .requiresChannel((requiresChannel) ->
                                      requiresChannel
                                              .anyRequest().requiresSecure()
                              )
                              .portMapper((portMapper) ->
                                      portMapper
                                              .http(9090).mapsTo(9443)
                                              .http(80).mapsTo(443)
                              );
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Parameters:
      portMapperCustomizer - the Customizer to provide more options for the PortMapperConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      See Also:
    • jee

      @Deprecated(since="6.1", forRemoval=true) public JeeConfigurer<HttpSecurity> jee() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use jee(Customizer) or jee(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures container based pre authentication. In this case, authentication is managed by the Servlet Container.

      Example Configuration

      The following configuration will use the principal found on the HttpServletRequest and if the user is in the role "ROLE_USER" or "ROLE_ADMIN" will add that to the resulting Authentication.
       @Configuration
       @EnableWebSecurity
       public class JeeSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").and()
                      // Example jee() configuration
                                      .jee().mappableRoles("USER", "ADMIN");
                      return http.build();
              }
       }
       
      Developers wishing to use pre authentication with the container will need to ensure their web.xml configures the security constraints. For example, the web.xml (there is no equivalent Java based configuration supported by the Servlet specification) might look like:
       <login-config>
           <auth-method>FORM</auth-method>
           <form-login-config>
               <form-login-page>/login</form-login-page>
               <form-error-page>/login?error</form-error-page>
           </form-login-config>
       </login-config>
      
       <security-role>
           <role-name>ROLE_USER</role-name>
       </security-role>
       <security-constraint>
           <web-resource-collection>
           <web-resource-name>Public</web-resource-name>
               <description>Matches unconstrained pages</description>
               <url-pattern>/login</url-pattern>
               <url-pattern>/logout</url-pattern>
               <url-pattern>/resources/*</url-pattern>
           </web-resource-collection>
       </security-constraint>
       <security-constraint>
           <web-resource-collection>
               <web-resource-name>Secured Areas</web-resource-name>
               <url-pattern>/*</url-pattern>
           </web-resource-collection>
           <auth-constraint>
               <role-name>ROLE_USER</role-name>
           </auth-constraint>
       </security-constraint>
       
      Last you will need to configure your container to contain the user with the correct roles. This configuration is specific to the Servlet Container, so consult your Servlet Container's documentation.
      Returns:
      the JeeConfigurer for further customizations
      Throws:
      Exception
    • jee

      public HttpSecurity jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer) throws Exception
      Configures container based pre authentication. In this case, authentication is managed by the Servlet Container.

      Example Configuration

      The following configuration will use the principal found on the HttpServletRequest and if the user is in the role "ROLE_USER" or "ROLE_ADMIN" will add that to the resulting Authentication.
       @Configuration
       @EnableWebSecurity
       public class JeeSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .jee((jee) ->
                                      jee
                                              .mappableRoles("USER", "ADMIN")
                              );
                      return http.build();
              }
       }
       
      Developers wishing to use pre authentication with the container will need to ensure their web.xml configures the security constraints. For example, the web.xml (there is no equivalent Java based configuration supported by the Servlet specification) might look like:
       <login-config>
           <auth-method>FORM</auth-method>
           <form-login-config>
               <form-login-page>/login</form-login-page>
               <form-error-page>/login?error</form-error-page>
           </form-login-config>
       </login-config>
      
       <security-role>
           <role-name>ROLE_USER</role-name>
       </security-role>
       <security-constraint>
           <web-resource-collection>
           <web-resource-name>Public</web-resource-name>
               <description>Matches unconstrained pages</description>
               <url-pattern>/login</url-pattern>
               <url-pattern>/logout</url-pattern>
               <url-pattern>/resources/*</url-pattern>
           </web-resource-collection>
       </security-constraint>
       <security-constraint>
           <web-resource-collection>
               <web-resource-name>Secured Areas</web-resource-name>
               <url-pattern>/*</url-pattern>
           </web-resource-collection>
           <auth-constraint>
               <role-name>ROLE_USER</role-name>
           </auth-constraint>
       </security-constraint>
       
      Last you will need to configure your container to contain the user with the correct roles. This configuration is specific to the Servlet Container, so consult your Servlet Container's documentation.
      Parameters:
      jeeCustomizer - the Customizer to provide more options for the JeeConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • x509

      @Deprecated(since="6.1", forRemoval=true) public X509Configurer<HttpSecurity> x509() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures X509 based pre authentication.

      Example Configuration

      The following configuration will attempt to extract the username from the X509 certificate. Remember that the Servlet Container will need to be configured to request client certificates in order for this to work.
       @Configuration
       @EnableWebSecurity
       public class X509SecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").and()
                      // Example x509() configuration
                                      .x509();
                      return http.build();
              }
       }
       
      Returns:
      the X509Configurer for further customizations
      Throws:
      Exception
    • x509

      public HttpSecurity x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer) throws Exception
      Configures X509 based pre authentication.

      Example Configuration

      The following configuration will attempt to extract the username from the X509 certificate. Remember that the Servlet Container will need to be configured to request client certificates in order for this to work.
       @Configuration
       @EnableWebSecurity
       public class X509SecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .x509(withDefaults());
                      return http.build();
              }
       }
       
      Parameters:
      x509Customizer - the Customizer to provide more options for the X509Configurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • rememberMe

      @Deprecated(since="6.1", forRemoval=true) public RememberMeConfigurer<HttpSecurity> rememberMe() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use rememberMe(Customizer) or rememberMe(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Allows configuring of Remember Me authentication.

      Example Configuration

      The following configuration demonstrates how to allow token based remember me authentication. Upon authenticating if the HTTP parameter named "remember-me" exists, then the user will be remembered even after their HttpSession expires.
       @Configuration
       @EnableWebSecurity
       public class RememberMeSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
                                      .permitAll().and()
                                      // Example Remember Me Configuration
                                      .rememberMe();
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Returns:
      the RememberMeConfigurer for further customizations
      Throws:
      Exception
    • rememberMe

      public HttpSecurity rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> rememberMeCustomizer) throws Exception
      Allows configuring of Remember Me authentication.

      Example Configuration

      The following configuration demonstrates how to allow token based remember me authentication. Upon authenticating if the HTTP parameter named "remember-me" exists, then the user will be remembered even after their HttpSession expires.
       @Configuration
       @EnableWebSecurity
       public class RememberMeSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin(withDefaults())
                              .rememberMe(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Parameters:
      rememberMeCustomizer - the Customizer to provide more options for the RememberMeConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • authorizeRequests

      Deprecated.
      For removal in 7.0. Use authorizeHttpRequests() instead
      Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).

