public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<org.springframework.security.web.DefaultSecurityFilterChain,HttpSecurity> implements SecurityBuilder<org.springframework.security.web.DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity>
HttpSecurity is similar to Spring Security's XML <http> element in the
namespace configuration. It allows configuring web based security for specific http
requests. By default it will be applied to all requests, but can be restricted using
requestMatcher(RequestMatcher) or other similar methods.
HttpSecurity.
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
See Also: EnableWebSecurity

| Modifier and Type | Class | Description |
|---|---|---|
| class | HttpSecurity.MvcMatchersRequestMatcherConfigurer | An extension to HttpSecurity.RequestMatcherConfigurer that allows optionally configuring the servlet path. |
| class | HttpSecurity.RequestMatcherConfigurer | Allows mapping HTTP requests that this HttpSecurity will be used for |

| Constructor | Description |
|---|---|
| HttpSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, java.util.Map<java.lang.Class<?>,java.lang.Object> sharedObjects) | Creates a new instance |

| Modifier and Type | Method | Description |
|---|---|---|
| HttpSecurity | addFilter(javax.servlet.Filter filter) | Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework. |
| HttpSecurity | addFilterAfter(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> afterFilter) | Allows adding a Filter after one of the known Filter classes. |
| HttpSecurity | addFilterAt(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> atFilter) | Adds the Filter at the location of the specified Filter class. |
| HttpSecurity | addFilterBefore(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> beforeFilter) | Allows adding a Filter before one of the known Filter classes. |
| AnonymousConfigurer<HttpSecurity> | anonymous() | Allows configuring how an anonymous user is represented. |
| HttpSecurity | anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anonymousCustomizer) | Allows configuring how an anonymous user is represented. |
| HttpSecurity | antMatcher(java.lang.String antPattern) | Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern. |
| HttpSecurity | authenticationProvider(org.springframework.security.authentication.AuthenticationProvider authenticationProvider) | Allows adding an additional AuthenticationProvider to be used |
| ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry | authorizeRequests() | Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns). |
| HttpSecurity | authorizeRequests(Customizer<ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer) | Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations (i.e. via URL patterns). |
| protected void | beforeConfigure() | Invoked prior to invoking each SecurityConfigurer.configure(SecurityBuilder) method. |
| CorsConfigurer<HttpSecurity> | cors() | Adds a CorsFilter to be used. |
| HttpSecurity | cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer) | Adds a CorsFilter to be used. |
| CsrfConfigurer<HttpSecurity> | csrf() | Adds CSRF support. |
| HttpSecurity | csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer) | Adds CSRF support. |
| ExceptionHandlingConfigurer<HttpSecurity> | exceptionHandling() | Allows configuring exception handling. |
| HttpSecurity | exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer) | Allows configuring exception handling. |
| FormLoginConfigurer<HttpSecurity> | formLogin() | Specifies to support form based authentication. |
| HttpSecurity | formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> formLoginCustomizer) | Specifies to support form based authentication. |
| HeadersConfigurer<HttpSecurity> | headers() | Adds the Security headers to the response. |
| HttpSecurity | headers(Customizer<HeadersConfigurer<HttpSecurity>> headersCustomizer) | Adds the Security headers to the response. |
| HttpBasicConfigurer<HttpSecurity> | httpBasic() | Configures HTTP Basic authentication. |
| HttpSecurity | httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> httpBasicCustomizer) | Configures HTTP Basic authentication. |
| JeeConfigurer<HttpSecurity> | jee() | Configures container based pre authentication. |
| HttpSecurity | jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer) | Configures container based pre authentication. |
| LogoutConfigurer<HttpSecurity> | logout() | Provides logout support. |
| HttpSecurity | logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer) | Provides logout support. |
| HttpSecurity | mvcMatcher(java.lang.String mvcPattern) | Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern. |
| OAuth2ClientConfigurer<HttpSecurity> | oauth2Client() | Configures OAuth 2.0 Client support. |
| HttpSecurity | oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>> oauth2ClientCustomizer) | Configures OAuth 2.0 Client support. |
| OAuth2LoginConfigurer<HttpSecurity> | oauth2Login() | Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider. |
| HttpSecurity | oauth2Login(Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginCustomizer) | Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider. |
| OAuth2ResourceServerConfigurer<HttpSecurity> | oauth2ResourceServer() | Configures OAuth 2.0 Resource Server support. |
| HttpSecurity | oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer) | Configures OAuth 2.0 Resource Server support. |
| OpenIDLoginConfigurer<HttpSecurity> | openidLogin() | Allows configuring OpenID based authentication. |
| HttpSecurity | openidLogin(Customizer<OpenIDLoginConfigurer<HttpSecurity>> openidLoginCustomizer) | Allows configuring OpenID based authentication. |
| protected org.springframework.security.web.DefaultSecurityFilterChain | performBuild() | Subclasses must implement this method to build the object that is being returned. |
| PortMapperConfigurer<HttpSecurity> | portMapper() | Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). |
| HttpSecurity | portMapper(Customizer<PortMapperConfigurer<HttpSecurity>> portMapperCustomizer) | Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class). |
| HttpSecurity | regexMatcher(java.lang.String pattern) | Allows configuring the HttpSecurity to only be invoked when matching the provided regex pattern. |
| RememberMeConfigurer<HttpSecurity> | rememberMe() | Allows configuring of Remember Me authentication. |
| HttpSecurity | rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> rememberMeCustomizer) | Allows configuring of Remember Me authentication. |
| RequestCacheConfigurer<HttpSecurity> | requestCache() | Allows configuring the Request Cache. |
| HttpSecurity | requestCache(Customizer<RequestCacheConfigurer<HttpSecurity>> requestCacheCustomizer) | Allows configuring the Request Cache. |
| HttpSecurity | requestMatcher(org.springframework.security.web.util.matcher.RequestMatcher requestMatcher) | Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher. |
| HttpSecurity.RequestMatcherConfigurer | requestMatchers() | Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. |
| HttpSecurity | requestMatchers(Customizer<HttpSecurity.RequestMatcherConfigurer> requestMatcherCustomizer) | Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. |
| ChannelSecurityConfigurer.ChannelRequestMatcherRegistry | requiresChannel() | Configures channel security. |
| HttpSecurity | requiresChannel(Customizer<ChannelSecurityConfigurer.ChannelRequestMatcherRegistry> requiresChannelCustomizer) | Configures channel security. |
| Saml2LoginConfigurer<HttpSecurity> | saml2Login() | Configures authentication support using an SAML 2.0 Service Provider. |
| HttpSecurity | saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> saml2LoginCustomizer) | Configures authentication support using an SAML 2.0 Service Provider. |
| SecurityContextConfigurer<HttpSecurity> | securityContext() | Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequest's. |
| HttpSecurity | securityContext(Customizer<SecurityContextConfigurer<HttpSecurity>> securityContextCustomizer) | Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequest's. |
| ServletApiConfigurer<HttpSecurity> | servletApi() | Integrates the HttpServletRequest methods with the values found on the SecurityContext. |
| HttpSecurity | servletApi(Customizer<ServletApiConfigurer<HttpSecurity>> servletApiCustomizer) | Integrates the HttpServletRequest methods with the values found on the SecurityContext. |
| SessionManagementConfigurer<HttpSecurity> | sessionManagement() | Allows configuring of Session Management. |
| HttpSecurity | sessionManagement(Customizer<SessionManagementConfigurer<HttpSecurity>> sessionManagementCustomizer) | Allows configuring of Session Management. |
| <C> void | setSharedObject(java.lang.Class<C> sharedType, C object) | Sets an object that is shared by multiple SecurityConfigurer. |
| HttpSecurity | userDetailsService(org.springframework.security.core.userdetails.UserDetailsService userDetailsService) | Allows adding an additional UserDetailsService to be used |
| X509Configurer<HttpSecurity> | x509() | Configures X509 based pre authentication. |
| HttpSecurity | x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer) | Configures X509 based pre authentication. |

Methods inherited from class AbstractConfiguredSecurityBuilder: apply, apply, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers

Methods inherited from class AbstractSecurityBuilder: build, getObject

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface HttpSecurityBuilder: getConfigurer, getSharedObject, removeConfigurer

Methods inherited from interface SecurityBuilder: build

public HttpSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, java.util.Map<java.lang.Class<?>,java.lang.Object> sharedObjects)
Parameters:
objectPostProcessor - the ObjectPostProcessor that should be used
authenticationBuilder - the AuthenticationManagerBuilder to use for additional updates
sharedObjects - the shared Objects to initialize the HttpSecurity with
See Also: WebSecurityConfiguration

public OpenIDLoginConfigurer<HttpSecurity> openidLogin() throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasRole("USER").and().openidLogin()
                .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                // the username must match the OpenID of the user you are
                // logging in with
                .withUser(
                        "https://www.google.com/accounts/o8/id?id=lmkCn9xzPdsxVwG7pjYMuDgNNdASFmobNkcRPaWU")
                .password("password").roles("USER");
    }
}
A more advanced example demonstrating using attribute exchange and providing a
custom AuthenticationUserDetailsService that will make any user that authenticates
a valid user.
@Configuration
@EnableWebSecurity
public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**")
                .hasRole("USER")
                .and()
            .openidLogin()
                .loginPage("/login")
                .permitAll()
                .authenticationUserDetailsService(
                        new AutoProvisioningUserDetailsService())
                .attributeExchange("https://www.google.com/.*").attribute("email")
                .type("https://axschema.org/contact/email").required(true).and()
                .attribute("firstname").type("https://axschema.org/namePerson/first")
                .required(true).and().attribute("lastname")
                .type("https://axschema.org/namePerson/last").required(true).and().and()
                .attributeExchange(".*yahoo.com.*").attribute("email")
                .type("https://schema.openid.net/contact/email").required(true).and()
                .attribute("fullname").type("https://axschema.org/namePerson")
                .required(true).and().and().attributeExchange(".*myopenid.com.*")
                .attribute("email").type("https://schema.openid.net/contact/email")
                .required(true).and().attribute("fullname")
                .type("https://schema.openid.net/namePerson").required(true);
    }
}

public class AutoProvisioningUserDetailsService implements
        AuthenticationUserDetailsService<OpenIDAuthenticationToken> {
    // Accepts every authenticated OpenID identity and grants it ROLE_USER
    public UserDetails loadUserDetails(OpenIDAuthenticationToken token)
            throws UsernameNotFoundException {
        return new User(token.getName(), "NOTUSED",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
Returns: the OpenIDLoginConfigurer for further customizations.
Throws: java.lang.Exception
See Also: OpenIDLoginConfigurer

public HttpSecurity openidLogin(Customizer<OpenIDLoginConfigurer<HttpSecurity>> openidLoginCustomizer) throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .openidLogin(openidLogin ->
                openidLogin
                    .permitAll()
            );
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                // the username must match the OpenID of the user you are
                // logging in with
                .withUser(
                        "https://www.google.com/accounts/o8/id?id=lmkCn9xzPdsxVwG7pjYMuDgNNdASFmobNkcRPaWU")
                .password("password").roles("USER");
    }
}
A more advanced example demonstrating using attribute exchange and providing a
custom AuthenticationUserDetailsService that will make any user that authenticates
a valid user.
@Configuration
@EnableWebSecurity
public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.openidLogin(openidLogin ->
openidLogin
.loginPage("/login")
.permitAll()
.authenticationUserDetailsService(
new AutoProvisioningUserDetailsService())
.attributeExchange(googleExchange ->
googleExchange
.identifierPattern("https://www.google.com/.*")
.attribute(emailAttribute ->
emailAttribute
.name("email")
.type("https://axschema.org/contact/email")
.required(true)
)
.attribute(firstnameAttribute ->
firstnameAttribute
.name("firstname")
.type("https://axschema.org/namePerson/first")
.required(true)
)
.attribute(lastnameAttribute ->
lastnameAttribute
.name("lastname")
.type("https://axschema.org/namePerson/last")
.required(true)
)
)
.attributeExchange(yahooExchange ->
yahooExchange
.identifierPattern(".*yahoo.com.*")
.attribute(emailAttribute ->
emailAttribute
.name("email")
.type("https://schema.openid.net/contact/email")
.required(true)
)
.attribute(fullnameAttribute ->
fullnameAttribute
.name("fullname")
.type("https://axschema.org/namePerson")
.required(true)
)
)
);
}
}
public class AutoProvisioningUserDetailsService implements
AuthenticationUserDetailsService<OpenIDAuthenticationToken> {
public UserDetails loadUserDetails(OpenIDAuthenticationToken token)
throws UsernameNotFoundException {
return new User(token.getName(), "NOTUSED",
AuthorityUtils.createAuthorityList("ROLE_USER"));
}
}
Parameters: openidLoginCustomizer - the Customizer to provide more options for the OpenIDLoginConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
See Also: OpenIDLoginConfigurer

public HeadersConfigurer<HttpSecurity> headers() throws java.lang.Exception
WebSecurityConfigurerAdapter's default constructor. Accepting the
default provided by WebSecurityConfigurerAdapter or only invoking
headers() without invoking additional methods on it, is the equivalent of:
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers()
.contentTypeOptions()
.and()
.xssProtection()
.and()
.cacheControl()
.and()
.httpStrictTransportSecurity()
.and()
.frameOptions()
.and()
...;
}
}
You can disable the headers using the following:
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers().disable()
...;
}
}
You can enable only a few of the headers by first invoking
HeadersConfigurer.defaultsDisabled()
and then invoking the appropriate methods on the headers() result.
For example, the following will enable HeadersConfigurer.cacheControl() and
HeadersConfigurer.frameOptions() only.
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers()
.defaultsDisabled()
.cacheControl()
.and()
.frameOptions()
.and()
...;
}
}
You can also choose to keep the defaults but explicitly disable a subset of headers.
For example, the following will enable all the default headers except
HeadersConfigurer.frameOptions().
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers()
.frameOptions()
.disable()
.and()
...;
}
}
Returns: the HeadersConfigurer for further customizations
Throws: java.lang.Exception
See Also: HeadersConfigurer

public HttpSecurity headers(Customizer<HeadersConfigurer<HttpSecurity>> headersCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter's default constructor. Accepting the
default provided by WebSecurityConfigurerAdapter or only invoking
headers() without invoking additional methods on it, is the equivalent of:
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers(headers ->
                headers
                    .contentTypeOptions(withDefaults())
                    .xssProtection(withDefaults())
                    .cacheControl(withDefaults())
                    .httpStrictTransportSecurity(withDefaults())
                    .frameOptions(withDefaults())
            );
    }
}
You can disable the headers using the following:
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers(headers -> headers.disable());
}
}
You can enable only a few of the headers by first invoking
HeadersConfigurer.defaultsDisabled()
and then invoking the appropriate methods on the headers() result.
For example, the following will enable HeadersConfigurer.cacheControl() and
HeadersConfigurer.frameOptions() only.
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers(headers ->
headers
.defaultsDisabled()
.cacheControl(withDefaults())
.frameOptions(withDefaults())
);
}
}
You can also choose to keep the defaults but explicitly disable a subset of headers.
For example, the following will enable all the default headers except
HeadersConfigurer.frameOptions().
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers(headers ->
                headers
                    .frameOptions(frameOptions -> frameOptions.disable())
            );
    }
}
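
Where the default frame-options setting is too strict, relaxing it is an alternative to disabling the header. The following is an added example, not taken from the Spring Security Javadoc: it keeps the default headers, allows same-origin framing, sets HSTS values explicitly and adds a Content-Security-Policy. The class name, the max-age value and the policy string are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class TunedHeadersSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical name
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers(headers ->
                headers
                    // Send X-Frame-Options: SAMEORIGIN rather than removing the header
                    .frameOptions(frameOptions -> frameOptions.sameOrigin())
                    // HSTS values set explicitly (illustrative one-year max-age)
                    .httpStrictTransportSecurity(hsts ->
                        hsts
                            .includeSubDomains(true)
                            .maxAgeInSeconds(31536000)
                    )
                    // Placeholder policy; frame-ancestors mirrors the SAMEORIGIN choice
                    .contentSecurityPolicy(csp ->
                        csp.policyDirectives("default-src 'self'; frame-ancestors 'self'")
                    )
            );
    }
}
```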
Parameters: headersCustomizer - the Customizer to provide more options for the HeadersConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception

public CorsConfigurer<HttpSecurity> cors() throws java.lang.Exception
Adds a CorsFilter to be used. If a bean by the name of corsFilter is
provided, that CorsFilter is used. Else if corsConfigurationSource is
defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is
on the classpath a HandlerMappingIntrospector is used.
Returns: the CorsConfigurer for customizations
Throws: java.lang.Exception

public HttpSecurity cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer) throws java.lang.Exception
Adds a CorsFilter to be used. If a bean by the name of corsFilter is
provided, that CorsFilter is used. Else if corsConfigurationSource is
defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is
on the classpath a HandlerMappingIntrospector is used.
You can enable CORS using:
@Configuration
@EnableWebSecurity
public class CorsSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors(withDefaults());
}
}
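
The lookup order described above means cors() picks up a bean named corsConfigurationSource when no corsFilter bean exists. The following is an added example, not taken from the Spring Security Javadoc, that supplies such a bean with an explicit allowlist. The origin https://app.example.com, the /api/** path and the class name are placeholders.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class CorsSourceSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // No corsFilter bean is defined, so the corsConfigurationSource bean below is used
        http.cors(withDefaults());
    }

    // The method name gives the bean the name "corsConfigurationSource"
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Explicit origin list (placeholder); the wildcard "*" cannot be
        // combined with credentialed requests
        config.setAllowedOrigins(Collections.singletonList("https://app.example.com"));
        config.setAllowedMethods(Arrays.asList("GET", "POST"));
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        config.setAllowCredentials(true);
        // How long browsers may cache the preflight response, in seconds
        config.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Only paths under /api/ (placeholder) receive CORS headers
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```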
Parameters: corsCustomizer - the Customizer to provide more options for the CorsConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception

public SessionManagementConfigurer<HttpSecurity> sessionManagement() throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class SessionManagementSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin()
.permitAll().and().sessionManagement().maximumSessions(1)
.expiredUrl("/login?expired");
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
When using SessionManagementConfigurer.maximumSessions(int), do not forget
to configure HttpSessionEventPublisher for the application to ensure that
expired sessions are cleaned up.
In a web.xml this can be configured using the following:
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
Alternatively,
AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher()
could return true.
Returns: the SessionManagementConfigurer for further customizations
Throws: java.lang.Exception

public HttpSecurity sessionManagement(Customizer<SessionManagementConfigurer<HttpSecurity>> sessionManagementCustomizer) throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class SessionManagementSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().hasRole("USER")
)
.formLogin(formLogin ->
formLogin
.permitAll()
)
.sessionManagement(sessionManagement ->
sessionManagement
.sessionConcurrency(sessionConcurrency ->
sessionConcurrency
.maximumSessions(1)
.expiredUrl("/login?expired")
)
);
}
}
When using SessionManagementConfigurer.maximumSessions(int), do not forget
to configure HttpSessionEventPublisher for the application to ensure that
expired sessions are cleaned up.
In a web.xml this can be configured using the following:
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
Alternatively,
AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher()
could return true.
Parameters: sessionManagementCustomizer - the Customizer to provide more options for the SessionManagementConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception

public PortMapperConfigurer<HttpSecurity> portMapper() throws java.lang.Exception
Allows configuring a PortMapper that is available from
AbstractConfiguredSecurityBuilder.getSharedObject(Class). Other provided
SecurityConfigurer objects use this configured PortMapper as a
default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to
HTTP (for example when used in combination with requiresChannel()). By
default Spring Security uses a PortMapperImpl which maps the HTTP port 8080
to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.
@Configuration
@EnableWebSecurity
public class PortMapperSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
.permitAll().and()
// Example portMapper() configuration
.portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
Returns: the PortMapperConfigurer for further customizations
Throws: java.lang.Exception
See Also: requiresChannel()

public HttpSecurity portMapper(Customizer<PortMapperConfigurer<HttpSecurity>> portMapperCustomizer) throws java.lang.Exception
Allows configuring a PortMapper that is available from
AbstractConfiguredSecurityBuilder.getSharedObject(Class). Other provided
SecurityConfigurer objects use this configured PortMapper as a
default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to
HTTP (for example when used in combination with requiresChannel()). By
default Spring Security uses a PortMapperImpl which maps the HTTP port 8080
to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.
@Configuration
@EnableWebSecurity
public class PortMapperSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.requiresChannel(requiresChannel ->
requiresChannel
.anyRequest().requiresSecure()
)
.portMapper(portMapper ->
portMapper
.http(9090).mapsTo(9443)
.http(80).mapsTo(443)
);
}
}
Parameters: portMapperCustomizer - the Customizer to provide more options for the PortMapperConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
See Also: requiresChannel()

public JeeConfigurer<HttpSecurity> jee() throws java.lang.Exception
HttpServletRequest and if the user is in the role "ROLE_USER" or
"ROLE_ADMIN" will add that to the resulting Authentication.
@Configuration
@EnableWebSecurity
public class JeeSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and()
// Example jee() configuration
.jee().mappableRoles("USER", "ADMIN");
}
}
Developers wishing to use pre authentication with the container will need to ensure
their web.xml configures the security constraints. For example, the web.xml (there
is no equivalent Java based configuration supported by the Servlet specification)
might look like:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/login?error</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>ROLE_USER</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public</web-resource-name>
<description>Matches unconstrained pages</description>
<url-pattern>/login</url-pattern>
<url-pattern>/logout</url-pattern>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured Areas</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE_USER</role-name>
</auth-constraint>
</security-constraint>
Last you will need to configure your container to contain the user with the correct
roles. This configuration is specific to the Servlet Container, so consult your
Servlet Container's documentation.
Returns: the JeeConfigurer for further customizations
Throws: java.lang.Exception

public HttpSecurity jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer) throws java.lang.Exception
HttpServletRequest and if the user is in the role "ROLE_USER" or
"ROLE_ADMIN" will add that to the resulting Authentication.
@Configuration
@EnableWebSecurity
public class JeeSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.jee(jee ->
jee
.mappableRoles("USER", "ADMIN")
);
}
}
Developers wishing to use pre authentication with the container will need to ensure
their web.xml configures the security constraints. For example, the web.xml (there
is no equivalent Java based configuration supported by the Servlet specification)
might look like:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/login?error</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>ROLE_USER</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public</web-resource-name>
<description>Matches unconstrained pages</description>
<url-pattern>/login</url-pattern>
<url-pattern>/logout</url-pattern>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured Areas</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE_USER</role-name>
</auth-constraint>
</security-constraint>
Last you will need to configure your container to contain the user with the correct
roles. This configuration is specific to the Servlet Container, so consult your
Servlet Container's documentation.
Parameters: jeeCustomizer - the Customizer to provide more options for the JeeConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception

public X509Configurer<HttpSecurity> x509() throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class X509SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and()
// Example x509() configuration
.x509();
}
}
Returns: the X509Configurer for further customizations
Throws: java.lang.Exception

public HttpSecurity x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer) throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class X509SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.x509(withDefaults());
}
}
Parameters: x509Customizer - the Customizer to provide more options for the X509Configurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception

public RememberMeConfigurer<HttpSecurity> rememberMe() throws java.lang.Exception
HttpSession expires.
@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
.permitAll().and()
// Example Remember Me Configuration
.rememberMe();
}
}
Returns: the RememberMeConfigurer for further customizations
Throws: java.lang.Exception

public HttpSecurity rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> rememberMeCustomizer) throws java.lang.Exception
HttpSession expires.
@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.formLogin(withDefaults())
.rememberMe(withDefaults());
}
}
Parameters: rememberMeCustomizer - the Customizer to provide more options for the RememberMeConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry authorizeRequests() throws java.lang.Exception
HttpServletRequest using
RequestMatcher implementations (i.e. via URL patterns).
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
.and().withUser("admin").password("password").roles("ADMIN", "USER");
}
}
We can also configure multiple URLs. The configuration below requires
authentication to every URL and will grant access to URLs starting with /admin/ to
only the "admin" user. All other URLs either user can access.
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/**").hasRole("USER").and().formLogin();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
.and().withUser("admin").password("password").roles("ADMIN", "USER");
}
}
Note that the matchers are considered in order. Therefore, the following is invalid
because the first matcher matches every request and will never get to the second
mapping:
http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**")
.hasRole("ADMIN")
Returns: the ExpressionUrlAuthorizationConfigurer for further customizations
Throws: java.lang.Exception
See Also: requestMatcher(RequestMatcher)
public HttpSecurity authorizeRequests(Customizer<ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer) throws java.lang.Exception
HttpServletRequest using
RequestMatcher implementations (i.e. via URL patterns).
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.formLogin(withDefaults());
}
}
We can also configure multiple URLs. The configuration below requires
authentication to every URL and will grant access to URLs starting with /admin/ to
only the "admin" user. All other URLs either user can access.
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/**").hasRole("USER")
)
.formLogin(withDefaults());
}
}
Note that the matchers are considered in order. Therefore, the following is invalid
because the first matcher matches every request and will never get to the second
mapping:
@Configuration
@EnableWebSecurity
public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
.antMatchers("/admin/**").hasRole("ADMIN")
);
}
}
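The first-match-wins behaviour described above can be checked offline before a configuration ships. The following is an added example, not Spring Security code: it models an ordered rule list with spring-core's AntPathMatcher (which must be on the classpath) and reports rules that never decide any probe path. The Rule type, the method names and the probe paths are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.util.AntPathMatcher;

// Added illustration, not part of Spring Security: a model of how an ordered
// list of antMatchers(...) rules is evaluated (the first matching rule decides).
public class MatcherOrderCheck {

    // Hypothetical rule type: an Ant pattern and the role it requires.
    static final class Rule {
        final String pattern;
        final String role;

        Rule(String pattern, String role) {
            this.pattern = pattern;
            this.role = role;
        }

        @Override
        public String toString() {
            return pattern + " -> ROLE_" + role;
        }
    }

    private static final AntPathMatcher ANT = new AntPathMatcher();

    // Returns the first rule whose pattern matches the path, or null if none matches.
    static Rule decidingRule(List<Rule> rules, String path) {
        for (Rule rule : rules) {
            if (ANT.match(rule.pattern, path)) {
                return rule;
            }
        }
        return null;
    }

    // Returns the rules that decided none of the probe paths. A rule listed here
    // is either shadowed by an earlier rule or not covered by the probes.
    static List<Rule> neverDeciding(List<Rule> rules, List<String> probes) {
        List<Rule> unused = new ArrayList<>(rules);
        for (String probe : probes) {
            Rule hit = decidingRule(rules, probe);
            if (hit != null) {
                unused.remove(hit);
            }
        }
        return unused;
    }

    // Prints which rule decides each probe and which rules were never reached.
    static void report(String label, List<Rule> rules, List<String> probes) {
        System.out.println(label);
        for (String probe : probes) {
            System.out.println("  " + probe + " decided by " + decidingRule(rules, probe));
        }
        System.out.println("  never deciding: " + neverDeciding(rules, probes));
    }

    public static void main(String[] args) {
        // Constructed probe paths: one per area the rules are meant to separate.
        List<String> probes = Arrays.asList("/admin/users", "/account/profile");

        // Ordering the page calls invalid: "/**" comes first and matches everything.
        List<Rule> broad = Arrays.asList(
                new Rule("/**", "USER"),
                new Rule("/admin/**", "ADMIN"));

        // Ordering the page uses in its valid example: most specific pattern first.
        List<Rule> specific = Arrays.asList(
                new Rule("/admin/**", "ADMIN"),
                new Rule("/**", "USER"));

        report("catch-all first", broad, probes);
        report("specific first", specific, probes);
    }
}
```

With the catch-all first, the /admin/** rule is reported as never deciding, which means a principal holding only ROLE_USER would be allowed through to admin URLs.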
Parameters: authorizeRequestsCustomizer - the Customizer to provide more options for the ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
See Also: requestMatcher(RequestMatcher)
public RequestCacheConfigurer<HttpSecurity> requestCache() throws java.lang.Exception
WebSecurityConfigurerAdapter.
Returns: the RequestCacheConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity requestCache(Customizer<RequestCacheConfigurer<HttpSecurity>> requestCacheCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter.
@Configuration
@EnableWebSecurity
public class RequestCacheDisabledSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.requestCache(requestCache ->
requestCache.disable()
);
}
}
Parameters: requestCacheCustomizer - the Customizer to provide more options for the RequestCacheConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling() throws java.lang.Exception
WebSecurityConfigurerAdapter.
Returns: the ExceptionHandlingConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter.
@Configuration
@EnableWebSecurity
public class ExceptionHandlingSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
// sample exception handling customization
.exceptionHandling(exceptionHandling ->
exceptionHandling
.accessDeniedPage("/errors/access-denied")
);
}
}
Parameters: exceptionHandlingCustomizer - the Customizer to provide more options for the ExceptionHandlingConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public SecurityContextConfigurer<HttpSecurity> securityContext() throws java.lang.Exception
SecurityContext on the
SecurityContextHolder between HttpServletRequest's. This is
automatically applied when using WebSecurityConfigurerAdapter.
Returns: the SecurityContextConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity securityContext(Customizer<SecurityContextConfigurer<HttpSecurity>> securityContextCustomizer) throws java.lang.Exception
SecurityContext on the
SecurityContextHolder between HttpServletRequest's. This is
automatically applied when using WebSecurityConfigurerAdapter.
The following customization specifies the shared SecurityContextRepository
@Configuration
@EnableWebSecurity
public class SecurityContextSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.securityContext(securityContext ->
securityContext
.securityContextRepository(SCR)
);
}
}
Parameters: securityContextCustomizer - the Customizer to provide more options for the SecurityContextConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public ServletApiConfigurer<HttpSecurity> servletApi() throws java.lang.Exception
HttpServletRequest methods with the values found on the
SecurityContext. This is automatically applied when using
WebSecurityConfigurerAdapter.
Returns: the ServletApiConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity servletApi(Customizer<ServletApiConfigurer<HttpSecurity>> servletApiCustomizer) throws java.lang.Exception
HttpServletRequest methods with the values found on the
SecurityContext. This is automatically applied when using
WebSecurityConfigurerAdapter. You can disable it using:
@Configuration
@EnableWebSecurity
public class ServletApiSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.servletApi(servletApi ->
servletApi.disable()
);
}
}
Parameters: servletApiCustomizer - the Customizer to provide more options for the ServletApiConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public CsrfConfigurer<HttpSecurity> csrf() throws java.lang.Exception
WebSecurityConfigurerAdapter's default constructor. You can disable it
using:
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
...;
}
}
Returns: the CsrfConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter's default constructor. You can disable it
using:
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable());
}
}
Parameters: csrfCustomizer - the Customizer to provide more options for the CsrfConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public LogoutConfigurer<HttpSecurity> logout() throws java.lang.Exception
WebSecurityConfigurerAdapter. The default is that accessing the URL
"/logout" will log the user out by invalidating the HTTP Session, cleaning up any
rememberMe() authentication that was configured, clearing the
SecurityContextHolder, and then redirect to "/login?success".
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
.and()
// sample logout customization
.logout().deleteCookies("remove").invalidateHttpSession(false)
.logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success");
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
Returns: the LogoutConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter. The default is that accessing the URL
"/logout" will log the user out by invalidating the HTTP Session, cleaning up any
rememberMe() authentication that was configured, clearing the
SecurityContextHolder, and then redirect to "/login?success".
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.formLogin(withDefaults())
// sample logout customization
.logout(logout ->
logout.deleteCookies("remove")
.invalidateHttpSession(false)
.logoutUrl("/custom-logout")
.logoutSuccessUrl("/logout-success")
);
}
}
Parameters: logoutCustomizer - the Customizer to provide more options for the LogoutConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public AnonymousConfigurer<HttpSecurity> anonymous() throws java.lang.Exception
WebSecurityConfigurerAdapter. By
default anonymous users will be represented with an
AnonymousAuthenticationToken
and contain the role "ROLE_ANONYMOUS".
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/**").hasRole("USER")
.and()
.formLogin()
.and()
// sample anonymous customization
.anonymous().authorities("ROLE_ANON");
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
The following demonstrates how to represent anonymous users as null. Note that this
can cause NullPointerException in code that assumes anonymous
authentication is enabled.
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/**").hasRole("USER")
.and()
.formLogin()
.and()
// sample anonymous customization
.anonymous().disable();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
Returns: the AnonymousConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anonymousCustomizer) throws java.lang.Exception
WebSecurityConfigurerAdapter. By
default anonymous users will be represented with an
AnonymousAuthenticationToken
and contain the role "ROLE_ANONYMOUS".
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.formLogin(withDefaults())
// sample anonymous customization
.anonymous(anonymous ->
anonymous
.authorities("ROLE_ANON")
);
}
}
The following demonstrates how to represent anonymous users as null. Note that this
can cause NullPointerException in code that assumes anonymous
authentication is enabled.
@Configuration
@EnableWebSecurity
public class AnonymousSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.formLogin(withDefaults())
// sample anonymous customization
.anonymous(anonymous ->
anonymous.disable()
);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
Parameters: anonymousCustomizer - the Customizer to provide more options for the AnonymousConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public FormLoginConfigurer<HttpSecurity> formLogin() throws java.lang.Exception
FormLoginConfigurer.loginPage(String) is not specified a default login page
will be generated.
FormLoginConfigurer.loginPage(String)
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
The configuration below demonstrates customizing the defaults.
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
.usernameParameter("username") // default is username
.passwordParameter("password") // default is password
.loginPage("/authentication/login") // default is /login with an HTTP get
.failureUrl("/authentication/login?failed") // default is /login?error
.loginProcessingUrl("/authentication/login/process"); // default is /login with an HTTP post
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
Returns: the FormLoginConfigurer for further customizations
Throws: java.lang.Exception
See Also: FormLoginConfigurer.loginPage(String)
public HttpSecurity formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> formLoginCustomizer) throws java.lang.Exception
FormLoginConfigurer.loginPage(String) is not specified a default login page
will be generated.
FormLoginConfigurer.loginPage(String)
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.formLogin(withDefaults());
}
}
The configuration below demonstrates customizing the defaults.
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.formLogin(formLogin ->
formLogin
.usernameParameter("username")
.passwordParameter("password")
.loginPage("/authentication/login")
.failureUrl("/authentication/login?failed")
.loginProcessingUrl("/authentication/login/process")
);
}
}
Parameters: formLoginCustomizer - the Customizer to provide more options for the FormLoginConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
See Also: FormLoginConfigurer.loginPage(String)
public Saml2LoginConfigurer<HttpSecurity> saml2Login() throws java.lang.Exception
RelyingPartyRegistration.
RelyingPartyRegistration(s) are composed within a
RelyingPartyRegistrationRepository,
which is required and must be registered with the ApplicationContext or
configured via saml2Login().relyingPartyRegistrationRepository(..).
"/login" and
redirects to "/login?error" when an authentication error occurs.
The login page will display each of the identity providers with a link
that is capable of initiating the "authentication flow".
@Configuration
public class Saml2LoginConfig {
@EnableWebSecurity
public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.saml2Login();
}
}
@Bean
public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
}
private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
//remote IDP entity ID
String idpEntityId = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php";
//remote WebSSO Endpoint - Where to Send AuthNRequests to
String webSsoEndpoint = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SSOService.php";
//local registration ID
String registrationId = "simplesamlphp";
//local entity ID - autogenerated based on URL
String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
//local signing (and decryption key)
Saml2X509Credential signingCredential = getSigningCredential();
//IDP certificate for verification of incoming messages
Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
return RelyingPartyRegistration.withRegistrationId(registrationId)
.remoteIdpEntityId(idpEntityId)
.idpWebSsoUrl(webSsoEndpoint)
.credential(signingCredential)
.credential(idpVerificationCertificate)
.localEntityIdTemplate(localEntityIdTemplate)
.build();
}
}
Returns: the Saml2LoginConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> saml2LoginCustomizer) throws java.lang.Exception
RelyingPartyRegistration.
RelyingPartyRegistration(s) are composed within a
RelyingPartyRegistrationRepository,
which is required and must be registered with the ApplicationContext or
configured via saml2Login().relyingPartyRegistrationRepository(..).
"/login" and
redirects to "/login?error" when an authentication error occurs.
The login page will display each of the identity providers with a link
that is capable of initiating the "authentication flow".
@Configuration
public class Saml2LoginConfig {
@EnableWebSecurity
public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.saml2Login(withDefaults());
}
}
@Bean
public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
}
private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
//remote IDP entity ID
String idpEntityId = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php";
//remote WebSSO Endpoint - Where to Send AuthNRequests to
String webSsoEndpoint = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SSOService.php";
//local registration ID
String registrationId = "simplesamlphp";
//local entity ID - autogenerated based on URL
String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
//local signing (and decryption key)
Saml2X509Credential signingCredential = getSigningCredential();
//IDP certificate for verification of incoming messages
Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
return RelyingPartyRegistration.withRegistrationId(registrationId)
.remoteIdpEntityId(idpEntityId)
.idpWebSsoUrl(webSsoEndpoint)
.credential(signingCredential)
.credential(idpVerificationCertificate)
.localEntityIdTemplate(localEntityIdTemplate)
.build();
}
}
Parameters: saml2LoginCustomizer - the Customizer to provide more options for the Saml2LoginConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public OAuth2LoginConfigurer<HttpSecurity> oauth2Login() throws java.lang.Exception
ClientRegistration using a
ClientRegistration.Builder.
ClientRegistration(s) are composed within a
ClientRegistrationRepository,
which is required and must be registered with the ApplicationContext or
configured via oauth2Login().clientRegistrationRepository(..).
"/login" and
redirects to "/login?error" when an authentication error occurs.
The login page will display each of the clients with a link
that is capable of initiating the "authentication flow".
@Configuration
public class OAuth2LoginConfig {
@EnableWebSecurity
public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2Login();
}
}
@Bean
public ClientRegistrationRepository clientRegistrationRepository() {
return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
}
private ClientRegistration googleClientRegistration() {
return ClientRegistration.withRegistrationId("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
.scope("openid", "profile", "email", "address", "phone")
.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
.tokenUri("https://www.googleapis.com/oauth2/v4/token")
.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
.userNameAttributeName(IdTokenClaimNames.SUB)
.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
.clientName("Google")
.build();
}
}
For more advanced configuration, see OAuth2LoginConfigurer for available options to customize the defaults.
Returns: the OAuth2LoginConfigurer for further customizations
Throws: java.lang.Exception
See Also: ClientRegistration, ClientRegistrationRepository
public HttpSecurity oauth2Login(Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginCustomizer) throws java.lang.Exception
ClientRegistration using a
ClientRegistration.Builder.
ClientRegistration(s) are composed within a
ClientRegistrationRepository,
which is required and must be registered with the ApplicationContext or
configured via oauth2Login().clientRegistrationRepository(..).
"/login" and
redirects to "/login?error" when an authentication error occurs.
The login page will display each of the clients with a link
that is capable of initiating the "authentication flow".
@Configuration
public class OAuth2LoginConfig {
@EnableWebSecurity
public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
)
.oauth2Login(withDefaults());
}
}
@Bean
public ClientRegistrationRepository clientRegistrationRepository() {
return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
}
private ClientRegistration googleClientRegistration() {
return ClientRegistration.withRegistrationId("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
.scope("openid", "profile", "email", "address", "phone")
.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
.tokenUri("https://www.googleapis.com/oauth2/v4/token")
.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
.userNameAttributeName(IdTokenClaimNames.SUB)
.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
.clientName("Google")
.build();
}
}
For more advanced configuration, see OAuth2LoginConfigurer for available options to customize the defaults.
Parameters: oauth2LoginCustomizer - the Customizer to provide more options for the OAuth2LoginConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
See Also: ClientRegistration, ClientRegistrationRepository
public OAuth2ClientConfigurer<HttpSecurity> oauth2Client() throws java.lang.Exception
Returns: the OAuth2ClientConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>> oauth2ClientCustomizer) throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
)
.oauth2Client(withDefaults());
}
}
Parameters: oauth2ClientCustomizer - the Customizer to provide more options for the OAuth2ClientConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public OAuth2ResourceServerConfigurer<HttpSecurity> oauth2ResourceServer() throws java.lang.Exception
Returns: the OAuth2ResourceServerConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer) throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${spring.security.oauth2.resourceserver.jwt.key-value}")
RSAPublicKey key;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth2ResourceServer ->
oauth2ResourceServer
.jwt(jwt ->
jwt
.decoder(jwtDecoder())
)
);
}
@Bean
public JwtDecoder jwtDecoder() {
return NimbusJwtDecoder.withPublicKey(this.key).build();
}
}
Parameters: oauth2ResourceServerCustomizer - the Customizer to provide more options for the OAuth2ResourceServerConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public ChannelSecurityConfigurer.ChannelRequestMatcherRegistry requiresChannel() throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
.and().requiresChannel().anyRequest().requiresSecure();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
Returns: the ChannelSecurityConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity requiresChannel(Customizer<ChannelSecurityConfigurer.ChannelRequestMatcherRegistry> requiresChannelCustomizer) throws java.lang.Exception
@Configuration
@EnableWebSecurity
public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.formLogin(withDefaults())
.requiresChannel(requiresChannel ->
requiresChannel
.anyRequest().requiresSecure()
);
}
}
Parameters: requiresChannelCustomizer - the Customizer to provide more options for the ChannelSecurityConfigurer.ChannelRequestMatcherRegistry
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public HttpBasicConfigurer<HttpSecurity> httpBasic() throws java.lang.Exception
HttpBasicConfigurer.realmName(String).
@Configuration
@EnableWebSecurity
public class HttpBasicSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().httpBasic();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
Returns: the HttpBasicConfigurer for further customizations
Throws: java.lang.Exception
public HttpSecurity httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> httpBasicCustomizer) throws java.lang.Exception
HttpBasicConfigurer.realmName(String).
@Configuration
@EnableWebSecurity
public class HttpBasicSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.antMatchers("/**").hasRole("USER")
)
.httpBasic(withDefaults());
}
}
Parameters: httpBasicCustomizer - the Customizer to provide more options for the HttpBasicConfigurer
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public <C> void setSharedObject(java.lang.Class<C> sharedType, C object)
Description copied from class: AbstractConfiguredSecurityBuilder
SecurityConfigurer.
Specified by: setSharedObject in interface HttpSecurityBuilder<HttpSecurity>
Overrides: setSharedObject in class AbstractConfiguredSecurityBuilder<org.springframework.security.web.DefaultSecurityFilterChain,HttpSecurity>
Parameters:
sharedType - the Class to key the shared object by.
object - the Object to store
protected void beforeConfigure() throws java.lang.Exception
Description copied from class: AbstractConfiguredSecurityBuilder
SecurityConfigurer.configure(SecurityBuilder) method. Subclasses may override this method to hook into the lifecycle without using a SecurityConfigurer.
Overrides: beforeConfigure in class AbstractConfiguredSecurityBuilder<org.springframework.security.web.DefaultSecurityFilterChain,HttpSecurity>
Throws: java.lang.Exception
protected org.springframework.security.web.DefaultSecurityFilterChain performBuild()
Description copied from class: AbstractConfiguredSecurityBuilder
Specified by: performBuild in class AbstractConfiguredSecurityBuilder<org.springframework.security.web.DefaultSecurityFilterChain,HttpSecurity>
public HttpSecurity authenticationProvider(org.springframework.security.authentication.AuthenticationProvider authenticationProvider)
Description copied from interface: HttpSecurityBuilder
AuthenticationProvider to be used
Specified by: authenticationProvider in interface HttpSecurityBuilder<HttpSecurity>
Parameters: authenticationProvider - the AuthenticationProvider to be added
Returns: the HttpSecurity for further customizations
public HttpSecurity userDetailsService(org.springframework.security.core.userdetails.UserDetailsService userDetailsService) throws java.lang.Exception
Description copied from interface: HttpSecurityBuilder
UserDetailsService to be used
Specified by: userDetailsService in interface HttpSecurityBuilder<HttpSecurity>
Parameters: userDetailsService - the UserDetailsService to be added
Returns: the HttpSecurity for further customizations
Throws: java.lang.Exception
public HttpSecurity addFilterAfter(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> afterFilter)
Description copied from interface: HttpSecurityBuilder
Allows adding a Filter after one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).
Specified by: addFilterAfter in interface HttpSecurityBuilder<HttpSecurity>
Parameters:
filter - the Filter to register after the type afterFilter
afterFilter - the Class of the known Filter.
Returns: the HttpSecurity for further customizations
public HttpSecurity addFilterBefore(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> beforeFilter)
Description copied from interface: HttpSecurityBuilder
Allows adding a Filter before one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class).

Specified by: addFilterBefore in interface HttpSecurityBuilder<HttpSecurity>
Parameters:
filter - the Filter to register before the type beforeFilter
beforeFilter - the Class of the known Filter.
Returns: the HttpSecurity for further customizations

public HttpSecurity addFilter(javax.servlet.Filter filter)
Description copied from interface: HttpSecurityBuilder
Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework. The method ensures that the ordering of the Filters is automatically taken care of.

The ordering of the Filters is:

- ChannelProcessingFilter
- ConcurrentSessionFilter
- SecurityContextPersistenceFilter
- LogoutFilter
- X509AuthenticationFilter
- AbstractPreAuthenticatedProcessingFilter
- UsernamePasswordAuthenticationFilter
- ConcurrentSessionFilter
- OpenIDAuthenticationFilter
- DefaultLoginPageGeneratingFilter
- DefaultLogoutPageGeneratingFilter
- ConcurrentSessionFilter
- DigestAuthenticationFilter
- BearerTokenAuthenticationFilter
- BasicAuthenticationFilter
- RequestCacheAwareFilter
- SecurityContextHolderAwareRequestFilter
- JaasApiIntegrationFilter
- RememberMeAuthenticationFilter
- AnonymousAuthenticationFilter
- SessionManagementFilter
- ExceptionTranslationFilter
- FilterSecurityInterceptor
- SwitchUserFilter

Specified by: addFilter in interface HttpSecurityBuilder<HttpSecurity>
Parameters:
filter - the Filter to add
Returns: the HttpSecurity for further customizations

public HttpSecurity addFilterAt(javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> atFilter)
Adds the Filter at the location of the specified Filter class. For example, if you want the filter CustomFilter to be registered in the same position as UsernamePasswordAuthenticationFilter, you can invoke:

    addFilterAt(new CustomFilter(), UsernamePasswordAuthenticationFilter.class)

Registration of multiple Filters in the same location means their ordering is not deterministic. More concretely, registering multiple Filters in the same location does not override existing Filters. Instead, do not register Filters you do not want to use.
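An added example, not taken from the Spring Security documentation: a custom filter placed relative to a known filter with addFilterBefore, so that its position is deterministic instead of sharing a slot through addFilterAt. The class names FilterPlacementConfig and TenantHeaderFilter, the X-Tenant-Id header and its format are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class FilterPlacementConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical filter: rejects requests that lack a well-formed tenant
    // header before any credentials are processed.
    static class TenantHeaderFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                HttpServletResponse response, FilterChain chain)
                throws ServletException, IOException {
            String tenant = request.getHeader("X-Tenant-Id"); // assumed header name
            if (tenant == null || !tenant.matches("[a-z0-9-]{1,32}")) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing or malformed tenant");
                return; // stop here: later filters never see the request
            }
            chain.doFilter(request, response);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // httpBasic() already registers BasicAuthenticationFilter. Calling
            // addFilterAt(..., BasicAuthenticationFilter.class) would put both
            // filters in the same location with no guaranteed order, so the
            // custom filter is placed explicitly before it instead.
            .addFilterBefore(new TenantHeaderFilter(), BasicAuthenticationFilter.class)
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```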
Parameters:
filter - the Filter to register
atFilter - the location of another Filter that is already registered (i.e. known) with Spring Security.
Returns: the HttpSecurity for further customizations

public HttpSecurity.RequestMatcherConfigurer requestMatchers()
Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using mvcMatcher(String), antMatcher(String), regexMatcher(String), or requestMatcher(RequestMatcher).

Invoking requestMatchers() will not override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/".
@Configuration
@EnableWebSecurity
public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this HttpSecurity to the listed URL patterns
            .requestMatchers()
                .antMatchers("/api/**", "/oauth/**")
                .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}
The configuration below is the same as the previous configuration.
@Configuration
@EnableWebSecurity
public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Chained antMatchers(...) calls add patterns to the same configurer
            .requestMatchers()
                .antMatchers("/api/**")
                .antMatchers("/oauth/**")
                .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}
The configuration below is also the same as the above configuration.
@Configuration
@EnableWebSecurity
public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // A second requestMatchers() call adds to the first; it does not override it
            .requestMatchers()
                .antMatchers("/api/**")
                .and()
            .requestMatchers()
                .antMatchers("/oauth/**")
                .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}
Returns: the HttpSecurity.RequestMatcherConfigurer for further customizations

public HttpSecurity requestMatchers(Customizer<HttpSecurity.RequestMatcherConfigurer> requestMatcherCustomizer)

Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using mvcMatcher(String), antMatcher(String), regexMatcher(String), or requestMatcher(RequestMatcher).

Invoking requestMatchers() will not override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/".
@Configuration
@EnableWebSecurity
public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // withDefaults() is statically imported from org.springframework.security.config.Customizer
        http
            .requestMatchers(requestMatchers ->
                requestMatchers
                    .antMatchers("/api/**", "/oauth/**")
            )
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .httpBasic(withDefaults());
    }
}
The configuration below is the same as the previous configuration.
@Configuration
@EnableWebSecurity
public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // withDefaults() is statically imported from org.springframework.security.config.Customizer
        http
            .requestMatchers(requestMatchers ->
                requestMatchers
                    .antMatchers("/api/**")
                    .antMatchers("/oauth/**")
            )
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .httpBasic(withDefaults());
    }
}
The configuration below is also the same as the above configuration.
@Configuration
@EnableWebSecurity
public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // withDefaults() is statically imported from org.springframework.security.config.Customizer
        http
            .requestMatchers(requestMatchers ->
                requestMatchers
                    .antMatchers("/api/**")
            )
            .requestMatchers(requestMatchers ->
                requestMatchers
                    .antMatchers("/oauth/**")
            )
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/**").hasRole("USER")
            )
            .httpBasic(withDefaults());
    }
}
Parameters:
requestMatcherCustomizer - the Customizer to provide more options for the HttpSecurity.RequestMatcherConfigurer
Returns: the HttpSecurity for further customizations

public HttpSecurity requestMatcher(org.springframework.security.web.util.matcher.RequestMatcher requestMatcher)

Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher. If more advanced configuration is necessary, consider using requestMatchers().

Invoking requestMatcher(RequestMatcher) will override previous invocations of requestMatchers(), mvcMatcher(String), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
Parameters:
requestMatcher - the RequestMatcher to use (e.g. new AntPathRequestMatcher("/admin/**", "GET"))
Returns: the HttpSecurity for further customizations
See Also: requestMatchers(), antMatcher(String), regexMatcher(String)

public HttpSecurity antMatcher(java.lang.String antPattern)

Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher).

Invoking antMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
Parameters:
antPattern - the Ant Pattern to match on (e.g. "/admin/**")
Returns: the HttpSecurity for further customizations
See Also: AntPathRequestMatcher

public HttpSecurity mvcMatcher(java.lang.String mvcPattern)

Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher).

Invoking mvcMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
Parameters:
mvcPattern - the Spring MVC Pattern to match on (e.g. "/admin/**")
Returns: the HttpSecurity for further customizations
See Also: MvcRequestMatcher

public HttpSecurity regexMatcher(java.lang.String pattern)

Allows configuring the HttpSecurity to only be invoked when matching the provided regex pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher).

Invoking regexMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
Parameters:
pattern - the Regular Expression to match on (e.g. "/admin/.+")
Returns: the HttpSecurity for further customizations
See Also: RegexRequestMatcher
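An added example, not taken from the Spring Security documentation, of the override behaviour described for antMatcher(String), mvcMatcher(String), regexMatcher(String) and requestMatcher(RequestMatcher): chaining two single-matcher calls keeps only the last one, whereas requestMatchers() keeps every pattern. The class names MatcherScopeExample, OverriddenScopeConfig and CombinedScopeConfig are assumptions made for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import static org.springframework.security.config.Customizer.withDefaults;

public class MatcherScopeExample {

    // Weak: shown for contrast only and deliberately not annotated as a
    // configuration. The second antMatcher(String) call replaces the first,
    // so this HttpSecurity is invoked for "/oauth/**" only; its role check
    // is never applied to "/api/**" requests.
    static class OverriddenScopeConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .antMatcher("/oauth/**") // overrides "/api/**"
                .authorizeRequests(authorize -> authorize
                    .anyRequest().hasRole("USER"))
                .httpBasic(withDefaults());
        }
    }

    // Corrected: requestMatchers() does not override earlier patterns, so
    // both prefixes are handled by this HttpSecurity.
    @Configuration
    @EnableWebSecurity
    static class CombinedScopeConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers(matchers -> matchers
                    .antMatchers("/api/**", "/oauth/**"))
                .authorizeRequests(authorize -> authorize
                    .anyRequest().hasRole("USER"))
                .httpBasic(withDefaults());
        }
    }
}
```

When reviewing a configuration, treat more than one antMatcher, mvcMatcher, regexMatcher or requestMatcher call on the same HttpSecurity as a sign that part of the intended scope has been dropped.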