Class WebSecurity
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.context.ApplicationContextAware
,SecurityBuilder<jakarta.servlet.Filter>
,org.springframework.web.context.ServletContextAware
The WebSecurity
is created by WebSecurityConfiguration
to create the
FilterChainProxy
known as the Spring Security Filter Chain
(springSecurityFilterChain). The springSecurityFilterChain is the Filter
that
the DelegatingFilterProxy
delegates to.
Customizations to the WebSecurity
can be made by creating a
WebSecurityConfigurer
or exposing a WebSecurityCustomizer
bean.
- Since:
- 3.2
- See Also:
-
Nested Class Summary
Modifier and TypeClassDescriptionclass
Allows registeringRequestMatcher
instances that should be ignored by Spring Security. -
Constructor Summary
ConstructorDescriptionWebSecurity
(ObjectPostProcessor<Object> objectPostProcessor) Creates a new instance -
Method Summary
Modifier and TypeMethodDescriptionaddSecurityFilterChainBuilder
(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder) Adds builders to createSecurityFilterChain
instances.debug
(boolean debugEnabled) Controls debugging support for Spring Security.expressionHandler
(SecurityExpressionHandler<FilterInvocation> expressionHandler) Set theSecurityExpressionHandler
to be used.Gets theSecurityExpressionHandler
to be used.Gets theWebInvocationPrivilegeEvaluator
to be used.httpFirewall
(HttpFirewall httpFirewall) Allows customizing theHttpFirewall
.ignoring()
Allows addingRequestMatcher
instances that Spring Security should ignore.protected jakarta.servlet.Filter
Subclasses must implement this method to build the object that is being returned.postBuildAction
(Runnable postBuildAction) Executes the Runnable immediately after the build takes placeprivilegeEvaluator
(WebInvocationPrivilegeEvaluator privilegeEvaluator) Set theWebInvocationPrivilegeEvaluator
to be used.requestRejectedHandler
(RequestRejectedHandler requestRejectedHandler) Sets the handler to handleRequestRejectedException
void
setApplicationContext
(org.springframework.context.ApplicationContext applicationContext) void
setServletContext
(jakarta.servlet.ServletContext servletContext) Methods inherited from class org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder
apply, beforeConfigure, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers, setSharedObject, with
Methods inherited from class org.springframework.security.config.annotation.AbstractSecurityBuilder
build, getObject
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.springframework.security.config.annotation.SecurityBuilder
build
-
Constructor Details
-
WebSecurity
Creates a new instance- Parameters:
objectPostProcessor
- theObjectPostProcessor
to use- See Also:
-
-
Method Details
-
ignoring
Allows adding
Example Usage:RequestMatcher
instances that Spring Security should ignore. Web Security provided by Spring Security (including theSecurityContext
) will not be available onHttpServletRequest
that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.webSecurityBuilder.ignoring() // ignore all URLs that start with /resources/ or /static/ .requestMatchers("/resources/**", "/static/**");
Alternatively this will accomplish the same result:webSecurityBuilder.ignoring() // ignore all URLs that start with /resources/ or /static/ .requestMatchers("/resources/**").requestMatchers("/static/**");
Multiple invocations of ignoring() are also additive, so the following is also equivalent to the previous two examples:webSecurityBuilder.ignoring() // ignore all URLs that start with /resources/ .requestMatchers("/resources/**"); webSecurityBuilder.ignoring() // ignore all URLs that start with /static/ .requestMatchers("/static/**"); // now both URLs that start with /resources/ and /static/ will be ignored
- Returns:
- the
WebSecurity.IgnoredRequestConfigurer
to use for registering request that should be ignored
-
httpFirewall
Allows customizing theHttpFirewall
. The default isStrictHttpFirewall
.- Parameters:
httpFirewall
- the customHttpFirewall
- Returns:
- the
WebSecurity
for further customizations
-
debug
Controls debugging support for Spring Security.- Parameters:
debugEnabled
- if true, enables debug support with Spring Security. Default is false.- Returns:
- the
WebSecurity
for further customization. - See Also:
-
addSecurityFilterChainBuilder
public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder) Adds builders to create
SecurityFilterChain
instances.Typically this method is invoked automatically within the framework from
WebSecurityConfiguration.springSecurityFilterChain()
- Parameters:
securityFilterChainBuilder
- the builder to use to create theSecurityFilterChain
instances- Returns:
- the
WebSecurity
for further customizations
-
privilegeEvaluator
Set theWebInvocationPrivilegeEvaluator
to be used. If this is not specified, then aRequestMatcherDelegatingWebInvocationPrivilegeEvaluator
will be created based on the list ofSecurityFilterChain
.- Parameters:
privilegeEvaluator
- theWebInvocationPrivilegeEvaluator
to use- Returns:
- the
WebSecurity
for further customizations
-
expressionHandler
Set theSecurityExpressionHandler
to be used. If this is not specified, then aDefaultWebSecurityExpressionHandler
will be used.- Parameters:
expressionHandler
- theSecurityExpressionHandler
to use- Returns:
- the
WebSecurity
for further customizations
-
getExpressionHandler
Gets theSecurityExpressionHandler
to be used.- Returns:
- the
SecurityExpressionHandler
for further customizations
-
getPrivilegeEvaluator
Gets theWebInvocationPrivilegeEvaluator
to be used.- Returns:
- the
WebInvocationPrivilegeEvaluator
for further customizations
-
postBuildAction
Executes the Runnable immediately after the build takes place- Parameters:
postBuildAction
-- Returns:
- the
WebSecurity
for further customizations
-
requestRejectedHandler
Sets the handler to handleRequestRejectedException
- Parameters:
requestRejectedHandler
-- Returns:
- the
WebSecurity
for further customizations - Since:
- 5.7
-
performBuild
Description copied from class:AbstractConfiguredSecurityBuilder
Subclasses must implement this method to build the object that is being returned.- Specified by:
performBuild
in classAbstractConfiguredSecurityBuilder<jakarta.servlet.Filter,
WebSecurity> - Returns:
- the Object to be buit or null if the implementation allows it
- Throws:
Exception
-
setApplicationContext
public void setApplicationContext(org.springframework.context.ApplicationContext applicationContext) throws org.springframework.beans.BeansException - Specified by:
setApplicationContext
in interfaceorg.springframework.context.ApplicationContextAware
- Throws:
org.springframework.beans.BeansException
-
setServletContext
public void setServletContext(jakarta.servlet.ServletContext servletContext) - Specified by:
setServletContext
in interfaceorg.springframework.web.context.ServletContextAware
-