      Example Configurations

      The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication to every URL and will grant access to both the user "admin" and "user".
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      UserDetails admin = User.withDefaultPasswordEncoder()
                              .username("admin")
                              .password("password")
                              .roles("ADMIN", "USER")
                              .build();
                      return new InMemoryUserDetailsManager(user, admin);
              }
       }
       
      We can also configure multiple URLs. The configuration below requires authentication to every URL and will grant access to URLs starting with /admin/ to only the "admin" user. All other URLs either user can access.
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/admin/**").hasRole("ADMIN")
                                      .requestMatchers("/**").hasRole("USER").and().formLogin();
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      UserDetails admin = User.withDefaultPasswordEncoder()
                              .username("admin")
                              .password("password")
                              .roles("ADMIN", "USER")
                              .build();
                      return new InMemoryUserDetailsManager(user, admin);
              }
       }
       
      Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").requestMatchers("/admin/**")
                              .hasRole("ADMIN")
                      return http.build();
              }
       }
       
      Returns:
      the ExpressionUrlAuthorizationConfigurer for further customizations
      Throws:
      Exception
    • authorizeRequests

      Deprecated.
      For removal in 7.0. Use authorizeHttpRequests() instead
      Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).

      Example Configurations

      The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication to every URL and will grant access to both the user "admin" and "user".
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      UserDetails admin = User.withDefaultPasswordEncoder()
                              .username("admin")
                              .password("password")
                              .roles("ADMIN", "USER")
                              .build();
                      return new InMemoryUserDetailsManager(user, admin);
              }
       }
       
      We can also configure multiple URLs. The configuration below requires authentication to every URL and will grant access to URLs starting with /admin/ to only the "admin" user. All other URLs either user can access.
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/admin/**").hasRole("ADMIN")
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      UserDetails admin = User.withDefaultPasswordEncoder()
                              .username("admin")
                              .password("password")
                              .roles("ADMIN", "USER")
                              .build();
                      return new InMemoryUserDetailsManager(user, admin);
              }
       }
       
      Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                       http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                                              .requestMatchers("/admin/**").hasRole("ADMIN")
                              );
                      return http.build();
              }
       }
       
      Parameters:
      authorizeRequestsCustomizer - the Customizer to provide more options for the ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • authorizeHttpRequests

      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use authorizeHttpRequests(Customizer) instead
      Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).

      Example Configurations

      The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication to every URL and will grant access to both the user "admin" and "user".
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeHttpRequests()
                                      .requestMatchers("/**").hasRole("USER")
                                      .and()
                              .formLogin();
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      UserDetails admin = User.withDefaultPasswordEncoder()
                              .username("admin")
                              .password("password")
                              .roles("ADMIN", "USER")
                              .build();
                      return new InMemoryUserDetailsManager(user, admin);
              }
       }
       
      We can also configure multiple URLs. The configuration below requires authentication to every URL and will grant access to URLs starting with /admin/ to only the "admin" user. All other URLs either user can access.
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeHttpRequests()
                                      .requestMatchers("/admin").hasRole("ADMIN")
                                      .requestMatchers("/**").hasRole("USER")
                                      .and()
                              .formLogin();
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      UserDetails admin = User.withDefaultPasswordEncoder()
                              .username("admin")
                              .password("password")
                              .roles("ADMIN", "USER")
                              .build();
                      return new InMemoryUserDetailsManager(user, admin);
              }
       }
       
      Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeHttpRequests()
                                      .requestMatchers("/**").hasRole("USER")
                                      .requestMatchers("/admin/**").hasRole("ADMIN")
                                      .and()
                              .formLogin();
                      return http.build();
              }
       }
       
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      Since:
      5.6
    • authorizeHttpRequests

      public HttpSecurity authorizeHttpRequests(Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer) throws Exception
      Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).

      Example Configurations

      The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication to every URL and will grant access to both the user "admin" and "user".
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeHttpRequests((authorizeHttpRequests) ->
                                      authorizeHttpRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      UserDetails admin = User.withDefaultPasswordEncoder()
                              .username("admin")
                              .password("password")
                              .roles("ADMIN", "USER")
                              .build();
                      return new InMemoryUserDetailsManager(user, admin);
              }
       }
       
      We can also configure multiple URLs. The configuration below requires authentication to every URL and will grant access to URLs starting with /admin/ to only the "admin" user. All other URLs either user can access.
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeHttpRequests((authorizeHttpRequests) ->
                                      authorizeHttpRequests
                                              .requestMatchers("/admin/**").hasRole("ADMIN")
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      UserDetails admin = User.withDefaultPasswordEncoder()
                              .username("admin")
                              .password("password")
                              .roles("ADMIN", "USER")
                              .build();
                      return new InMemoryUserDetailsManager(user, admin);
              }
       }
       
      Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:
       @Configuration
       @EnableWebSecurity
       public class AuthorizeUrlsSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeHttpRequests((authorizeHttpRequests) ->
                                      authorizeHttpRequests
                                              .requestMatchers("/**").hasRole("USER")
                                              .requestMatchers("/admin/**").hasRole("ADMIN")
                              );
                      return http.build();
              }
       }
       
      Parameters:
      authorizeHttpRequestsCustomizer - the Customizer to provide more options for the AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      Since:
      5.5
    • requestCache

      @Deprecated(since="6.1", forRemoval=true) public RequestCacheConfigurer<HttpSecurity> requestCache() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Allows configuring the Request Cache. For example, a protected page (/protected) may be requested prior to authentication. The application will redirect the user to a login page. After authentication, Spring Security will redirect the user to the originally requested protected page (/protected). This is automatically applied when using EnableWebSecurity.
      Returns:
      the RequestCacheConfigurer for further customizations
      Throws:
      Exception
    • requestCache

      public HttpSecurity requestCache(Customizer<RequestCacheConfigurer<HttpSecurity>> requestCacheCustomizer) throws Exception
      Allows configuring the Request Cache. For example, a protected page (/protected) may be requested prior to authentication. The application will redirect the user to a login page. After authentication, Spring Security will redirect the user to the originally requested protected page (/protected). This is automatically applied when using EnableWebSecurity.

