Class HttpSecurity
- All Implemented Interfaces: SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity>

HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration. It allows configuring web based security for specific HTTP requests. By default it is applied to all requests, but it can be restricted to a subset of them using securityMatcher(RequestMatcher) or similar methods such as securityMatcher(String...).
Example Usage
The most basic form based configuration can be seen below. The configuration requires that any requested URL be accessed by a User with the role "ROLE_USER". It also defines an in memory authentication scheme with a user that has the username "user", the password "password", and the role "ROLE_USER". For additional examples, refer to the Java Doc of individual methods on HttpSecurity.

```java
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // withDefaultPasswordEncoder() is for demos and samples only: the plaintext
        // password lives in source. Real applications supply a PasswordEncoder bean and
        // store hashed credentials.
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```
- Since: 3.2
Nested Class Summary
- class HttpSecurity.RequestMatcherConfigurer: Allows mapping HTTP requests that this HttpSecurity will be used for.

Constructor Summary
- HttpSecurity(ObjectPostProcessor<Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, Map<Class<?>, Object> sharedObjects): Creates a new instance.
Method Summary
- addFilter(jakarta.servlet.Filter filter): Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework.
- addFilterAfter(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> afterFilter): Allows adding a Filter after one of the known Filter classes.
- addFilterAt(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> atFilter): Adds the Filter at the location of the specified Filter class.
- addFilterBefore(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> beforeFilter): Allows adding a Filter before one of the known Filter classes.
- anonymous(): Deprecated, for removal in 7.0.
- anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anonymousCustomizer): Allows configuring how an anonymous user is represented.
- authenticationManager(AuthenticationManager authenticationManager): Configure the default AuthenticationManager.
- authenticationProvider(AuthenticationProvider authenticationProvider): Allows adding an additional AuthenticationProvider to be used.
- authorizeHttpRequests(): Deprecated, for removal in 7.0.
- authorizeHttpRequests(Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer): Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).
- authorizeRequests(): Deprecated, for removal in 7.0. Use authorizeHttpRequests() instead.
- authorizeRequests(Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer): Deprecated, for removal in 7.0.
- protected void beforeConfigure(): Invoked prior to invoking each SecurityConfigurer.configure(SecurityBuilder) method.
- cors(): Deprecated, for removal in 7.0.
- cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer): Adds a CorsFilter to be used.
- csrf(): Deprecated, for removal in 7.0.
- csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer): Enables CSRF protection.
- exceptionHandling(): Deprecated, for removal in 7.0.
- exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer): Allows configuring exception handling.
- formLogin(): Deprecated, for removal in 7.0.
- formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> formLoginCustomizer): Specifies to support form based authentication.
- headers(): Deprecated, for removal in 7.0.
- headers(Customizer<HeadersConfigurer<HttpSecurity>> headersCustomizer): Adds the Security headers to the response.
- httpBasic(): Deprecated, for removal in 7.0.
- httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> httpBasicCustomizer): Configures HTTP Basic authentication.
- jee(): Deprecated, for removal in 7.0.
- jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer): Configures container based pre authentication.
- logout(): Deprecated, for removal in 7.0.
- logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer): Provides logout support.
- oauth2Client(): Deprecated, for removal in 7.0.
- oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>> oauth2ClientCustomizer): Configures OAuth 2.0 Client support.
- oauth2Login(): Deprecated, for removal in 7.0.
- oauth2Login(Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginCustomizer): Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.
- oauth2ResourceServer(): Deprecated, for removal in 7.0.
- oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer): Configures OAuth 2.0 Resource Server support.
- oidcLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oidcLogoutCustomizer)
- passwordManagement(Customizer<PasswordManagementConfigurer<HttpSecurity>> passwordManagementCustomizer): Adds support for the password management.
- protected DefaultSecurityFilterChain performBuild(): Subclasses must implement this method to build the object that is being returned.
- portMapper(): Deprecated, for removal in 7.0.
- portMapper(Customizer<PortMapperConfigurer<HttpSecurity>> portMapperCustomizer): Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class).
- rememberMe(): Deprecated, for removal in 7.0.
- rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> rememberMeCustomizer): Allows configuring of Remember Me authentication.
- requestCache(): Deprecated, for removal in 7.0.
- requestCache(Customizer<RequestCacheConfigurer<HttpSecurity>> requestCacheCustomizer): Allows configuring the Request Cache.
- requiresChannel(): Deprecated, for removal in 7.0.
- requiresChannel(Customizer<ChannelSecurityConfigurer<HttpSecurity>.ChannelRequestMatcherRegistry> requiresChannelCustomizer): Configures channel security.
- saml2Login(): Deprecated, for removal in 7.0.
- saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> saml2LoginCustomizer): Configures authentication support using a SAML 2.0 Service Provider.
- saml2Logout(): Deprecated, for removal in 7.0.
- saml2Logout(Customizer<Saml2LogoutConfigurer<HttpSecurity>> saml2LogoutCustomizer): Configures logout support for a SAML 2.0 Relying Party.
- saml2Metadata(): Deprecated, for removal in 7.0.
- saml2Metadata(Customizer<Saml2MetadataConfigurer<HttpSecurity>> saml2MetadataConfigurer): Configures a SAML 2.0 metadata endpoint that presents relying party configurations in an <md:EntityDescriptor> payload.
- securityContext(): Deprecated, for removal in 7.0.
- securityContext(Customizer<SecurityContextConfigurer<HttpSecurity>> securityContextCustomizer): Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequests.
- securityMatcher(String... patterns): Allows configuring the HttpSecurity to only be invoked when matching the provided pattern.
- securityMatcher(RequestMatcher requestMatcher): Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher.
- securityMatchers(): Deprecated, for removal in 7.0.
- securityMatchers(Customizer<HttpSecurity.RequestMatcherConfigurer> requestMatcherCustomizer): Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on.
- servletApi(): Deprecated, for removal in 7.0.
- servletApi(Customizer<ServletApiConfigurer<HttpSecurity>> servletApiCustomizer): Integrates the HttpServletRequest methods with the values found on the SecurityContext.
- sessionManagement(): Deprecated, for removal in 7.0.
- sessionManagement(Customizer<SessionManagementConfigurer<HttpSecurity>> sessionManagementCustomizer): Allows configuring of Session Management.
- <C> void setSharedObject(Class<C> sharedType, C object): Sets an object that is shared by multiple SecurityConfigurer.
- userDetailsService(UserDetailsService userDetailsService): Allows adding an additional UserDetailsService to be used.
- x509(): Deprecated, for removal in 7.0.
- x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer): Configures X509 based pre authentication.
Methods inherited from class org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder
apply, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers, with
Methods inherited from class org.springframework.security.config.annotation.AbstractSecurityBuilder
build, getObject
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.springframework.security.config.annotation.web.HttpSecurityBuilder
getConfigurer, getSharedObject, removeConfigurer
Methods inherited from interface org.springframework.security.config.annotation.SecurityBuilder
build
Constructor Details

HttpSecurity
public HttpSecurity(ObjectPostProcessor<Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, Map<Class<?>, Object> sharedObjects)
Creates a new instance.
- Parameters:
  objectPostProcessor - the ObjectPostProcessor that should be used
  authenticationBuilder - the AuthenticationManagerBuilder to use for additional updates
  sharedObjects - the shared Objects to initialize the HttpSecurity with
Method Details

headers
@Deprecated(since="6.1", forRemoval=true)
public HeadersConfigurer<HttpSecurity> headers() throws Exception
Deprecated, for removal in 7.0. Use headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Adds the Security headers to the response. This is activated by default when using EnableWebSecurity. Accepting the default provided by EnableWebSecurity, or only invoking headers() without invoking additional methods on it, is the equivalent of:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers()
                .contentTypeOptions().and()
                .xssProtection().and()
                .cacheControl().and()
                .httpStrictTransportSecurity().and()
                .frameOptions().and(); // ... further configuration
        return http.build();
    }
}
```

You can disable the headers using the following:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers().disable(); // ... further configuration
        return http.build();
    }
}
```

You can enable only a few of the headers by first invoking HeadersConfigurer.defaultsDisabled() and then invoking the appropriate methods on the headers() result. For example, the following will enable HeadersConfigurer.cacheControl() and HeadersConfigurer.frameOptions() only.

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers()
                .defaultsDisabled()
                .cacheControl().and()
                .frameOptions().and(); // ... further configuration
        return http.build();
    }
}
```

You can also choose to keep the defaults but explicitly disable a subset of headers. For example, the following will enable all the default headers except HeadersConfigurer.frameOptions().

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers()
                .frameOptions().disable()
                .and(); // ... further configuration
        return http.build();
    }
}
```
- Returns: the HeadersConfigurer for further customizations
- Throws: Exception
headers
public HttpSecurity headers(Customizer<HeadersConfigurer<HttpSecurity>> headersCustomizer) throws Exception
Adds the Security headers to the response. This is activated by default when using EnableWebSecurity.
Example Configurations
Accepting the default provided by EnableWebSecurity, or only invoking headers(withDefaults()) without invoking additional methods on it, is the equivalent of:

```java
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers((headers) -> headers
                .contentTypeOptions(withDefaults())
                .xssProtection(withDefaults())
                .cacheControl(withDefaults())
                .httpStrictTransportSecurity(withDefaults())
                .frameOptions(withDefaults())
            );
        return http.build();
    }
}
```

You can disable the headers using the following:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers((headers) -> headers.disable());
        return http.build();
    }
}
```

You can enable only a few of the headers by first invoking HeadersConfigurer.defaultsDisabled() and then invoking the appropriate methods on the HeadersConfigurer. For example, the following will enable HeadersConfigurer.cacheControl() and HeadersConfigurer.frameOptions() only.

```java
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers((headers) -> headers
                .defaultsDisabled()
                .cacheControl(withDefaults())
                .frameOptions(withDefaults())
            );
        return http.build();
    }
}
```

You can also choose to keep the defaults but explicitly disable a subset of headers. For example, the following will enable all the default headers except HeadersConfigurer.frameOptions().

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers((headers) -> headers
                .frameOptions((frameOptions) -> frameOptions.disable())
            );
        return http.build();
    }
}
```
- Parameters: headersCustomizer - the Customizer to provide more options for the HeadersConfigurer
- Returns: the HttpSecurity for further customizations
- Throws: Exception
-
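The examples above only switch default headers on and off. The configuration below, added here and not taken from the Spring Security Javadoc, keeps the defaults and tightens the ones that matter most for a browser-facing application: HSTS with subdomains and preload, X-Frame-Options DENY instead of SAMEORIGIN, an explicit Content-Security-Policy and a Referrer-Policy. The CSP directive string and the one-year HSTS lifetime are illustrative values to be adjusted per site.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

@Configuration
@EnableWebSecurity
public class HardenedHeadersConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers((headers) -> headers
                // Strict-Transport-Security: one year, cover subdomains, eligible for browser
                // preload lists. The writer only adds the header to responses for secure
                // (HTTPS) requests, so a plain HTTP dev setup never sees it.
                .httpStrictTransportSecurity((hsts) -> hsts
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(true)
                    .preload(true)
                )
                // X-Frame-Options: DENY. The default SAMEORIGIN still allows framing by any
                // page on the same origin; DENY is right for an app that is never framed.
                .frameOptions((frameOptions) -> frameOptions.deny())
                // Content-Security-Policy: restrictive baseline. frame-ancestors 'none' is the
                // modern counterpart of X-Frame-Options; object-src 'none' blocks plugins.
                .contentSecurityPolicy((csp) -> csp
                    .policyDirectives("default-src 'self'; frame-ancestors 'none'; object-src 'none'")
                )
                // Referrer-Policy: keep full URLs (which may carry tokens or record ids) out of
                // the Referer header on cross-origin navigations.
                .referrerPolicy((referrer) -> referrer
                    .policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
                )
            );
        return http.build();
    }
}
```

Cache-Control, X-Content-Type-Options and the rest of the defaults stay in place because defaultsDisabled() was not called. Verify the result with `curl -sI https://host/` rather than trusting the configuration: a reverse proxy in front of the application can strip or override these headers.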
cors
@Deprecated(since="6.1", forRemoval=true)
public CorsConfigurer<HttpSecurity> cors() throws Exception
Deprecated, for removal in 7.0. Use cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Adds a CorsFilter to be used. If a bean by the name of corsFilter is provided, that CorsFilter is used. Else if corsConfigurationSource is defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is on the classpath a HandlerMappingIntrospector is used.
- Returns: the CorsConfigurer for customizations
- Throws: Exception
cors
public HttpSecurity cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer) throws Exception
Adds a CorsFilter to be used. If a bean by the name of corsFilter is provided, that CorsFilter is used. Else if corsConfigurationSource is defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is on the classpath a HandlerMappingIntrospector is used. You can enable CORS using:

```java
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class CorsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .cors(withDefaults());
        return http.build();
    }
}
```
- Parameters: corsCustomizer - the Customizer to provide more options for the CorsConfigurer
- Returns: the HttpSecurity for further customizations
- Throws: Exception
-
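The text above says cors() falls back to a bean named corsConfigurationSource. The example below, added here and not part of the Spring Security Javadoc, defines that bean with an explicit policy instead of relying on whatever Spring MVC's HandlerMappingIntrospector finds on controllers. The origin, paths and header names are illustrative.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class ExplicitCorsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Picks up the corsConfigurationSource bean below. Spring Security places the
            // CorsFilter ahead of authentication, so pre-flight OPTIONS requests are answered
            // without credentials and never reach the authorization rules.
            .cors(withDefaults())
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            .httpBasic(withDefaults());
        return http.build();
    }

    // The bean name matters: HttpSecurity.cors() looks for "corsConfigurationSource" when
    // no "corsFilter" bean exists.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Exact origins only. "*" together with allowCredentials(true) would let any site
        // read responses that carry the victim's cookies or Authorization header;
        // CorsConfiguration rejects that combination at validation time.
        config.setAllowedOrigins(List.of("https://app.example.com"));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-Requested-With"));
        config.setAllowCredentials(true);
        config.setMaxAge(3600L); // browsers may cache the pre-flight result for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Only the API is meant to be called cross-origin; everything else gets no CORS
        // headers and the browser blocks cross-origin reads.
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```

Check the policy from the browser's point of view with a pre-flight: `curl -si -X OPTIONS -H 'Origin: https://evil.example' -H 'Access-Control-Request-Method: GET' https://host/api/items` should return no Access-Control-Allow-Origin header, while the same request with the allowed origin should echo it back.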
sessionManagement
@Deprecated(since="6.1", forRemoval=true)
public SessionManagementConfigurer<HttpSecurity> sessionManagement() throws Exception
Deprecated, for removal in 7.0. Use sessionManagement(Customizer) or sessionManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows configuring of Session Management.
Example Configuration
The following configuration demonstrates how to enforce that only a single instance of a user is authenticated at a time. If a user authenticates with the username "user" without logging out and a second attempt to authenticate as "user" is made, the first session is forcibly terminated and sent to the "/login?expired" URL.

```java
@Configuration
@EnableWebSecurity
public class SessionManagementSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin()
            .permitAll().and().sessionManagement().maximumSessions(1)
            .expiredUrl("/login?expired");
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // Demo-only credential setup; see the class-level example.
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

When using SessionManagementConfigurer.maximumSessions(int), do not forget to configure HttpSessionEventPublisher for the application to ensure that expired sessions are cleaned up. In a web.xml this can be configured using the following:

```xml
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```

Alternatively, AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher() could return true.
- Returns: the SessionManagementConfigurer for further customizations
- Throws: Exception
sessionManagement
public HttpSecurity sessionManagement(Customizer<SessionManagementConfigurer<HttpSecurity>> sessionManagementCustomizer) throws Exception
Allows configuring of Session Management.
Example Configuration
The following configuration demonstrates how to enforce that only a single instance of a user is authenticated at a time. If a user authenticates with the username "user" without logging out and a second attempt to authenticate as "user" is made, the first session is forcibly terminated and sent to the "/login?expired" URL.

```java
@Configuration
@EnableWebSecurity
public class SessionManagementSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .anyRequest().hasRole("USER")
            )
            .formLogin((formLogin) -> formLogin
                .permitAll()
            )
            .sessionManagement((sessionManagement) -> sessionManagement
                .sessionConcurrency((sessionConcurrency) -> sessionConcurrency
                    .maximumSessions(1)
                    .expiredUrl("/login?expired")
                )
            );
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // Demo-only credential setup; see the class-level example.
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

When using SessionManagementConfigurer.maximumSessions(int), do not forget to configure HttpSessionEventPublisher for the application to ensure that expired sessions are cleaned up. In a web.xml this can be configured using the following:

```xml
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```

Alternatively, AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher() could return true.
- Parameters: sessionManagementCustomizer - the Customizer to provide more options for the SessionManagementConfigurer
- Returns: the HttpSecurity for further customizations
- Throws: Exception
-
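The examples above show concurrency control with the default behaviour (the older session is expired) and the web.xml listener. The configuration below, added here and not part of the Spring Security Javadoc, combines the session controls a reviewer usually asks for in one place: session fixation protection, an invalid-session landing page, and concurrency control that rejects the second login rather than evicting the first. It registers HttpSessionEventPublisher as a bean, which Spring Boot installs as a servlet listener; outside Boot, use the web.xml listener or the enableHttpSessionEventPublisher() override mentioned above. The URLs are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SessionHardeningConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            .formLogin(withDefaults())
            .sessionManagement((session) -> session
                // Create a session only when something needs one.
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // Session fixation: the default changeSessionId() already issues a new id at
                // login; newSession() additionally discards attributes set before login, so
                // nothing planted in the pre-authentication session survives.
                .sessionFixation((fixation) -> fixation.newSession())
                // Where to send a request that presents an id for a session that no longer
                // exists (timed out, or expired by concurrency control).
                .invalidSessionUrl("/login?invalid")
                .sessionConcurrency((concurrency) -> concurrency
                    .maximumSessions(1)
                    // Reject the second login instead of expiring the first session. With the
                    // default (false) a stolen password silently logs out the real user; with
                    // true the attacker is refused while the legitimate session is active.
                    .maxSessionsPreventsLogin(true)
                    .expiredUrl("/login?expired")
                )
            );
        return http.build();
    }

    // Required for concurrency control: the SessionRegistry only learns that a session was
    // destroyed through this listener. Without it, logged-out sessions are still counted
    // and, with maxSessionsPreventsLogin(true), users lock themselves out until timeout.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Test the lock-out path explicitly: log in from one browser, attempt a second login with the same account from another, confirm the second is refused, then log out from the first and confirm the second now succeeds. If the second login keeps failing after logout, the listener is not registered.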
portMapper
@Deprecated(since="6.1", forRemoval=true)
public PortMapperConfigurer<HttpSecurity> portMapper() throws Exception
Deprecated, for removal in 7.0. Use portMapper(Customizer) or portMapper(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). Other provided SecurityConfigurer objects use this configured PortMapper as a default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to HTTP (for example when used in combination with requiresChannel()). By default Spring Security uses a PortMapperImpl which maps the HTTP port 8080 to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.
Example Configuration
The following configuration will ensure that redirects within Spring Security from the HTTP port 9090 go to the HTTPS port 9443, and from the HTTP port 80 to the HTTPS port 443.

```java
@Configuration
@EnableWebSecurity
public class PortMapperSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
            .permitAll().and()
            // Example portMapper() configuration
            .portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443);
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // Demo-only credential setup; see the class-level example.
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```
- Returns: the PortMapperConfigurer for further customizations
- Throws: Exception
portMapper
public HttpSecurity portMapper(Customizer<PortMapperConfigurer<HttpSecurity>> portMapperCustomizer) throws Exception
Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). Other provided SecurityConfigurer objects use this configured PortMapper as a default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to HTTP (for example when used in combination with requiresChannel()). By default Spring Security uses a PortMapperImpl which maps the HTTP port 8080 to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.
Example Configuration
The following configuration will ensure that redirects within Spring Security from the HTTP port 9090 go to the HTTPS port 9443, and from the HTTP port 80 to the HTTPS port 443. Here requiresChannel() is what triggers the redirect; the port mapping alone changes nothing.

```java
@Configuration
@EnableWebSecurity
public class PortMapperSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .requiresChannel((requiresChannel) -> requiresChannel
                .anyRequest().requiresSecure()
            )
            .portMapper((portMapper) -> portMapper
                .http(9090).mapsTo(9443)
                .http(80).mapsTo(443)
            );
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // Demo-only credential setup; see the class-level example.
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```
- Parameters: portMapperCustomizer - the Customizer to provide more options for the PortMapperConfigurer
- Returns: the HttpSecurity for further customizations
- Throws: Exception
-
jee
@Deprecated(since="6.1", forRemoval=true)
public JeeConfigurer<HttpSecurity> jee() throws Exception
Deprecated, for removal in 7.0. Use jee(Customizer) or jee(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Configures container based pre authentication. In this case, authentication is managed by the Servlet Container.
Example Configuration
The following configuration will use the principal found on the HttpServletRequest and, if the user is in the role "ROLE_USER" or "ROLE_ADMIN", will add that role to the resulting Authentication.

```java
@Configuration
@EnableWebSecurity
public class JeeSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").and()
            // Example jee() configuration: "USER" and "ADMIN" are checked against the
            // container as ROLE_USER and ROLE_ADMIN, matching the security-role names below.
            .jee().mappableRoles("USER", "ADMIN");
        return http.build();
    }
}
```

Developers wishing to use pre authentication with the container will need to ensure their web.xml configures the security constraints. For example, the web.xml (there is no equivalent Java based configuration supported by the Servlet specification) might look like:

```xml
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login?error</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>ROLE_USER</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <description>Matches unconstrained pages</description>
        <url-pattern>/login</url-pattern>
        <url-pattern>/logout</url-pattern>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Areas</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
</security-constraint>
```

Last, you will need to configure your container to contain the user with the correct roles. This configuration is specific to the Servlet Container, so consult your Servlet Container's documentation.
- Returns: the JeeConfigurer for further customizations
- Throws: Exception
jee
public HttpSecurity jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer) throws Exception
Configures container based pre authentication. In this case, authentication is managed by the Servlet Container.
Example Configuration
The following configuration will use the principal found on the HttpServletRequest and, if the user is in the role "ROLE_USER" or "ROLE_ADMIN", will add that role to the resulting Authentication.

```java
@Configuration
@EnableWebSecurity
public class JeeSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .jee((jee) -> jee
                // "USER" and "ADMIN" are checked against the container as ROLE_USER and
                // ROLE_ADMIN, matching the security-role names in web.xml below.
                .mappableRoles("USER", "ADMIN")
            );
        return http.build();
    }
}
```

Developers wishing to use pre authentication with the container will need to ensure their web.xml configures the security constraints. For example, the web.xml (there is no equivalent Java based configuration supported by the Servlet specification) might look like:

```xml
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login?error</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>ROLE_USER</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <description>Matches unconstrained pages</description>
        <url-pattern>/login</url-pattern>
        <url-pattern>/logout</url-pattern>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Areas</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
</security-constraint>
```

Last, you will need to configure your container to contain the user with the correct roles. This configuration is specific to the Servlet Container, so consult your Servlet Container's documentation.
- Parameters: jeeCustomizer - the Customizer to provide more options for the JeeConfigurer
- Returns: the HttpSecurity for further customizations
- Throws: Exception
x509
@Deprecated(since="6.1", forRemoval=true)
public X509Configurer<HttpSecurity> x509() throws Exception
Deprecated, for removal in 7.0. Use x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Configures X509 based pre authentication.
Example Configuration
The following configuration will attempt to extract the username from the X509 certificate. Remember that the Servlet Container will need to be configured to request client certificates in order for this to work.

```java
@Configuration
@EnableWebSecurity
public class X509SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").and()
            // Example x509() configuration
            .x509();
        return http.build();
    }
}
```
- Returns: the X509Configurer for further customizations
- Throws: Exception
x509
public HttpSecurity x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer) throws Exception
Configures X509 based pre authentication.
Example Configuration
The following configuration will attempt to extract the username from the X509 certificate. Remember that the Servlet Container will need to be configured to request client certificates in order for this to work.

```java
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class X509SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .x509(withDefaults());
        return http.build();
    }
}
```
- Parameters: x509Customizer - the Customizer to provide more options for the X509Configurer
- Returns: the HttpSecurity for further customizations
- Throws: Exception
-
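The examples above leave two things implicit: which part of the certificate becomes the username, and how that username turns into authorities. The configuration below, added here and not part of the Spring Security Javadoc, makes both explicit: it states the Subject DN regex (the value shown is the configurer's default, first CN) and maps certificate CNs to roles through a dedicated UserDetailsService. The two CNs and their roles are constructed sample data; the passwords are placeholders because X.509 pre-authentication never checks them.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ClientCertificateSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().hasRole("USER")
            )
            .x509((x509) -> x509
                // Username = first CN of the Subject DN. Written out so a reviewer can see
                // exactly which certificate field is trusted as identity.
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                // Map the CN to authorities. A CN that is not listed throws
                // UsernameNotFoundException, the request stays unauthenticated and the
                // authorization rules above deny it.
                .userDetailsService(certificateUsers())
            )
            // Every request carries the certificate, so no session is needed; not creating
            // one removes session-based attacks from the picture entirely.
            .sessionManagement((session) -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            );
        return http.build();
    }

    // Constructed sample mapping from certificate CN to roles.
    @Bean
    public UserDetailsService certificateUsers() {
        UserDetails batchJob = User.withUsername("batch-job-01")
            .password("{noop}unused")
            .roles("USER")
            .build();
        UserDetails operator = User.withUsername("ops-admin")
            .password("{noop}unused")
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(batchJob, operator);
    }
}
```

The container must actually demand and verify the client certificate, or the filter sees no certificate and nobody authenticates. With Spring Boot that is `server.ssl.client-auth=need` plus a trust store holding only the issuing CA; a trust store containing public CAs would let anyone with a certificate whose CN happens to match log in.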
rememberMe
@Deprecated(since="6.1", forRemoval=true)
public RememberMeConfigurer<HttpSecurity> rememberMe() throws Exception
Deprecated, for removal in 7.0. Use rememberMe(Customizer) or rememberMe(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows configuring of Remember Me authentication.
Example Configuration
The following configuration demonstrates how to allow token based remember me authentication. Upon authenticating, if the HTTP parameter named "remember-me" exists, then the user will be remembered even after their HttpSession expires.

```java
@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
            .permitAll().and()
            // Example Remember Me Configuration
            .rememberMe();
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // Demo-only credential setup; see the class-level example.
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```
- Returns: the RememberMeConfigurer for further customizations
- Throws: Exception
rememberMe
public HttpSecurity rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> rememberMeCustomizer) throws Exception
Allows configuring of Remember Me authentication.
Example Configuration
The following configuration demonstrates how to allow token based remember me authentication. Upon authenticating, if the HTTP parameter named "remember-me" exists, then the user will be remembered even after their HttpSession expires.

```java
@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults())
            .rememberMe(withDefaults());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```
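The defaults above use the hash-based token scheme, whose cookie is derived from the user's password hash and cannot be revoked server-side. The following added configuration (not from the Spring Security Javadoc) switches to the persistent series/token scheme backed by JdbcTokenRepositoryImpl and hardens the cookie; it assumes a DataSource bean is available and that the key is supplied through a REMEMBER_ME_KEY environment variable.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import javax.sql.DataSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class PersistentRememberMeSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
            PersistentTokenRepository tokenRepository) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().hasRole("USER")
            )
            .formLogin(withDefaults())
            .rememberMe((rememberMe) -> rememberMe
                // persistent series/token scheme: the cookie carries a random series id and
                // token rather than a password hash, and a series can be deleted to revoke it
                .tokenRepository(tokenRepository)
                // key used when building the RememberMeAuthenticationToken; set it explicitly
                // rather than relying on the value generated at each startup (assumption: env var)
                .key(System.getenv("REMEMBER_ME_KEY"))
                // state the lifetime explicitly (14 days); the framework default is also two weeks
                .tokenValiditySeconds(14 * 24 * 60 * 60)
                // only ever send the cookie over TLS, whatever scheme the login request used
                .useSecureCookie(true)
                // the HTTP parameter that opts a login in to being remembered
                .rememberMeParameter("remember-me")
            );
        return http.build();
    }

    @Bean
    public PersistentTokenRepository tokenRepository(DataSource dataSource) {
        // stores username, series, token and last_used in the persistent_logins table
        JdbcTokenRepositoryImpl repository = new JdbcTokenRepositoryImpl();
        repository.setDataSource(dataSource);
        return repository;
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // in-memory demo user as in the Javadoc examples; withDefaultPasswordEncoder is for samples only
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

The persistent_logins table must exist before first use; create it through the application's schema migrations rather than JdbcTokenRepositoryImpl.setCreateTableOnStartup(true) in production.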
- Parameters:
  - rememberMeCustomizer - the Customizer to provide more options for the RememberMeConfigurer
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
-
authorizeRequests
@Deprecated public ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests() throws Exception
Deprecated. For removal in 7.0. Use authorizeHttpRequests() instead.
Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).
Example Configurations
The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication for every URL and will grant access to both the user "admin" and the user "user".

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("password")
                .roles("ADMIN", "USER")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

We can also configure multiple URLs. The configuration below requires authentication for every URL and will grant access to URLs starting with /admin/ to only the "admin" user. Either user can access all other URLs.

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/**").hasRole("USER").and().formLogin();
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("password")
                .roles("ADMIN", "USER")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // "/**" is matched first, so the "/admin/**" rule below is never consulted
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").requestMatchers("/admin/**")
                .hasRole("ADMIN");
        return http.build();
    }
}
```
- Returns:
  - the ExpressionUrlAuthorizationConfigurer for further customizations
- Throws:
  - Exception
-
authorizeRequests
@Deprecated public HttpSecurity authorizeRequests(Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer) throws Exception
Deprecated. For removal in 7.0. Use authorizeHttpRequests() instead.
Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).
Example Configurations
The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication for every URL and will grant access to both the user "admin" and the user "user".

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("password")
                .roles("ADMIN", "USER")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

We can also configure multiple URLs. The configuration below requires authentication for every URL and will grant access to URLs starting with /admin/ to only the "admin" user. Either user can access all other URLs.

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("password")
                .roles("ADMIN", "USER")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                // "/**" is matched first, so the "/admin/**" rule below is never consulted
                .requestMatchers("/**").hasRole("USER")
                .requestMatchers("/admin/**").hasRole("ADMIN")
            );
        return http.build();
    }
}
```
- Parameters:
  - authorizeRequestsCustomizer - the Customizer to provide more options for the ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
-
authorizeHttpRequests
@Deprecated(since="6.1", forRemoval=true) public AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use authorizeHttpRequests(Customizer) instead.
Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).
Example Configurations
The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication for every URL and will grant access to both the user "admin" and the user "user".

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests()
                .requestMatchers("/**").hasRole("USER")
                .and()
            .formLogin();
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("password")
                .roles("ADMIN", "USER")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

We can also configure multiple URLs. The configuration below requires authentication for every URL and will grant access to URLs starting with /admin/ to only the "admin" user. Either user can access all other URLs.

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/**").hasRole("USER")
                .and()
            .formLogin();
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("password")
                .roles("ADMIN", "USER")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests()
                // "/**" is matched first, so the "/admin/**" rule below is never consulted
                .requestMatchers("/**").hasRole("USER")
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .and()
            .formLogin();
        return http.build();
    }
}
```
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
- Since:
- 5.6
-
authorizeHttpRequests
public HttpSecurity authorizeHttpRequests(Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer) throws Exception
Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns).
Example Configurations
The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication for every URL and will grant access to both the user "admin" and the user "user".

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorizeHttpRequests) -> authorizeHttpRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("password")
                .roles("ADMIN", "USER")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

We can also configure multiple URLs. The configuration below requires authentication for every URL and will grant access to URLs starting with /admin/ to only the "admin" user. Either user can access all other URLs.

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorizeHttpRequests) -> authorizeHttpRequests
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("password")
                .roles("ADMIN", "USER")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:

```java
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorizeHttpRequests) -> authorizeHttpRequests
                // "/**" is matched first, so the "/admin/**" rule below is never consulted
                .requestMatchers("/**").hasRole("USER")
                .requestMatchers("/admin/**").hasRole("ADMIN")
            );
        return http.build();
    }
}
```
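The first-match rule in the ordering note above (and in the authorizeRequests entries) can be checked without starting a container. The added example below (not Spring Security's own code) builds both orderings with RequestMatcherDelegatingAuthorizationManager, the manager that authorizeHttpRequests configures behind the scenes, and evaluates a plain USER against an admin path; it assumes spring-security-web and spring-test (for MockHttpServletRequest) on the classpath.

```java
import java.util.function.Supplier;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class MatcherOrderingDemo {

    // Valid ordering: the specific "/admin/**" rule is consulted before the catch-all.
    static RequestMatcherDelegatingAuthorizationManager specificFirst() {
        return RequestMatcherDelegatingAuthorizationManager.builder()
                .add(new AntPathRequestMatcher("/admin/**"), AuthorityAuthorizationManager.hasRole("ADMIN"))
                .add(new AntPathRequestMatcher("/**"), AuthorityAuthorizationManager.hasRole("USER"))
                .build();
    }

    // Invalid ordering from the Javadoc: "/**" matches first, so the ADMIN rule is unreachable.
    static RequestMatcherDelegatingAuthorizationManager generalFirst() {
        return RequestMatcherDelegatingAuthorizationManager.builder()
                .add(new AntPathRequestMatcher("/**"), AuthorityAuthorizationManager.hasRole("USER"))
                .add(new AntPathRequestMatcher("/admin/**"), AuthorityAuthorizationManager.hasRole("ADMIN"))
                .build();
    }

    // Evaluates one GET for a principal holding a single role; the manager walks the
    // rules in insertion order and uses the first matcher that accepts the request.
    static boolean granted(RequestMatcherDelegatingAuthorizationManager manager, String role, String path) {
        Authentication authentication = new TestingAuthenticationToken("someone", "n/a", "ROLE_" + role);
        Supplier<Authentication> supplier = () -> authentication;
        AuthorizationDecision decision = manager.check(supplier, new MockHttpServletRequest("GET", path));
        return decision != null && decision.isGranted();
    }

    public static void main(String[] args) {
        String adminPath = "/admin/dashboard";
        // With the specific rule first, a plain USER must be refused and an ADMIN admitted.
        System.out.println("specific first, USER  -> " + adminPath + ": " + granted(specificFirst(), "USER", adminPath));
        System.out.println("specific first, ADMIN -> " + adminPath + ": " + granted(specificFirst(), "ADMIN", adminPath));
        // With the catch-all first, the USER rule shadows the ADMIN rule for the same request.
        System.out.println("general first,  USER  -> " + adminPath + ": " + granted(generalFirst(), "USER", adminPath));
    }
}
```

The same check makes a useful unit test for a real configuration: resolve the RequestMatcherDelegatingAuthorizationManager from the built filter chain's AuthorizationFilter and assert the decision for each sensitive path and role.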
- Parameters:
  - authorizeHttpRequestsCustomizer - the Customizer to provide more options for the AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
- Since:
- 5.5
-
requestCache
@Deprecated(since="6.1", forRemoval=true) public RequestCacheConfigurer<HttpSecurity> requestCache() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows configuring the Request Cache. For example, a protected page (/protected) may be requested prior to authentication. The application will redirect the user to a login page. After authentication, Spring Security will redirect the user to the originally requested protected page (/protected). This is automatically applied when using EnableWebSecurity.
- Returns:
  - the RequestCacheConfigurer for further customizations
- Throws:
  - Exception
-
requestCache
public HttpSecurity requestCache(Customizer<RequestCacheConfigurer<HttpSecurity>> requestCacheCustomizer) throws Exception
Allows configuring the Request Cache. For example, a protected page (/protected) may be requested prior to authentication. The application will redirect the user to a login page. After authentication, Spring Security will redirect the user to the originally requested protected page (/protected). This is automatically applied when using EnableWebSecurity.
Example Custom Configuration
The following example demonstrates how to disable request caching.

```java
@Configuration
@EnableWebSecurity
public class RequestCacheDisabledSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .requestCache((requestCache) -> requestCache.disable());
        return http.build();
    }
}
```

- Parameters:
  - requestCacheCustomizer - the Customizer to provide more options for the RequestCacheConfigurer
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
-
exceptionHandling
@Deprecated(since="6.1", forRemoval=true) public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows configuring exception handling. This is automatically applied when using EnableWebSecurity.
- Returns:
  - the ExceptionHandlingConfigurer for further customizations
- Throws:
  - Exception
-
exceptionHandling
public HttpSecurity exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer) throws Exception
Allows configuring exception handling. This is automatically applied when using EnableWebSecurity.
Example Custom Configuration
The following customization will ensure that users who are denied access are forwarded to the page "/errors/access-denied".

```java
@Configuration
@EnableWebSecurity
public class ExceptionHandlingSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            // sample exception handling customization
            .exceptionHandling((exceptionHandling) -> exceptionHandling
                .accessDeniedPage("/errors/access-denied")
            );
        return http.build();
    }
}
```
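accessDeniedPage only changes where the user lands; a detection pipeline also needs a record of who was refused what. The added configuration below (not from the Javadoc) keeps the same forward to "/errors/access-denied" but wraps it in an AccessDeniedHandler that writes an audit line first; the "security.audit" logger name and the permitted "/errors/**" path are assumptions.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

@Configuration
@EnableWebSecurity
public class AuditedExceptionHandlingSecurityConfig {

    // separate logger so denials can be routed to the SIEM independently of application logs
    private static final Logger AUDIT = LoggerFactory.getLogger("security.audit");

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize
                // the error page itself must be reachable, or the forward would be denied in turn
                .requestMatchers("/errors/**").permitAll()
                .anyRequest().hasRole("USER")
            )
            .formLogin(withDefaults())
            .exceptionHandling((exceptionHandling) -> exceptionHandling
                .accessDeniedHandler(auditingAccessDeniedHandler("/errors/access-denied"))
            );
        return http.build();
    }

    // Logs the denial, then delegates to AccessDeniedHandlerImpl, which sets 403 and forwards
    // to the error page exactly as accessDeniedPage(String) would.
    static AccessDeniedHandler auditingAccessDeniedHandler(String errorPage) {
        AccessDeniedHandlerImpl delegate = new AccessDeniedHandlerImpl();
        delegate.setErrorPage(errorPage);
        return (request, response, accessDeniedException) -> {
            // getUserPrincipal() is null for anonymous callers once servletApi integration is on
            String principal = (request.getUserPrincipal() != null)
                    ? request.getUserPrincipal().getName() : "anonymous";
            // getRemoteAddr() is the proxy's address unless forwarded headers are handled upstream
            AUDIT.warn("access denied principal={} method={} uri={} remote={} reason={}",
                    principal, request.getMethod(), request.getRequestURI(),
                    request.getRemoteAddr(), accessDeniedException.getMessage());
            delegate.handle(request, response, accessDeniedException);
        };
    }
}
```

A burst of these lines for one principal across many distinct URIs is the signal to alert on; a single denial is usually just a stale bookmark.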
- Parameters:
  - exceptionHandlingCustomizer - the Customizer to provide more options for the ExceptionHandlingConfigurer
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
-
securityContext
@Deprecated(since="6.1", forRemoval=true) public SecurityContextConfigurer<HttpSecurity> securityContext() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use securityContext(Customizer) or securityContext(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequests. This is automatically applied when using EnableWebSecurity.
- Returns:
  - the SecurityContextConfigurer for further customizations
- Throws:
  - Exception
-
securityContext
public HttpSecurity securityContext(Customizer<SecurityContextConfigurer<HttpSecurity>> securityContextCustomizer) throws Exception
Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequests. This is automatically applied when using EnableWebSecurity. The following customization specifies the shared SecurityContextRepository:

```java
@Configuration
@EnableWebSecurity
public class SecurityContextSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .securityContext((securityContext) -> securityContext
                // SCR stands for a SecurityContextRepository instance supplied by the application
                .securityContextRepository(SCR)
            );
        return http.build();
    }
}
```

- Parameters:
  - securityContextCustomizer - the Customizer to provide more options for the SecurityContextConfigurer
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
-
servletApi
@Deprecated(since="6.1", forRemoval=true) public ServletApiConfigurer<HttpSecurity> servletApi() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use servletApi(Customizer) or servletApi(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Integrates the HttpServletRequest methods with the values found on the SecurityContext. This is automatically applied when using EnableWebSecurity.
- Returns:
  - the ServletApiConfigurer for further customizations
- Throws:
  - Exception
-
servletApi
public HttpSecurity servletApi(Customizer<ServletApiConfigurer<HttpSecurity>> servletApiCustomizer) throws Exception
Integrates the HttpServletRequest methods with the values found on the SecurityContext. This is automatically applied when using EnableWebSecurity. You can disable it using:

```java
@Configuration
@EnableWebSecurity
public class ServletApiSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .servletApi((servletApi) -> servletApi.disable());
        return http.build();
    }
}
```

- Parameters:
  - servletApiCustomizer - the Customizer to provide more options for the ServletApiConfigurer
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
-
csrf
@Deprecated(since="6.1", forRemoval=true) public CsrfConfigurer<HttpSecurity> csrf() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Enables CSRF protection. This is activated by default when using EnableWebSecurity's default constructor. You can disable it using:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            ...;
        return http.build();
    }
}
```

- Returns:
  - the CsrfConfigurer for further customizations
- Throws:
  - Exception
-
csrf
public HttpSecurity csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer) throws Exception
Enables CSRF protection. This is activated by default when using EnableWebSecurity. You can disable it using:

```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf((csrf) -> csrf.disable());
        return http.build();
    }
}
```
- Parameters:
  - csrfCustomizer - the Customizer to provide more options for the CsrfConfigurer
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
-
logout
@Deprecated(since="6.1", forRemoval=true) public LogoutConfigurer<HttpSecurity> logout() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Provides logout support. This is automatically applied when using EnableWebSecurity. The default is that accessing the URL "/logout" will log the user out by invalidating the HTTP Session, cleaning up any rememberMe() authentication that was configured, clearing the SecurityContextHolder, and then redirecting to "/login?success".
Example Custom Configuration
The following customization logs the user out when the URL "/custom-logout" is invoked. Log out will remove the cookie named "remove", not invalidate the HttpSession, clear the SecurityContextHolder, and upon completion redirect to "/logout-success".

```java
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
                .and()
                // sample logout customization
                .logout().deleteCookies("remove").invalidateHttpSession(false)
                .logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success");
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

- Returns:
  - the LogoutConfigurer for further customizations
- Throws:
  - Exception
-
logout
public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer) throws Exception
Provides logout support. This is automatically applied when using EnableWebSecurity. The default is that accessing the URL "/logout" will log the user out by invalidating the HTTP Session, cleaning up any rememberMe() authentication that was configured, clearing the SecurityContextHolder, and then redirecting to "/login?success".
Example Custom Configuration
The following customization logs the user out when the URL "/custom-logout" is invoked. Log out will remove the cookie named "remove", not invalidate the HttpSession, clear the SecurityContextHolder, and upon completion redirect to "/logout-success".

```java
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults())
            // sample logout customization
            .logout((logout) -> logout
                .deleteCookies("remove")
                .invalidateHttpSession(false)
                .logoutUrl("/custom-logout")
                .logoutSuccessUrl("/logout-success")
            );
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

- Parameters:
  - logoutCustomizer - the Customizer to provide more options for the LogoutConfigurer
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
-
anonymous
@Deprecated(since="6.1", forRemoval=true) public AnonymousConfigurer<HttpSecurity> anonymous() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows configuring how an anonymous user is represented. This is automatically applied when used in conjunction with EnableWebSecurity. By default anonymous users will be represented with an AnonymousAuthenticationToken and contain the role "ROLE_ANONYMOUS".
Example Configuration
The following configuration demonstrates how to specify that anonymous users should contain the role "ROLE_ANON" instead.

```java
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .requestMatchers("/**").hasRole("USER")
                .and()
            .formLogin()
                .and()
            // sample anonymous customization
            .anonymous().authorities("ROLE_ANON");
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

The following demonstrates how to represent anonymous users as null. Note that this can cause NullPointerException in code that assumes anonymous authentication is enabled.

```java
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .requestMatchers("/**").hasRole("USER")
                .and()
            .formLogin()
                .and()
            // sample anonymous customization
            .anonymous().disable();
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

- Returns:
  - the AnonymousConfigurer for further customizations
- Throws:
  - Exception
-
anonymous
public HttpSecurity anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anonymousCustomizer) throws Exception
Allows configuring how an anonymous user is represented. This is automatically applied when used in conjunction with EnableWebSecurity. By default anonymous users will be represented with an AnonymousAuthenticationToken and contain the role "ROLE_ANONYMOUS".
Example Configuration
The following configuration demonstrates how to specify that anonymous users should contain the role "ROLE_ANON" instead.

```java
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults())
            // sample anonymous customization
            .anonymous((anonymous) -> anonymous
                .authorities("ROLE_ANON")
            );
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

The following demonstrates how to represent anonymous users as null. Note that this can cause NullPointerException in code that assumes anonymous authentication is enabled.

```java
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults())
            // sample anonymous customization
            .anonymous((anonymous) -> anonymous.disable());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

- Parameters:
  - anonymousCustomizer - the Customizer to provide more options for the AnonymousConfigurer
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
-
formLogin
@Deprecated(since="6.1", forRemoval=true) public FormLoginConfigurer<HttpSecurity> formLogin() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Specifies to support form based authentication. If FormLoginConfigurer.loginPage(String) is not specified a default login page will be generated.
Example Configurations
The most basic configuration defaults to automatically generating a login page at the URL "/login", redirecting to "/login?error" for authentication failure. The details of the login page can be found on FormLoginConfigurer.loginPage(String).

```java
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

The configuration below demonstrates customizing the defaults.

```java
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
                .usernameParameter("username") // default is username
                .passwordParameter("password") // default is password
                .loginPage("/authentication/login") // default is /login with an HTTP get
                .failureUrl("/authentication/login?failed") // default is /login?error
                .loginProcessingUrl("/authentication/login/process"); // default is /login with an HTTP post
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

- Returns:
  - the FormLoginConfigurer for further customizations
- Throws:
  - Exception
- See Also:
-
formLogin
public HttpSecurity formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> formLoginCustomizer) throws Exception
Specifies to support form based authentication. If FormLoginConfigurer.loginPage(String) is not specified a default login page will be generated.
Example Configurations
The most basic configuration defaults to automatically generating a login page at the URL "/login", redirecting to "/login?error" for authentication failure. The details of the login page can be found on FormLoginConfigurer.loginPage(String).

```java
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

The configuration below demonstrates customizing the defaults.

```java
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin((formLogin) -> formLogin
                .usernameParameter("username")
                .passwordParameter("password")
                .loginPage("/authentication/login")
                .failureUrl("/authentication/login?failed")
                .loginProcessingUrl("/authentication/login/process")
            );
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

- Parameters:
  - formLoginCustomizer - the Customizer to provide more options for the FormLoginConfigurer
- Returns:
  - the HttpSecurity for further customizations
- Throws:
  - Exception
- See Also:
-
saml2Login
@Deprecated(since="6.1", forRemoval=true) public Saml2LoginConfigurer<HttpSecurity> saml2Login() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use saml2Login(Customizer) or saml2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Configures authentication support using a SAML 2.0 Service Provider.
The "authentication flow" is implemented using the Web Browser SSO Profile, using POST and REDIRECT bindings, as documented in the SAML V2.0 Core, Profiles and Bindings specifications.
As a prerequisite to using this feature, you must have a SAML v2.0 Identity Provider to provide an assertion. The representation of the Service Provider (the relying party) and the remote Identity Provider (the asserting party) is contained within RelyingPartyRegistration.
RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login().relyingPartyRegistrationRepository(..).
The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the identity providers with a link that is capable of initiating the "authentication flow".
Example Configuration
The following example shows the minimal configuration required, using SimpleSamlPhp as the Authentication Provider.

@Configuration
@EnableWebSecurity
public class Saml2LoginSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .saml2Login();
        return http.build();
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
    }

    private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
        // remote IDP entity ID
        String idpEntityId = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php";
        // remote WebSSO Endpoint - where to send AuthNRequests to
        String webSsoEndpoint = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php";
        // local registration ID
        String registrationId = "simplesamlphp";
        // local entity ID - autogenerated based on URL
        String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        // local signing (and decryption) key
        Saml2X509Credential signingCredential = getSigningCredential();
        // IDP certificate for verification of incoming messages
        Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
        return RelyingPartyRegistration.withRegistrationId(registrationId)
            .remoteIdpEntityId(idpEntityId)
            .idpWebSsoUrl(webSsoEndpoint)
            .credential(signingCredential)
            .credential(idpVerificationCertificate)
            .localEntityIdTemplate(localEntityIdTemplate)
            .build();
    }
}
- Returns:
  the Saml2LoginConfigurer for further customizations
- Throws:
  Exception
- Since:
  5.2
-
saml2Login
public HttpSecurity saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> saml2LoginCustomizer) throws Exception
Configures authentication support using a SAML 2.0 Service Provider.
The "authentication flow" is implemented using the Web Browser SSO Profile, using POST and REDIRECT bindings, as documented in the SAML V2.0 Core, Profiles and Bindings specifications.
As a prerequisite to using this feature, you must have a SAML v2.0 Identity Provider to provide an assertion. The representation of the Service Provider (the relying party) and the remote Identity Provider (the asserting party) is contained within RelyingPartyRegistration.
RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login().relyingPartyRegistrationRepository(..).
The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the identity providers with a link that is capable of initiating the "authentication flow".
Example Configuration
The following example shows the minimal configuration required, using SimpleSamlPhp as the Authentication Provider.

@Configuration
@EnableWebSecurity
public class Saml2LoginSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .anyRequest().authenticated()
            )
            .saml2Login(withDefaults());
        return http.build();
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
    }

    private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
        // remote IDP entity ID
        String idpEntityId = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php";
        // remote WebSSO Endpoint - where to send AuthNRequests to
        String webSsoEndpoint = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php";
        // local registration ID
        String registrationId = "simplesamlphp";
        // local entity ID - autogenerated based on URL
        String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        // local signing (and decryption) key
        Saml2X509Credential signingCredential = getSigningCredential();
        // IDP certificate for verification of incoming messages
        Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
        return RelyingPartyRegistration.withRegistrationId(registrationId)
            .remoteIdpEntityId(idpEntityId)
            .idpWebSsoUrl(webSsoEndpoint)
            .credential(signingCredential)
            .credential(idpVerificationCertificate)
            .localEntityIdTemplate(localEntityIdTemplate)
            .build();
    }
}
- Parameters:
  saml2LoginCustomizer - the Customizer to provide more options for the Saml2LoginConfigurer
- Returns:
  the HttpSecurity for further customizations
- Throws:
  Exception
- Since:
  5.2
-
saml2Logout
public HttpSecurity saml2Logout(Customizer<Saml2LogoutConfigurer<HttpSecurity>> saml2LogoutCustomizer) throws Exception
Configures logout support for a SAML 2.0 Relying Party.
Implements the Single Logout Profile, using POST and REDIRECT bindings, as documented in the SAML V2.0 Core, Profiles and Bindings specifications.
As a prerequisite to using this feature, you must have a SAML v2.0 Asserting Party to send a logout request to. The representation of the relying party and the asserting party is contained within RelyingPartyRegistration.
RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login(Customizer).
The default configuration provides an auto-generated logout endpoint at "/logout" and redirects to "/login?logout" when logout completes.
Example Configuration
The following example shows the minimal configuration required, using a hypothetical asserting party.

@EnableWebSecurity
@Configuration
public class Saml2LogoutSecurityConfig {

    @Bean
    public SecurityFilterChain web(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorize) -> authorize
                .anyRequest().authenticated()
            )
            .saml2Login(withDefaults())
            .saml2Logout(withDefaults());
        return http.build();
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
            .withMetadataLocation("https://ap.example.org/metadata")
            .registrationId("simple")
            .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }
}
- Returns:
  the HttpSecurity for further customizations
- Throws:
  Exception
- Since:
  5.6
-
saml2Logout
@Deprecated(since="6.1", forRemoval=true) public Saml2LogoutConfigurer<HttpSecurity> saml2Logout() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use saml2Logout(Customizer) or saml2Logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Configures logout support for a SAML 2.0 Relying Party.
Implements the Single Logout Profile, using POST and REDIRECT bindings, as documented in the SAML V2.0 Core, Profiles and Bindings specifications.
As a prerequisite to using this feature, you must have a SAML v2.0 Asserting Party to send a logout request to. The representation of the relying party and the asserting party is contained within RelyingPartyRegistration.
RelyingPartyRegistration(s) are composed within a RelyingPartyRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via saml2Login().
The default configuration provides an auto-generated logout endpoint at "/logout" and redirects to "/login?logout" when logout completes.
Example Configuration
The following example shows the minimal configuration required, using a hypothetical asserting party.

@EnableWebSecurity
@Configuration
public class Saml2LogoutSecurityConfig {

    @Bean
    public SecurityFilterChain web(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .saml2Login()
                .and()
            .saml2Logout();
        return http.build();
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
            .withMetadataLocation("https://ap.example.org/metadata")
            .registrationId("simple")
            .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }
}
- Returns:
  the Saml2LoginConfigurer for further customizations
- Throws:
  Exception
- Since:
  5.6
-
saml2Metadata
public HttpSecurity saml2Metadata(Customizer<Saml2MetadataConfigurer<HttpSecurity>> saml2MetadataConfigurer) throws Exception
Configures a SAML 2.0 metadata endpoint that presents relying party configurations in an <md:EntityDescriptor> payload.
By default, the endpoints are /saml2/metadata and /saml2/metadata/{registrationId}, though note that /saml2/service-provider-metadata/{registrationId} is also recognized for backward compatibility purposes.
Example Configuration
The following example shows the minimal configuration required, using a hypothetical asserting party.

@EnableWebSecurity
@Configuration
public class Saml2LogoutSecurityConfig {

    @Bean
    public SecurityFilterChain web(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            .saml2Metadata(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
            .withMetadataLocation("https://ap.example.org/metadata")
            .registrationId("simple")
            .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }
}
- Parameters:
  saml2MetadataConfigurer - the Customizer to provide more options for the Saml2MetadataConfigurer
- Returns:
  the HttpSecurity for further customizations
- Throws:
  Exception
- Since:
  6.1
-
saml2Metadata
@Deprecated(since="6.1", forRemoval=true) public Saml2MetadataConfigurer<HttpSecurity> saml2Metadata() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use saml2Metadata(Customizer) or saml2Metadata(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Configures a SAML 2.0 metadata endpoint that presents relying party configurations in an <md:EntityDescriptor> payload.
By default, the endpoints are /saml2/metadata and /saml2/metadata/{registrationId}, though note that /saml2/service-provider-metadata/{registrationId} is also recognized for backward compatibility purposes.
Example Configuration
The following example shows the minimal configuration required, using a hypothetical asserting party.

@EnableWebSecurity
@Configuration
public class Saml2LogoutSecurityConfig {

    @Bean
    public SecurityFilterChain web(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            .saml2Metadata(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
            .withMetadataLocation("https://ap.example.org/metadata")
            .registrationId("simple")
            .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }
}
- Returns:
  the Saml2MetadataConfigurer for further customizations
- Throws:
  Exception
- Since:
  6.1
-
oauth2Login
@Deprecated(since="6.1", forRemoval=true) public OAuth2LoginConfigurer<HttpSecurity> oauth2Login() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.
The "authentication flow" is implemented using the Authorization Code Grant, as specified in the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0 specification.
As a prerequisite to using this feature, you must register a client with a provider. The client registration information may then be used for configuring a ClientRegistration using a ClientRegistration.Builder.
ClientRegistration(s) are composed within a ClientRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via oauth2Login().clientRegistrationRepository(..).
The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the clients with a link that is capable of initiating the "authentication flow".
Example Configuration
The following example shows the minimal configuration required, using Google as the Authentication Provider.

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login();
        return http.build();
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
    }

    private ClientRegistration googleClientRegistration() {
        return ClientRegistration.withRegistrationId("google")
            .clientId("google-client-id")
            .clientSecret("google-client-secret")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
            .scope("openid", "profile", "email", "address", "phone")
            .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
            .tokenUri("https://www.googleapis.com/oauth2/v4/token")
            .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
            .userNameAttributeName(IdTokenClaimNames.SUB)
            .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
            .clientName("Google")
            .build();
    }
}
For more advanced configuration, see OAuth2LoginConfigurer for available options to customize the defaults.
- Returns:
  the OAuth2LoginConfigurer for further customizations
- Throws:
  Exception
- Since:
  5.0
- See Also:
-
oauth2Login
public HttpSecurity oauth2Login(Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginCustomizer) throws Exception
Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.
The "authentication flow" is implemented using the Authorization Code Grant, as specified in the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0 specification.
As a prerequisite to using this feature, you must register a client with a provider. The client registration information may then be used for configuring a ClientRegistration using a ClientRegistration.Builder.
ClientRegistration(s) are composed within a ClientRegistrationRepository, which is required and must be registered with the ApplicationContext or configured via oauth2Login().clientRegistrationRepository(..).
The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the clients with a link that is capable of initiating the "authentication flow".
Example Configuration
The following example shows the minimal configuration required, using Google as the Authentication Provider.

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .anyRequest().authenticated()
            )
            .oauth2Login(withDefaults());
        return http.build();
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
    }

    private ClientRegistration googleClientRegistration() {
        return ClientRegistration.withRegistrationId("google")
            .clientId("google-client-id")
            .clientSecret("google-client-secret")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
            .scope("openid", "profile", "email", "address", "phone")
            .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
            .tokenUri("https://www.googleapis.com/oauth2/v4/token")
            .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
            .userNameAttributeName(IdTokenClaimNames.SUB)
            .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
            .clientName("Google")
            .build();
    }
}
For more advanced configuration, see OAuth2LoginConfigurer for available options to customize the defaults.
- Parameters:
  oauth2LoginCustomizer - the Customizer to provide more options for the OAuth2LoginConfigurer
- Returns:
  the HttpSecurity for further customizations
- Throws:
  Exception
- See Also:
-
oidcLogout
- Throws:
Exception
-
oidcLogout
public HttpSecurity oidcLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oidcLogoutCustomizer) throws Exception
- Throws:
  Exception
-
oauth2Client
@Deprecated(since="6.1", forRemoval=true) public OAuth2ClientConfigurer<HttpSecurity> oauth2Client() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Configures OAuth 2.0 Client support.
- Returns:
  the OAuth2ClientConfigurer for further customizations
- Throws:
  Exception
- Since:
  5.1
- See Also:
-
oauth2Client
public HttpSecurity oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>> oauth2ClientCustomizer) throws Exception
Configures OAuth 2.0 Client support.
Example Configuration
The following example demonstrates how to enable OAuth 2.0 Client support for all endpoints.

@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .anyRequest().authenticated()
            )
            .oauth2Client(withDefaults());
        return http.build();
    }
}
- Parameters:
  oauth2ClientCustomizer - the Customizer to provide more options for the OAuth2ClientConfigurer
- Returns:
  the HttpSecurity for further customizations
- Throws:
  Exception
- See Also:
-
oauth2ResourceServer
@Deprecated(since="6.1", forRemoval=true) public OAuth2ResourceServerConfigurer<HttpSecurity> oauth2ResourceServer() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use oauth2ResourceServer(Customizer) instead.
Configures OAuth 2.0 Resource Server support.
- Returns:
  the OAuth2ResourceServerConfigurer for further customizations
- Throws:
  Exception
- Since:
  5.1
- See Also:
-
oauth2ResourceServer
public HttpSecurity oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer) throws Exception
Configures OAuth 2.0 Resource Server support.
Example Configuration
The following example demonstrates how to configure a custom JWT decoder.

@Configuration
@EnableWebSecurity
public class OAuth2ResourceServerSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer((oauth2ResourceServer) -> oauth2ResourceServer
                .jwt((jwt) -> jwt
                    .decoder(jwtDecoder())
                )
            );
        return http.build();
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withPublicKey(this.key).build();
    }
}
- Parameters:
  oauth2ResourceServerCustomizer - the Customizer to provide more options for the OAuth2ResourceServerConfigurer
- Returns:
  the HttpSecurity for further customizations
- Throws:
  Exception
- See Also:
-
requiresChannel
@Deprecated(since="6.1", forRemoval=true) public ChannelSecurityConfigurer<HttpSecurity>.ChannelRequestMatcherRegistry requiresChannel() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use requiresChannel(Customizer) or requiresChannel(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Configures channel security. In order for this configuration to be useful, at least one mapping to a required channel must be provided.
Example Configuration
The example below demonstrates how to require HTTPS for every request. Requiring HTTPS for only some requests is supported, but not recommended, since an application that allows HTTP introduces many security vulnerabilities. For one such example, read about Firesheep.

@Configuration
@EnableWebSecurity
public class ChannelSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
            .and().requiresChannel().anyRequest().requiresSecure();
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
- Returns:
  the ChannelSecurityConfigurer for further customizations
- Throws:
  Exception
-
requiresChannel
public HttpSecurity requiresChannel(Customizer<ChannelSecurityConfigurer<HttpSecurity>.ChannelRequestMatcherRegistry> requiresChannelCustomizer) throws Exception
Configures channel security. In order for this configuration to be useful, at least one mapping to a required channel must be provided.
Example Configuration
The example below demonstrates how to require HTTPS for every request. Requiring HTTPS for only some requests is supported, but not recommended, since an application that allows HTTP introduces many security vulnerabilities. For one such example, read about Firesheep.

@Configuration
@EnableWebSecurity
public class ChannelSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .formLogin(withDefaults())
            .requiresChannel((requiresChannel) -> requiresChannel
                .anyRequest().requiresSecure()
            );
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
- Parameters:
  requiresChannelCustomizer - the Customizer to provide more options for the ChannelSecurityConfigurer.ChannelRequestMatcherRegistry
- Returns:
  the HttpSecurity for further customizations
- Throws:
  Exception
-
httpBasic
@Deprecated(since="6.1", forRemoval=true) public HttpBasicConfigurer<HttpSecurity> httpBasic() throws Exception
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Configures HTTP Basic authentication.
Example Configuration
The example below demonstrates how to configure HTTP Basic authentication for an application. The default realm is "Realm", but can be customized using HttpBasicConfigurer.realmName(String).

@Configuration
@EnableWebSecurity
public class HttpBasicSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().httpBasic();
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
- Returns:
  the HttpBasicConfigurer for further customizations
- Throws:
  Exception
-
httpBasic
public HttpSecurity httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> httpBasicCustomizer) throws Exception
Configures HTTP Basic authentication.
Example Configuration
The example below demonstrates how to configure HTTP Basic authentication for an application. The default realm is "Realm", but can be customized using HttpBasicConfigurer.realmName(String).

@Configuration
@EnableWebSecurity
public class HttpBasicSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authorizeRequests) -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .httpBasic(withDefaults());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
- Parameters:
  httpBasicCustomizer - the Customizer to provide more options for the HttpBasicConfigurer
- Returns:
  the HttpSecurity for further customizations
- Throws:
  Exception
-
passwordManagement
public HttpSecurity passwordManagement(Customizer<PasswordManagementConfigurer<HttpSecurity>> passwordManagementCustomizer) throws Exception
Adds support for password management.
Example Configuration
The example below demonstrates how to configure password management for an application. The default change password page is "/change-password", but can be customized using PasswordManagementConfigurer.changePasswordPage(String).

@Configuration
@EnableWebSecurity
public class PasswordManagementSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .requestMatchers("/**").hasRole("USER")
            )
            .passwordManagement(passwordManagement -> passwordManagement
                .changePasswordPage("/custom-change-password-page")
            );
        return http.build();
    }
}
- Parameters:
  passwordManagementCustomizer - the Customizer to provide more options for the PasswordManagementConfigurer
- Returns:
  the HttpSecurity for further customizations
- Throws:
  Exception
- Since:
  5.6
-
authenticationManager
Configure the default AuthenticationManager.
- Parameters:
  authenticationManager - the AuthenticationManager to use
- Returns:
  the HttpSecurity for further customizations
- Since:
  5.6
-
beforeConfigure
Description copied from class: AbstractConfiguredSecurityBuilder
Invoked prior to invoking each SecurityConfigurer.configure(SecurityBuilder) method. Subclasses may override this method to hook into the lifecycle without using a SecurityConfigurer.
- Overrides:
  beforeConfigure in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain, HttpSecurity>
- Throws:
  Exception
-
performBuild
Description copied from class: AbstractConfiguredSecurityBuilder
Subclasses must implement this method to build the object that is being returned.
- Specified by:
  performBuild in class AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain, HttpSecurity>
- Returns:
  the Object to be built, or null if the implementation allows it
-
authenticationProvider
Description copied from interface: HttpSecurityBuilder
Allows adding an additional AuthenticationProvider to be used.
- Specified by:
  authenticationProvider in interface HttpSecurityBuilder<HttpSecurity>
- Parameters:
  authenticationProvider - the AuthenticationProvider to be added
- Returns:
  the HttpSecurity for further customizations
-
userDetailsService
Description copied from interface: HttpSecurityBuilder
Allows adding an additional UserDetailsService to be used.
- Specified by:
  userDetailsService in interface HttpSecurityBuilder<HttpSecurity>
- Parameters:
  userDetailsService - the UserDetailsService to be added
- Returns:
  the HttpSecurity for further customizations
- Throws:
  Exception
-
addFilterAfter
public HttpSecurity addFilterAfter(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> afterFilter)
Description copied from interface: HttpSecurityBuilder
Allows adding a Filter after one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).
- Specified by:
  addFilterAfter in interface HttpSecurityBuilder<HttpSecurity>
- Parameters:
  filter - the Filter to register after the type afterFilter
  afterFilter - the Class of the known Filter.
- Returns:
  the HttpSecurity for further customizations
-
addFilterBefore
public HttpSecurity addFilterBefore(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> beforeFilter)
Description copied from interface: HttpSecurityBuilder
Allows adding a Filter before one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).
- Specified by:
  addFilterBefore in interface HttpSecurityBuilder<HttpSecurity>
- Parameters:
  filter - the Filter to register before the type beforeFilter
  beforeFilter - the Class of the known Filter.
- Returns:
  the HttpSecurity for further customizations
-
addFilter
Description copied from interface: HttpSecurityBuilder
Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework. The method ensures that the ordering of the Filters is automatically taken care of. The ordering of the Filters is:
DisableEncodeUrlFilter
ForceEagerSessionCreationFilter
ChannelProcessingFilter
WebAsyncManagerIntegrationFilter
SecurityContextHolderFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CorsFilter
CsrfFilter
LogoutFilter
OAuth2AuthorizationRequestRedirectFilter
Saml2WebSsoAuthenticationRequestFilter
X509AuthenticationFilter
AbstractPreAuthenticatedProcessingFilter
CasAuthenticationFilter
OAuth2LoginAuthenticationFilter
Saml2WebSsoAuthenticationFilter
UsernamePasswordAuthenticationFilter
DefaultLoginPageGeneratingFilter
DefaultLogoutPageGeneratingFilter
ConcurrentSessionFilter
DigestAuthenticationFilter
BearerTokenAuthenticationFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
JaasApiIntegrationFilter
RememberMeAuthenticationFilter
AnonymousAuthenticationFilter
OAuth2AuthorizationCodeGrantFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
AuthorizationFilter
SwitchUserFilter
- Specified by:
  addFilter in interface HttpSecurityBuilder<HttpSecurity>
- Parameters:
  filter - the Filter to add
- Returns:
  the HttpSecurity for further customizations
-
addFilterAt
public HttpSecurity addFilterAt(jakarta.servlet.Filter filter, Class<? extends jakarta.servlet.Filter> atFilter)
Adds the Filter at the location of the specified Filter class. For example, if you want the filter CustomFilter to be registered in the same position as UsernamePasswordAuthenticationFilter, you can invoke:
    addFilterAt(new CustomFilter(), UsernamePasswordAuthenticationFilter.class)
Registration of multiple Filters in the same location means their ordering is not deterministic. More concretely, registering multiple Filters in the same location does not override existing Filters. Instead, do not register Filters you do not want to use.
- Parameters:
filter - the Filter to register
atFilter - the location of another Filter that is already registered (i.e. known) with Spring Security.
- Returns:
- the HttpSecurity for further customizations
-
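The following is an added example, not code from Spring Security's own Javadoc, showing how addFilterAt places a custom authentication Filter at the position of a known Filter from the ordering listed under addFilter. The ApiKeyAuthenticationFilter class, the X-API-Key header and the sample key value are assumptions made for the illustration; the Spring Security and Jakarta Servlet APIs used are real. Because formLogin() is not enabled, nothing else occupies the UsernamePasswordAuthenticationFilter slot, so the non-deterministic ordering the Javadoc warns about does not arise.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class ApiKeySecurityConfig {

    // Constructed sample value for illustration only; a deployment would load the
    // key from a secret store, never from source.
    private static final byte[] EXPECTED_KEY =
            "example-api-key-not-a-real-secret".getBytes(StandardCharsets.UTF_8);

    /**
     * Hypothetical filter (name and header are assumptions): authenticates a request
     * that carries a valid "X-API-Key" header. A request without the header passes
     * through unauthenticated so that AuthorizationFilter, later in the chain,
     * rejects it with the normal 401/403 handling.
     */
    static class ApiKeyAuthenticationFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain chain) throws ServletException, IOException {
            String presented = request.getHeader("X-API-Key");
            if (presented != null) {
                byte[] presentedBytes = presented.getBytes(StandardCharsets.UTF_8);
                // MessageDigest.isEqual compares in constant time, so response timing
                // does not reveal how many leading bytes of the key matched.
                if (!MessageDigest.isEqual(presentedBytes, EXPECTED_KEY)) {
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return; // wrong key: stop the chain here
                }
                UsernamePasswordAuthenticationToken auth = UsernamePasswordAuthenticationToken.authenticated(
                        "api-client", null, List.of(new SimpleGrantedAuthority("ROLE_API")));
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
            chain.doFilter(request, response);
        }
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Register at the position UsernamePasswordAuthenticationFilter holds in the
            // ordering listed under addFilter: after CsrfFilter and LogoutFilter, before
            // AuthorizationFilter, which is what an authentication filter needs.
            .addFilterAt(new ApiKeyAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().hasRole("API")
            )
            // The key is re-validated on every request, so no HTTP session is needed.
            .sessionManagement((session) -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            );
        return http.build();
    }
}
```

If the same filter also had to run ahead of a specific known Filter rather than in its slot, addFilterBefore(new ApiKeyAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class) expresses that; the difference matters only when another Filter occupies the same position. CSRF protection is left enabled here because it costs nothing for a header-authenticated client and still protects any cookie-authenticated endpoints this chain may serve.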
securityMatchers
@Deprecated(since="6.1", forRemoval=true)
public HttpSecurity.RequestMatcherConfigurer securityMatchers()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use securityMatchers(Customizer) or securityMatchers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using securityMatcher(String...) or securityMatcher(RequestMatcher).
Invoking securityMatchers() will not override previous invocations of securityMatchers(), securityMatchers(Customizer), securityMatcher(String...) and securityMatcher(RequestMatcher).
Example Configurations
The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/".
    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .securityMatchers((matchers) -> matchers
                    .requestMatchers("/api/**", "/oauth/**")
                )
                .authorizeHttpRequests((authorize) -> authorize
                    .anyRequest().hasRole("USER")
                )
                .httpBasic(withDefaults());
            return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
            return new InMemoryUserDetailsManager(user);
        }
    }
The configuration below is the same as the previous configuration.
    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .securityMatchers((matchers) -> matchers
                    .requestMatchers("/api/**")
                    .requestMatchers("/oauth/**")
                )
                .authorizeHttpRequests((authorize) -> authorize
                    .anyRequest().hasRole("USER")
                )
                .httpBasic(withDefaults());
            return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
            return new InMemoryUserDetailsManager(user);
        }
    }
The configuration below is also the same as the above configuration.
    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .securityMatchers((matchers) -> matchers
                    .requestMatchers("/api/**")
                )
                .securityMatchers((matchers) -> matchers
                    .requestMatchers("/oauth/**")
                )
                .authorizeHttpRequests((authorize) -> authorize
                    .anyRequest().hasRole("USER")
                )
                .httpBasic(withDefaults());
            return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
            return new InMemoryUserDetailsManager(user);
        }
    }
- Returns:
- the HttpSecurity.RequestMatcherConfigurer for further customizations
-
securityMatchers
public HttpSecurity securityMatchers(Customizer<HttpSecurity.RequestMatcherConfigurer> requestMatcherCustomizer)
Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using securityMatcher(String...) or securityMatcher(RequestMatcher).
Invoking securityMatchers(Customizer) will not override previous invocations of securityMatchers(), securityMatchers(Customizer), securityMatcher(String...) and securityMatcher(RequestMatcher).
Example Configurations
The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/".
    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .securityMatchers((matchers) -> matchers
                    .requestMatchers("/api/**", "/oauth/**")
                )
                .authorizeHttpRequests((authorize) -> authorize
                    .anyRequest().hasRole("USER")
                )
                .httpBasic(withDefaults());
            return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
            return new InMemoryUserDetailsManager(user);
        }
    }
The configuration below is the same as the previous configuration.
    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .securityMatchers((matchers) -> matchers
                    .requestMatchers("/api/**")
                    .requestMatchers("/oauth/**")
                )
                .authorizeHttpRequests((authorize) -> authorize
                    .anyRequest().hasRole("USER")
                )
                .httpBasic(withDefaults());
            return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
            return new InMemoryUserDetailsManager(user);
        }
    }
The configuration below is also the same as the above configuration.
    @Configuration
    @EnableWebSecurity
    public class RequestMatchersSecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .securityMatchers((matchers) -> matchers
                    .requestMatchers("/api/**")
                )
                .securityMatchers((matchers) -> matchers
                    .requestMatchers("/oauth/**")
                )
                .authorizeHttpRequests((authorize) -> authorize
                    .anyRequest().hasRole("USER")
                )
                .httpBasic(withDefaults());
            return http.build();
        }

        @Bean
        public UserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
            return new InMemoryUserDetailsManager(user);
        }
    }
- Parameters:
requestMatcherCustomizer - the Customizer to provide more options for the HttpSecurity.RequestMatcherConfigurer
- Returns:
- the HttpSecurity for further customizations
-
securityMatcher
Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher. If more advanced configuration is necessary, consider using securityMatchers(Customizer).
Invoking securityMatcher(RequestMatcher) will override previous invocations of securityMatcher(RequestMatcher), securityMatcher(String...), securityMatchers(Customizer) and securityMatchers().
- Parameters:
requestMatcher - the RequestMatcher to use (i.e. new AntPathRequestMatcher("/admin/**", "GET"))
- Returns:
- the HttpSecurity for further customizations
- See Also:
-
securityMatcher
Allows configuring the HttpSecurity to only be invoked when matching the provided pattern. This method creates a MvcRequestMatcher if Spring MVC is in the classpath or creates an AntPathRequestMatcher if not. If more advanced configuration is necessary, consider using securityMatchers(Customizer) or securityMatcher(RequestMatcher).
Invoking securityMatcher(String...) will override previous invocations of securityMatcher(String...), securityMatcher(RequestMatcher), securityMatchers(Customizer) and securityMatchers().
- Parameters:
patterns - the pattern to match on (i.e. "/admin/**")
- Returns:
- the HttpSecurity for further customizations
- See Also:
-
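The following is an added example, not code from Spring Security's own Javadoc, showing where securityMatcher(String...) and securityMatcher(RequestMatcher) matter in practice: several SecurityFilterChain beans, each restricted to its own URL space, with the unrestricted chain ordered last. The class and bean names and the URL patterns are assumptions made for the illustration; the Spring APIs used are real.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1: only requests under /api/** reach this HttpSecurity. FilterChainProxy
    // hands a request to the first chain whose matcher accepts it and never consults
    // later chains for that request, so the most specific matchers come first.
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().hasRole("API")
            )
            .httpBasic(withDefaults());
        return http.build();
    }

    // Chain 2: the admin area, expressed with a RequestMatcher instance as the
    // securityMatcher(RequestMatcher) Javadoc shows. No HTTP method is given on purpose:
    // a matcher such as new AntPathRequestMatcher("/admin/**", "GET") would send
    // POST /admin/... to chain 3 below, whose rules are weaker.
    @Bean
    @Order(2)
    public SecurityFilterChain adminFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(new AntPathRequestMatcher("/admin/**"))
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().hasRole("ADMIN")
            )
            .formLogin(withDefaults());
        return http.build();
    }

    // Chain 3: no securityMatcher at all, so it matches every remaining request.
    // It must be ordered last; placed first it would capture /api/** and /admin/**
    // too, and the two chains above would silently never run.
    @Bean
    @Order(3)
    public SecurityFilterChain defaultFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults());
        return http.build();
    }
}
```

A quick way to confirm which chain a request is routed to is to enable debug logging for FilterChainProxy (org.springframework.security.web.FilterChainProxy) and watch the "Securing GET /admin/users" lines, which name the chain that matched; if the default chain appears for an /api/ or /admin/ path, the @Order values or the matchers are wrong.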