      Example Custom Configuration

      The following example demonstrates how to disable request caching.
       @Configuration
       @EnableWebSecurity
       public class RequestCacheDisabledSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .requestCache((requestCache) ->
                                      requestCache.disable()
                              );
                      return http.build();
              }
       }
       
      Parameters:
      requestCacheCustomizer - the Customizer to provide more options for the RequestCacheConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • exceptionHandling

      @Deprecated(since="6.1", forRemoval=true) public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Allows configuring exception handling. This is automatically applied when using EnableWebSecurity.
      Returns:
      the ExceptionHandlingConfigurer for further customizations
      Throws:
      Exception
    • exceptionHandling

      public HttpSecurity exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer) throws Exception
      Allows configuring exception handling. This is automatically applied when using EnableWebSecurity.

      Example Custom Configuration

      The following customization will ensure that users who are denied access are forwarded to the page "/errors/access-denied".
       @Configuration
       @EnableWebSecurity
       public class ExceptionHandlingSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              // sample exception handling customization
                              .exceptionHandling((exceptionHandling) ->
                                      exceptionHandling
                                              .accessDeniedPage("/errors/access-denied")
                              );
                      return http.build();
              }
       }
       
      Parameters:
      exceptionHandlingCustomizer - the Customizer to provide more options for the ExceptionHandlingConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • securityContext

      @Deprecated(since="6.1", forRemoval=true) public SecurityContextConfigurer<HttpSecurity> securityContext() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use securityContext(Customizer) or securityContext(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequest's. This is automatically applied when using EnableWebSecurity.
      Returns:
      the SecurityContextConfigurer for further customizations
      Throws:
      Exception
    • securityContext

      public HttpSecurity securityContext(Customizer<SecurityContextConfigurer<HttpSecurity>> securityContextCustomizer) throws Exception
      Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequest's. This is automatically applied when using EnableWebSecurity. The following customization specifies the shared SecurityContextRepository
       @Configuration
       @EnableWebSecurity
       public class SecurityContextSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .securityContext((securityContext) ->
                                      securityContext
                                              .securityContextRepository(SCR)
                              );
                      return http.build();
              }
       }
       
      Parameters:
      securityContextCustomizer - the Customizer to provide more options for the SecurityContextConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • servletApi

      @Deprecated(since="6.1", forRemoval=true) public ServletApiConfigurer<HttpSecurity> servletApi() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use servletApi(Customizer) or servletApi(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Integrates the HttpServletRequest methods with the values found on the SecurityContext. This is automatically applied when using EnableWebSecurity.
      Returns:
      the ServletApiConfigurer for further customizations
      Throws:
      Exception
    • servletApi

      public HttpSecurity servletApi(Customizer<ServletApiConfigurer<HttpSecurity>> servletApiCustomizer) throws Exception
      Integrates the HttpServletRequest methods with the values found on the SecurityContext. This is automatically applied when using EnableWebSecurity. You can disable it using:
       @Configuration
       @EnableWebSecurity
       public class ServletApiSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .servletApi((servletApi) ->
                                      servletApi.disable()
                              );
                      return http.build();
              }
       }
       
      Parameters:
      servletApiCustomizer - the Customizer to provide more options for the ServletApiConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • csrf

      @Deprecated(since="6.1", forRemoval=true) public CsrfConfigurer<HttpSecurity> csrf() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Enables CSRF protection. This is activated by default when using EnableWebSecurity's default constructor. You can disable it using:
       @Configuration
       @EnableWebSecurity
       public class CsrfSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .csrf().disable()
                              ...;
                      return http.build();
              }
       }
       
      Returns:
      the CsrfConfigurer for further customizations
      Throws:
      Exception
    • csrf

      public HttpSecurity csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer) throws Exception
      Enables CSRF protection. This is activated by default when using EnableWebSecurity. You can disable it using:
       @Configuration
       @EnableWebSecurity
       public class CsrfSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .csrf((csrf) -> csrf.disable());
                      return http.build();
              }
       }
       
      Parameters:
      csrfCustomizer - the Customizer to provide more options for the CsrfConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • logout

      @Deprecated(since="6.1", forRemoval=true) public LogoutConfigurer<HttpSecurity> logout() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Provides logout support. This is automatically applied when using EnableWebSecurity. The default is that accessing the URL "/logout" will log the user out by invalidating the HTTP Session, cleaning up any rememberMe() authentication that was configured, clearing the SecurityContextHolder, and then redirect to "/login?success".

      Example Custom Configuration

      The following customization to log out when the URL "/custom-logout" is invoked. Log out will remove the cookie named "remove", not invalidate the HttpSession, clear the SecurityContextHolder, and upon completion redirect to "/logout-success".
       @Configuration
       @EnableWebSecurity
       public class LogoutSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
                                      .and()
                                      // sample logout customization
                                      .logout().deleteCookies("remove").invalidateHttpSession(false)
                                      .logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success");
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Returns:
      the LogoutConfigurer for further customizations
      Throws:
      Exception
    • logout

      public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer) throws Exception
      Provides logout support. This is automatically applied when using EnableWebSecurity. The default is that accessing the URL "/logout" will log the user out by invalidating the HTTP Session, cleaning up any rememberMe() authentication that was configured, clearing the SecurityContextHolder, and then redirect to "/login?success".

      Example Custom Configuration

      The following customization to log out when the URL "/custom-logout" is invoked. Log out will remove the cookie named "remove", not invalidate the HttpSession, clear the SecurityContextHolder, and upon completion redirect to "/logout-success".
       @Configuration
       @EnableWebSecurity
       public class LogoutSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin(withDefaults())
                              // sample logout customization
                              .logout((logout) ->
                                      logout.deleteCookies("remove")
                                              .invalidateHttpSession(false)
                                              .logoutUrl("/custom-logout")
                                              .logoutSuccessUrl("/logout-success")
                              );
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Parameters:
      logoutCustomizer - the Customizer to provide more options for the LogoutConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • anonymous

      @Deprecated(since="6.1", forRemoval=true) public AnonymousConfigurer<HttpSecurity> anonymous() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Allows configuring how an anonymous user is represented. This is automatically applied when used in conjunction with EnableWebSecurity. By default anonymous users will be represented with an AnonymousAuthenticationToken and contain the role "ROLE_ANONYMOUS".

      Example Configuration

      The following configuration demonstrates how to specify that anonymous users should contain the role "ROLE_ANON" instead.
       @Configuration
       @EnableWebSecurity
       public class AnonymousSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests()
                                      .requestMatchers("/**").hasRole("USER")
                                      .and()
                              .formLogin()
                                      .and()
                              // sample anonymous customization
                              .anonymous().authorities("ROLE_ANON");
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      The following demonstrates how to represent anonymous users as null. Note that this can cause NullPointerException in code that assumes anonymous authentication is enabled.
       @Configuration
       @EnableWebSecurity
       public class AnonymousSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests()
                                      .requestMatchers("/**").hasRole("USER")
                                      .and()
                              .formLogin()
                                      .and()
                              // sample anonymous customization
                              .anonymous().disable();
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Returns:
      the AnonymousConfigurer for further customizations
      Throws:
      Exception
    • anonymous

      public HttpSecurity anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anonymousCustomizer) throws Exception
      Allows configuring how an anonymous user is represented. This is automatically applied when used in conjunction with EnableWebSecurity. By default anonymous users will be represented with an AnonymousAuthenticationToken and contain the role "ROLE_ANONYMOUS".

      Example Configuration

      The following configuration demonstrates how to specify that anonymous users should contain the role "ROLE_ANON" instead.
       @Configuration
       @EnableWebSecurity
       public class AnonymousSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin(withDefaults())
                              // sample anonymous customization
                              .anonymous((anonymous) ->
                                      anonymous
                                              .authorities("ROLE_ANON")
                              );
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      The following demonstrates how to represent anonymous users as null. Note that this can cause NullPointerException in code that assumes anonymous authentication is enabled.
       @Configuration
       @EnableWebSecurity
       public class AnonymousSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin(withDefaults())
                              // sample anonymous customization
                              .anonymous((anonymous) ->
                                      anonymous.disable()
                              );
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Parameters:
      anonymousCustomizer - the Customizer to provide more options for the AnonymousConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • formLogin

      @Deprecated(since="6.1", forRemoval=true) public FormLoginConfigurer<HttpSecurity> formLogin() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Specifies to support form based authentication. If FormLoginConfigurer.loginPage(String) is not specified a default login page will be generated.

      Example Configurations

      The most basic configuration defaults to automatically generating a login page at the URL "/login", redirecting to "/login?error" for authentication failure. The details of the login page can be found on FormLoginConfigurer.loginPage(String)
       @Configuration
       @EnableWebSecurity
       public class FormLoginSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      The configuration below demonstrates customizing the defaults.
       @Configuration
       @EnableWebSecurity
       public class FormLoginSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
                                      .usernameParameter("username") // default is username
                                      .passwordParameter("password") // default is password
                                      .loginPage("/authentication/login") // default is /login with an HTTP get
                                      .failureUrl("/authentication/login?failed") // default is /login?error
                                      .loginProcessingUrl("/authentication/login/process"); // default is /login
                                                                                                                                                      // with an HTTP
                                                                                                                                                      // post
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Returns:
      the FormLoginConfigurer for further customizations
      Throws:
      Exception
      See Also:
    • formLogin

      public HttpSecurity formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> formLoginCustomizer) throws Exception
      Specifies to support form based authentication. If FormLoginConfigurer.loginPage(String) is not specified a default login page will be generated.

      Example Configurations

      The most basic configuration defaults to automatically generating a login page at the URL "/login", redirecting to "/login?error" for authentication failure. The details of the login page can be found on FormLoginConfigurer.loginPage(String)
       @Configuration
       @EnableWebSecurity
       public class FormLoginSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      The configuration below demonstrates customizing the defaults.
       @Configuration
       @EnableWebSecurity
       public class FormLoginSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin((formLogin) ->
                                      formLogin
                                              .usernameParameter("username")
                                              .passwordParameter("password")
                                              .loginPage("/authentication/login")
                                              .failureUrl("/authentication/login?failed")
                                              .loginProcessingUrl("/authentication/login/process")
                              );
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Parameters:
      formLoginCustomizer - the Customizer to provide more options for the FormLoginConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      See Also:
    • saml2Login

      @Deprecated(since="6.1", forRemoval=true) public Saml2LoginConfigurer<HttpSecurity> saml2Login() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use saml2Login(Customizer) or saml2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures authentication support using an SAML 2.0 Service Provider.

      The "authentication flow" is implemented using the Web Browser SSO Profile, using POST and REDIRECT bindings, as documented in the SAML V2.0 Core,Profiles and Bindings specifications.

      As a prerequisite to using this feature, is that you have a SAML v2.0 Identity Provider to provide an assertion. The representation of the Service Provider, the relying party, and the remote Identity Provider, the asserting party is contained within RelyingPartyRegistration.

      RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login().relyingPartyRegistrationRepository(..).

      The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the identity providers with a link that is capable of initiating the "authentication flow".

      Example Configuration

      The following example shows the minimal configuration required, using SimpleSamlPhp as the Authentication Provider.
       @Configuration
       @EnableWebSecurity
       public class Saml2LoginSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests()
                                      .anyRequest().authenticated()
                                      .and()
                              .saml2Login();
                      return http.build();
              }
      
              @Bean
              public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
                      return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
              }
      
              private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
                      //remote IDP entity ID
                      String idpEntityId = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php";
                      //remote WebSSO Endpoint - Where to Send AuthNRequests to
                      String webSsoEndpoint = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php";
                      //local registration ID
                      String registrationId = "simplesamlphp";
                      //local entity ID - autogenerated based on URL
                      String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
                      //local signing (and decryption key)
                      Saml2X509Credential signingCredential = getSigningCredential();
                      //IDP certificate for verification of incoming messages
                      Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
                      return RelyingPartyRegistration.withRegistrationId(registrationId)
                                      .remoteIdpEntityId(idpEntityId)
                                      .idpWebSsoUrl(webSsoEndpoint)
                                      .credential(signingCredential)
                                      .credential(idpVerificationCertificate)
                                      .localEntityIdTemplate(localEntityIdTemplate)
                                      .build();
              }
       }
       

      Returns:
      the Saml2LoginConfigurer for further customizations
      Throws:
      Exception
      Since:
      5.2
    • saml2Login

      public HttpSecurity saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> saml2LoginCustomizer) throws Exception
      Configures authentication support using an SAML 2.0 Service Provider.

      The "authentication flow" is implemented using the Web Browser SSO Profile, using POST and REDIRECT bindings, as documented in the SAML V2.0 Core,Profiles and Bindings specifications.

      As a prerequisite to using this feature, is that you have a SAML v2.0 Identity Provider to provide an assertion. The representation of the Service Provider, the relying party, and the remote Identity Provider, the asserting party is contained within RelyingPartyRegistration.

      RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login().relyingPartyRegistrationRepository(..).

      The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the identity providers with a link that is capable of initiating the "authentication flow".

      Example Configuration

      The following example shows the minimal configuration required, using SimpleSamlPhp as the Authentication Provider.
       @Configuration
       @EnableWebSecurity
       public class Saml2LoginSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .anyRequest().authenticated()
                              )
                              .saml2Login(withDefaults());
                      return http.build();
              }
      
              @Bean
              public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
                      return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
              }
      
              private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
                      //remote IDP entity ID
                      String idpEntityId = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php";
                      //remote WebSSO Endpoint - Where to Send AuthNRequests to
                      String webSsoEndpoint = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php";
                      //local registration ID
                      String registrationId = "simplesamlphp";
                      //local entity ID - autogenerated based on URL
                      String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
                      //local signing (and decryption key)
                      Saml2X509Credential signingCredential = getSigningCredential();
                      //IDP certificate for verification of incoming messages
                      Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
                      return RelyingPartyRegistration.withRegistrationId(registrationId)
                                      .remoteIdpEntityId(idpEntityId)
                                      .idpWebSsoUrl(webSsoEndpoint)
                                      .credential(signingCredential)
                                      .credential(idpVerificationCertificate)
                                      .localEntityIdTemplate(localEntityIdTemplate)
                                      .build();
              }
       }
       

      Parameters:
      saml2LoginCustomizer - the Customizer to provide more options for the Saml2LoginConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      Since:
      5.2
    • saml2Logout

      public HttpSecurity saml2Logout(Customizer<Saml2LogoutConfigurer<HttpSecurity>> saml2LogoutCustomizer) throws Exception
      Configures logout support for an SAML 2.0 Relying Party.

      Implements the Single Logout Profile, using POST and REDIRECT bindings, as documented in the SAML V2.0 Core, Profiles and Bindings specifications.

      As a prerequisite to using this feature, is that you have a SAML v2.0 Asserting Party to sent a logout request to. The representation of the relying party and the asserting party is contained within RelyingPartyRegistration.

      RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login(Customizer).

      The default configuration provides an auto-generated logout endpoint at "/logout" and redirects to /login?logout when logout completes.

      Example Configuration

      The following example shows the minimal configuration required, using a hypothetical asserting party.
              @EnableWebSecurity
              @Configuration
              public class Saml2LogoutSecurityConfig {
                      @Bean
                      public SecurityFilterChain web(HttpSecurity http) throws Exception {
                              http
                                      .authorizeRequests((authorize) -> authorize
                                              .anyRequest().authenticated()
                                      )
                                      .saml2Login(withDefaults())
                                      .saml2Logout(withDefaults());
                              return http.build();
                      }
      
                      @Bean
                      public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
                              RelyingPartyRegistration registration = RelyingPartyRegistrations
                                              .withMetadataLocation("https://ap.example.org/metadata")
                                              .registrationId("simple")
                                              .build();
                              return new InMemoryRelyingPartyRegistrationRepository(registration);
                      }
              }
       

      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      Since:
      5.6
    • saml2Logout

      @Deprecated(since="6.1", forRemoval=true) public Saml2LogoutConfigurer<HttpSecurity> saml2Logout() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use saml2Logout(Customizer) or saml2Logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures logout support for an SAML 2.0 Relying Party.

      Implements the Single Logout Profile, using POST and REDIRECT bindings, as documented in the SAML V2.0 Core, Profiles and Bindings specifications.

      As a prerequisite to using this feature, is that you have a SAML v2.0 Asserting Party to sent a logout request to. The representation of the relying party and the asserting party is contained within RelyingPartyRegistration.

      RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login().

      The default configuration provides an auto-generated logout endpoint at "/logout" and redirects to /login?logout when logout completes.

      Example Configuration

      The following example shows the minimal configuration required, using a hypothetical asserting party.
              @EnableWebSecurity
              @Configuration
              public class Saml2LogoutSecurityConfig {
                      @Bean
                      public SecurityFilterChain web(HttpSecurity http) throws Exception {
                              http
                                      .authorizeRequests()
                                              .anyRequest().authenticated()
                                              .and()
                                      .saml2Login()
                                              .and()
                                      .saml2Logout();
                              return http.build();
                      }
      
                      @Bean
                      public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
                              RelyingPartyRegistration registration = RelyingPartyRegistrations
                                              .withMetadataLocation("https://ap.example.org/metadata")
                                              .registrationId("simple")
                                              .build();
                              return new InMemoryRelyingPartyRegistrationRepository(registration);
                      }
              }
       

      Returns:
      the Saml2LoginConfigurer for further customizations
      Throws:
      Exception
      Since:
      5.6
    • saml2Metadata

      public HttpSecurity saml2Metadata(Customizer<Saml2MetadataConfigurer<HttpSecurity>> saml2MetadataConfigurer) throws Exception
      Configures a SAML 2.0 metadata endpoint that presents relying party configurations in an <md:EntityDescriptor> payload.

      By default, the endpoints are /saml2/metadata and /saml2/metadata/{registrationId} though note that also /saml2/service-provider-metadata/{registrationId} is recognized for backward compatibility purposes.

      Example Configuration

      The following example shows the minimal configuration required, using a hypothetical asserting party.
              @EnableWebSecurity
              @Configuration
              public class Saml2LogoutSecurityConfig {
                      @Bean
                      public SecurityFilterChain web(HttpSecurity http) throws Exception {
                              http
                                      .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
                                      .saml2Metadata(Customizer.withDefaults());
                              return http.build();
                      }
      
                      @Bean
                      public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
                              RelyingPartyRegistration registration = RelyingPartyRegistrations
                                              .withMetadataLocation("https://ap.example.org/metadata")
                                              .registrationId("simple")
                                              .build();
                              return new InMemoryRelyingPartyRegistrationRepository(registration);
                      }
              }
       
      Parameters:
      saml2MetadataConfigurer - the Customizer to provide more options for the Saml2MetadataConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      Since:
      6.1
    • saml2Metadata

      @Deprecated(since="6.1", forRemoval=true) public Saml2MetadataConfigurer<HttpSecurity> saml2Metadata() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use saml2Metadata(Customizer) or saml2Metadata(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures a SAML 2.0 metadata endpoint that presents relying party configurations in an <md:EntityDescriptor> payload.

      By default, the endpoints are /saml2/metadata and /saml2/metadata/{registrationId} though note that also /saml2/service-provider-metadata/{registrationId} is recognized for backward compatibility purposes.

      Example Configuration

      The following example shows the minimal configuration required, using a hypothetical asserting party.
              @EnableWebSecurity
              @Configuration
              public class Saml2LogoutSecurityConfig {
                      @Bean
                      public SecurityFilterChain web(HttpSecurity http) throws Exception {
                              http
                                      .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
                                      .saml2Metadata(Customizer.withDefaults());
                              return http.build();
                      }
      
                      @Bean
                      public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
                              RelyingPartyRegistration registration = RelyingPartyRegistrations
                                              .withMetadataLocation("https://ap.example.org/metadata")
                                              .registrationId("simple")
                                              .build();
                              return new InMemoryRelyingPartyRegistrationRepository(registration);
                      }
              }
       
      Returns:
      the Saml2MetadataConfigurer for further customizations
      Throws:
      Exception
      Since:
      6.1
    • oauth2Login

      @Deprecated(since="6.1", forRemoval=true) public OAuth2LoginConfigurer<HttpSecurity> oauth2Login() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.

      The "authentication flow" is implemented using the Authorization Code Grant, as specified in the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0 specification.

      As a prerequisite to using this feature, you must register a client with a provider. The client registration information may than be used for configuring a ClientRegistration using a ClientRegistration.Builder.

      ClientRegistration(s) are composed within a ClientRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via oauth2Login().clientRegistrationRepository(..).

      The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the clients with a link that is capable of initiating the "authentication flow".

      Example Configuration

      The following example shows the minimal configuration required, using Google as the Authentication Provider.
       @Configuration
       @EnableWebSecurity
       public class OAuth2LoginSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests()
                                      .anyRequest().authenticated()
                                      .and()
                              .oauth2Login();
                      return http.build();
              }
      
              @Bean
              public ClientRegistrationRepository clientRegistrationRepository() {
                      return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
              }
      
              private ClientRegistration googleClientRegistration() {
                      return ClientRegistration.withRegistrationId("google")
                              .clientId("google-client-id")
                              .clientSecret("google-client-secret")
                              .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                              .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                              .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                              .scope("openid", "profile", "email", "address", "phone")
                              .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
                              .tokenUri("https://www.googleapis.com/oauth2/v4/token")
                              .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
                              .userNameAttributeName(IdTokenClaimNames.SUB)
                              .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
                              .clientName("Google")
                              .build();
              }
       }
       

      For more advanced configuration, see OAuth2LoginConfigurer for available options to customize the defaults.

      Returns:
      the OAuth2LoginConfigurer for further customizations
      Throws:
      Exception
      Since:
      5.0
      See Also:
    • oauth2Login

      public HttpSecurity oauth2Login(Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginCustomizer) throws Exception
      Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.

      The "authentication flow" is implemented using the Authorization Code Grant, as specified in the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0 specification.

      As a prerequisite to using this feature, you must register a client with a provider. The client registration information may than be used for configuring a ClientRegistration using a ClientRegistration.Builder.

      ClientRegistration(s) are composed within a ClientRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via oauth2Login().clientRegistrationRepository(..).

      The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the clients with a link that is capable of initiating the "authentication flow".

      Example Configuration

      The following example shows the minimal configuration required, using Google as the Authentication Provider.
       @Configuration
       @EnableWebSecurity
       public class OAuth2LoginSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .anyRequest().authenticated()
                              )
                              .oauth2Login(withDefaults());
                      return http.build();
              }
      
              @Bean
              public ClientRegistrationRepository clientRegistrationRepository() {
                      return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
              }
      
              private ClientRegistration googleClientRegistration() {
                      return ClientRegistration.withRegistrationId("google")
                              .clientId("google-client-id")
                              .clientSecret("google-client-secret")
                              .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                              .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                              .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                              .scope("openid", "profile", "email", "address", "phone")
                              .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
                              .tokenUri("https://www.googleapis.com/oauth2/v4/token")
                              .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
                              .userNameAttributeName(IdTokenClaimNames.SUB)
                              .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
                              .clientName("Google")
                              .build();
              }
       }
       

      For more advanced configuration, see OAuth2LoginConfigurer for available options to customize the defaults.

      Parameters:
      oauth2LoginCustomizer - the Customizer to provide more options for the OAuth2LoginConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      See Also:
    • oidcLogout

      public OidcLogoutConfigurer<HttpSecurity> oidcLogout() throws Exception
      Throws:
      Exception
    • oidcLogout

      public HttpSecurity oidcLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oidcLogoutCustomizer) throws Exception
      Throws:
      Exception
    • oauth2Client

      @Deprecated(since="6.1", forRemoval=true) public OAuth2ClientConfigurer<HttpSecurity> oauth2Client() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures OAuth 2.0 Client support.
      Returns:
      the OAuth2ClientConfigurer for further customizations
      Throws:
      Exception
      Since:
      5.1
      See Also:
    • oauth2Client

      public HttpSecurity oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>> oauth2ClientCustomizer) throws Exception
      Configures OAuth 2.0 Client support.

      Example Configuration

      The following example demonstrates how to enable OAuth 2.0 Client support for all endpoints.
       @Configuration
       @EnableWebSecurity
       public class OAuth2ClientSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .anyRequest().authenticated()
                              )
                              .oauth2Client(withDefaults());
                      return http.build();
              }
       }
       
      Parameters:
      oauth2ClientCustomizer - the Customizer to provide more options for the OAuth2ClientConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      See Also:
    • oauth2ResourceServer

      @Deprecated(since="6.1", forRemoval=true) public OAuth2ResourceServerConfigurer<HttpSecurity> oauth2ResourceServer() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use oauth2ResourceServer(Customizer) instead
      Configures OAuth 2.0 Resource Server support.
      Returns:
      the OAuth2ResourceServerConfigurer for further customizations
      Throws:
      Exception
      Since:
      5.1
      See Also:
    • oauth2ResourceServer

      public HttpSecurity oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer) throws Exception
      Configures OAuth 2.0 Resource Server support.

      Example Configuration

      The following example demonstrates how to configure a custom JWT authentication converter.
       @Configuration
       @EnableWebSecurity
       public class OAuth2ResourceServerSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .anyRequest().authenticated()
                              )
                              .oauth2ResourceServer((oauth2ResourceServer) ->
                                      oauth2ResourceServer
                                              .jwt((jwt) ->
                                                      jwt
                                                              .decoder(jwtDecoder())
                                              )
                              );
                      return http.build();
              }
      
              @Bean
              public JwtDecoder jwtDecoder() {
                      return NimbusJwtDecoder.withPublicKey(this.key).build();
              }
       }
       
      Parameters:
      oauth2ResourceServerCustomizer - the Customizer to provide more options for the OAuth2ResourceServerConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      See Also:
    • requiresChannel

      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use requiresChannel(Customizer) or requiresChannel(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures channel security. In order for this configuration to be useful at least one mapping to a required channel must be provided.

      Example Configuration

      The example below demonstrates how to require HTTPs for every request. Only requiring HTTPS for some requests is supported, but not recommended since an application that allows for HTTP introduces many security vulnerabilities. For one such example, read about Firesheep.
       @Configuration
       @EnableWebSecurity
       public class ChannelSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
                                      .and().requiresChannel().anyRequest().requiresSecure();
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Returns:
      the ChannelSecurityConfigurer for further customizations
      Throws:
      Exception
    • requiresChannel

      public HttpSecurity requiresChannel(Customizer<ChannelSecurityConfigurer<HttpSecurity>.ChannelRequestMatcherRegistry> requiresChannelCustomizer) throws Exception
      Configures channel security. In order for this configuration to be useful at least one mapping to a required channel must be provided.

      Example Configuration

      The example below demonstrates how to require HTTPs for every request. Only requiring HTTPS for some requests is supported, but not recommended since an application that allows for HTTP introduces many security vulnerabilities. For one such example, read about Firesheep.
       @Configuration
       @EnableWebSecurity
       public class ChannelSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .formLogin(withDefaults())
                              .requiresChannel((requiresChannel) ->
                                      requiresChannel
                                              .anyRequest().requiresSecure()
                              );
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Parameters:
      requiresChannelCustomizer - the Customizer to provide more options for the ChannelSecurityConfigurer.ChannelRequestMatcherRegistry
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • httpBasic

      @Deprecated(since="6.1", forRemoval=true) public HttpBasicConfigurer<HttpSecurity> httpBasic() throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures HTTP Basic authentication.

      Example Configuration

      The example below demonstrates how to configure HTTP Basic authentication for an application. The default realm is "Realm", but can be customized using HttpBasicConfigurer.realmName(String).
       @Configuration
       @EnableWebSecurity
       public class HttpBasicSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().httpBasic();
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Returns:
      the HttpBasicConfigurer for further customizations
      Throws:
      Exception
    • httpBasic

      public HttpSecurity httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> httpBasicCustomizer) throws Exception
      Configures HTTP Basic authentication.

      Example Configuration

      The example below demonstrates how to configure HTTP Basic authentication for an application. The default realm is "Realm", but can be customized using HttpBasicConfigurer.realmName(String).
       @Configuration
       @EnableWebSecurity
       public class HttpBasicSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests((authorizeRequests) ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .httpBasic(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Parameters:
      httpBasicCustomizer - the Customizer to provide more options for the HttpBasicConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • passwordManagement

      public HttpSecurity passwordManagement(Customizer<PasswordManagementConfigurer<HttpSecurity>> passwordManagementCustomizer) throws Exception
      Adds support for the password management.

      Example Configuration

      The example below demonstrates how to configure password management for an application. The default change password page is "/change-password", but can be customized using PasswordManagementConfigurer.changePasswordPage(String).
       @Configuration
       @EnableWebSecurity
       public class PasswordManagementSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .authorizeRequests(authorizeRequests ->
                                      authorizeRequests
                                              .requestMatchers("/**").hasRole("USER")
                              )
                              .passwordManagement(passwordManagement ->
                                      passwordManagement
                                              .changePasswordPage("/custom-change-password-page")
                              );
                      return http.build();
              }
       }
       
      Parameters:
      passwordManagementCustomizer - the Customizer to provide more options for the PasswordManagementConfigurer
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
      Since:
      5.6
    • authenticationManager

      public HttpSecurity authenticationManager(AuthenticationManager authenticationManager)
      Configure the default AuthenticationManager.
      Parameters:
      authenticationManager - the AuthenticationManager to use
      Returns:
      the HttpSecurity for further customizations
      Since:
      5.6
    • setSharedObject

      public <C> void setSharedObject(Class<C> sharedType, C object)
      Description copied from class: AbstractConfiguredSecurityBuilder
      Sets an object that is shared by multiple SecurityConfigurer.
      Specified by:
      setSharedObject in interface HttpSecurityBuilder<HttpSecurity>
      Overrides:
      setSharedObject in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
      Parameters:
      sharedType - the Class to key the shared object by.
      object - the Object to store
    • beforeConfigure

      protected void beforeConfigure() throws Exception
      Description copied from class: AbstractConfiguredSecurityBuilder
      Invoked prior to invoking each SecurityConfigurer.configure(SecurityBuilder) method. Subclasses may override this method to hook into the lifecycle without using a SecurityConfigurer.
      Overrides:
      beforeConfigure in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
      Throws:
      Exception
    • performBuild

      protected DefaultSecurityFilterChain performBuild()
      Description copied from class: AbstractConfiguredSecurityBuilder
      Subclasses must implement this method to build the object that is being returned.
      Specified by:
      performBuild in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
      Returns:
      the Object to be buit or null if the implementation allows it
    • authenticationProvider

      public HttpSecurity authenticationProvider(AuthenticationProvider authenticationProvider)
      Description copied from interface: HttpSecurityBuilder
      Allows adding an additional AuthenticationProvider to be used
      Specified by:
      authenticationProvider in interface HttpSecurityBuilder<HttpSecurity>
      Parameters:
      authenticationProvider - the AuthenticationProvider to be added
      Returns:
      the HttpSecurity for further customizations
    • userDetailsService

      public HttpSecurity userDetailsService(UserDetailsService userDetailsService) throws Exception
      Description copied from interface: HttpSecurityBuilder
      Allows adding an additional UserDetailsService to be used
      Specified by:
      userDetailsService in interface HttpSecurityBuilder<HttpSecurity>
      Parameters:
      userDetailsService - the UserDetailsService to be added
      Returns:
      the HttpSecurity for further customizations
      Throws:
      Exception
    • addFilterAfter

      public HttpSecurity addFilterAfter(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> afterFilter)
      Description copied from interface: HttpSecurityBuilder
      Allows adding a Filter after one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).
      Specified by:
      addFilterAfter in interface HttpSecurityBuilder<HttpSecurity>
      Parameters:
      filter - the Filter to register after the type afterFilter
      afterFilter - the Class of the known Filter.
      Returns:
      the HttpSecurity for further customizations
    • addFilterBefore

      public HttpSecurity addFilterBefore(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> beforeFilter)
      Description copied from interface: HttpSecurityBuilder
      Allows adding a Filter before one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).
      Specified by:
      addFilterBefore in interface HttpSecurityBuilder<HttpSecurity>
      Parameters:
      filter - the Filter to register before the type beforeFilter
      beforeFilter - the Class of the known Filter.
      Returns:
      the HttpSecurity for further customizations
    • addFilter

      public HttpSecurity addFilter(jakarta.servlet.Filter filter)
      Description copied from interface: HttpSecurityBuilder
      Specified by:
      addFilter in interface HttpSecurityBuilder<HttpSecurity>
      Parameters:
      filter - the Filter to add
      Returns:
      the HttpSecurity for further customizations
    • addFilterAt

      public HttpSecurity addFilterAt(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> atFilter)
      Adds the Filter at the location of the specified Filter class. For example, if you want the filter CustomFilter to be registered in the same position as UsernamePasswordAuthenticationFilter, you can invoke:
       addFilterAt(new CustomFilter(), UsernamePasswordAuthenticationFilter.class)
       
      Registration of multiple Filters in the same location means their ordering is not deterministic. More concretely, registering multiple Filters in the same location does not override existing Filters. Instead, do not register Filters you do not want to use.
      Parameters:
      filter - the Filter to register
      atFilter - the location of another Filter that is already registered (i.e. known) with Spring Security.
      Returns:
      the HttpSecurity for further customizations
    • securityMatchers

      @Deprecated(since="6.1", forRemoval=true) public HttpSecurity.RequestMatcherConfigurer securityMatchers()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use securityMatchers(Customizer) or securityMatchers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using securityMatcher(String...), or securityMatcher(RequestMatcher).

      Invoking securityMatchers() will not override previous invocations of securityMatchers()}, securityMatchers(Customizer) securityMatcher(String...) and securityMatcher(RequestMatcher)

      Example Configurations

      The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/".
       @Configuration
       @EnableWebSecurity
       public class RequestMatchersSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .securityMatchers((matchers) -> matchers
                                      .requestMatchers("/api/**", "/oauth/**")
                              )
                              .authorizeHttpRequests((authorize) -> authorize
                                      anyRequest().hasRole("USER")
                              )
                              .httpBasic(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      The configuration below is the same as the previous configuration.
       @Configuration
       @EnableWebSecurity
       public class RequestMatchersSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .securityMatchers((matchers) -> matchers
                                      .requestMatchers("/api/**")
                                      .requestMatchers("/oauth/**")
                              )
                              .authorizeHttpRequests((authorize) -> authorize
                                      anyRequest().hasRole("USER")
                              )
                              .httpBasic(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      The configuration below is also the same as the above configuration.
       @Configuration
       @EnableWebSecurity
       public class RequestMatchersSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .securityMatchers((matchers) -> matchers
                                      .requestMatchers("/api/**")
                              )
                              .securityMatchers((matchers) -> matchers
                                      .requestMatchers("/oauth/**")
                              )
                              .authorizeHttpRequests((authorize) -> authorize
                                      anyRequest().hasRole("USER")
                              )
                              .httpBasic(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Returns:
      the HttpSecurity.RequestMatcherConfigurer for further customizations
    • securityMatchers

      public HttpSecurity securityMatchers(Customizer<HttpSecurity.RequestMatcherConfigurer> requestMatcherCustomizer)
      Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using securityMatcher(String...), or securityMatcher(RequestMatcher).

      Invoking securityMatchers(Customizer) will not override previous invocations of securityMatchers()}, securityMatchers(Customizer) securityMatcher(String...) and securityMatcher(RequestMatcher)

      Example Configurations

      The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/".
       @Configuration
       @EnableWebSecurity
       public class RequestMatchersSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .securityMatchers((matchers) -> matchers
                                      .requestMatchers("/api/**", "/oauth/**")
                              )
                              .authorizeHttpRequests((authorize) -> authorize
                                      .anyRequest().hasRole("USER")
                              )
                              .httpBasic(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      The configuration below is the same as the previous configuration.
       @Configuration
       @EnableWebSecurity
       public class RequestMatchersSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .securityMatchers((matchers) -> matchers
                                      .requestMatchers("/api/**")
                                      .requestMatchers("/oauth/**")
                              )
                              .authorizeHttpRequests((authorize) -> authorize
                                      .anyRequest().hasRole("USER")
                              )
                              .httpBasic(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      The configuration below is also the same as the above configuration.
       @Configuration
       @EnableWebSecurity
       public class RequestMatchersSecurityConfig {
      
              @Bean
              public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                      http
                              .securityMatchers((matchers) -> matchers
                                      .requestMatchers("/api/**")
                              )
                              .securityMatchers((matchers) -> matchers
                                      .requestMatchers("/oauth/**")
                              )
                              .authorizeHttpRequests((authorize) -> authorize
                                      .anyRequest().hasRole("USER")
                              )
                              .httpBasic(withDefaults());
                      return http.build();
              }
      
              @Bean
              public UserDetailsService userDetailsService() {
                      UserDetails user = User.withDefaultPasswordEncoder()
                              .username("user")
                              .password("password")
                              .roles("USER")
                              .build();
                      return new InMemoryUserDetailsManager(user);
              }
       }
       
      Parameters:
      requestMatcherCustomizer - the Customizer to provide more options for the HttpSecurity.RequestMatcherConfigurer
      Returns:
      the HttpSecurity for further customizations
    • securityMatcher

      public HttpSecurity securityMatcher(RequestMatcher requestMatcher)
      Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher. If more advanced configuration is necessary, consider using securityMatchers(Customizer) ()}.

      Invoking securityMatcher(RequestMatcher) will override previous invocations of securityMatcher(RequestMatcher), securityMatcher(String...), securityMatchers(Customizer) and securityMatchers()

      Parameters:
      requestMatcher - the RequestMatcher to use (i.e. new AntPathRequestMatcher("/admin/**","GET") )
      Returns:
      the HttpSecurity for further customizations
      See Also:
    • securityMatcher

      public HttpSecurity securityMatcher(String... patterns)
      Allows configuring the HttpSecurity to only be invoked when matching the provided pattern. This method creates a MvcRequestMatcher if Spring MVC is in the classpath or creates an AntPathRequestMatcher if not. If more advanced configuration is necessary, consider using securityMatchers(Customizer) or securityMatcher(RequestMatcher).

      Invoking securityMatcher(String...) will override previous invocations of securityMatcher(String...) (String)}}, securityMatcher(RequestMatcher) ()}, securityMatchers(Customizer) (String)} and securityMatchers() (String)}.

      Parameters:
      patterns - the pattern to match on (i.e. "/admin/**")
      Returns:
      the HttpSecurity for further customizations
      See Also: