Package org.springframework.security.config.annotation.web.configuration

Class WebSecurityConfigurerAdapter

  • All Implemented Interfaces:
    SecurityConfigurer<javax.servlet.Filter,​WebSecurity>, WebSecurityConfigurer<WebSecurity>
    @Order(100)
public abstract class WebSecurityConfigurerAdapter
extends java.lang.Object
implements WebSecurityConfigurer<WebSecurity>
    Provides a convenient base class for creating a WebSecurityConfigurer instance. The implementation allows customization by overriding methods.

    Will automatically apply the result of looking up AbstractHttpConfigurer from SpringFactoriesLoader to allow developers to extend the defaults. To do this, you must create a class that extends AbstractHttpConfigurer and then create a file in the classpath at "META-INF/spring.factories" that looks something like: 

     org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyClassThatExtendsAbstractHttpConfigurer
    If you have multiple classes that should be added you can use "," to separate the values. For example: 
     org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyClassThatExtendsAbstractHttpConfigurer, sample.OtherThatExtendsAbstractHttpConfigurer
    See Also:
    EnableWebSecurity

    • Constructor Detail

      • WebSecurityConfigurerAdapter

        protected WebSecurityConfigurerAdapter()
        Creates an instance with the default configuration enabled.

      • WebSecurityConfigurerAdapter

        protected WebSecurityConfigurerAdapter​(boolean disableDefaults)
        Creates an instance which allows specifying if the default configuration should be enabled. Disabling the default configuration should be considered more advanced usage as it requires more understanding of how the framework is implemented.
        Parameters:
        disableDefaults - true if the default configuration should be disabled, else false

    • Method Detail

      • configure

        protected void configure​(AuthenticationManagerBuilder auth)
                  throws java.lang.Exception
        Used by the default implementation of authenticationManager() to attempt to obtain an AuthenticationManager. If overridden, the AuthenticationManagerBuilder should be used to specify the AuthenticationManager.

        The authenticationManagerBean() method can be used to expose the resulting AuthenticationManager as a Bean. The userDetailsServiceBean() can be used to expose the last populated UserDetailsService that is created with the AuthenticationManagerBuilder as a Bean. The UserDetailsService will also automatically be populated on AbstractConfiguredSecurityBuilder.getSharedObject(Class) for use with other SecurityContextConfigurer (i.e. RememberMeConfigurer )

        For example, the following configuration could be used to register in memory authentication that exposes an in memory UserDetailsService: 

         @Override
 protected void configure(AuthenticationManagerBuilder auth) {
        auth
        // enable in memory based authentication with a user named
        // "user" and "admin"
        .inMemoryAuthentication().withUser("user").password("password").roles("USER").and()
                        .withUser("admin").password("password").roles("USER", "ADMIN");
 }

 // Expose the UserDetailsService as a Bean
 @Bean
 @Override
 public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
 }
        Parameters:
        auth - the AuthenticationManagerBuilder to use
        Throws:
        java.lang.Exception

      • getHttp

        protected final HttpSecurity getHttp()
                              throws java.lang.Exception
        Creates the HttpSecurity or returns the current instance
        Returns:
        the HttpSecurity
        Throws:
        java.lang.Exception

      • authenticationManagerBean

        public org.springframework.security.authentication.AuthenticationManager authenticationManagerBean()
                                                                                            throws java.lang.Exception
        Override this method to expose the AuthenticationManager from configure(AuthenticationManagerBuilder) to be exposed as a Bean. For example: 
         @Bean(name name="myAuthenticationManager")
 @Override
 public AuthenticationManager authenticationManagerBean() throws Exception {
     return super.authenticationManagerBean();
 }
        Returns:
        the AuthenticationManager
        Throws:
        java.lang.Exception

      • authenticationManager

        protected org.springframework.security.authentication.AuthenticationManager authenticationManager()
                                                                                           throws java.lang.Exception
        Gets the AuthenticationManager to use. The default strategy is if configure(AuthenticationManagerBuilder) method is overridden to use the AuthenticationManagerBuilder that was passed in. Otherwise, autowire the AuthenticationManager by type.
        Returns:
        the AuthenticationManager to use
        Throws:
        java.lang.Exception

      • userDetailsServiceBean

        public org.springframework.security.core.userdetails.UserDetailsService userDetailsServiceBean()
                                                                                        throws java.lang.Exception
        Override this method to expose a UserDetailsService created from configure(AuthenticationManagerBuilder) as a bean. In general only the following override should be done of this method: 
         @Bean(name = "myUserDetailsService")
 // any or no name specified is allowed
 @Override
 public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
 }
        To change the instance returned, developers should change userDetailsService() instead
        Returns:
        the UserDetailsService
        Throws:
        java.lang.Exception
        See Also:
        userDetailsService()

      • userDetailsService

        protected org.springframework.security.core.userdetails.UserDetailsService userDetailsService()
        Allows modifying and accessing the UserDetailsService from userDetailsServiceBean() without interacting with the ApplicationContext. Developers should override this method when changing the instance of userDetailsServiceBean().
        Returns:
        the UserDetailsService to use

      • configure

        public void configure​(WebSecurity web)
               throws java.lang.Exception
        Override this method to configure WebSecurity. For example, if you wish to ignore certain requests. Endpoints specified in this method will be ignored by Spring Security, meaning it will not protect them from CSRF, XSS, Clickjacking, and so on. Instead, if you want to protect endpoints against common vulnerabilities, then see configure(HttpSecurity) and the HttpSecurity.authorizeRequests() configuration method.
        Specified by:
        configure in interface SecurityConfigurer<javax.servlet.Filter,​WebSecurity>
        Throws:
        java.lang.Exception

      • configure

        protected void configure​(HttpSecurity http)
                  throws java.lang.Exception
        Override this method to configure the HttpSecurity. Typically subclasses should not invoke this method by calling super as it may override their configuration. The default configuration is: 
         http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
        Any endpoint that requires defense against common vulnerabilities can be specified here, including public ones. See HttpSecurity.authorizeRequests() and the `permitAll()` authorization rule for more details on public endpoints.
        Parameters:
        http - the HttpSecurity to modify
        Throws:
        java.lang.Exception - if an error occurs

      • getApplicationContext

        protected final org.springframework.context.ApplicationContext getApplicationContext()
        Gets the ApplicationContext
        Returns:
        the context

      • setApplicationContext

        @Autowired
public void setApplicationContext​(org.springframework.context.ApplicationContext context)

      • setTrustResolver

        @Autowired(required=false)
public void setTrustResolver​(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver)

      • setContentNegotationStrategy

        @Autowired(required=false)
public void setContentNegotationStrategy​(org.springframework.web.accept.ContentNegotiationStrategy contentNegotiationStrategy)

      • setObjectPostProcessor

        @Autowired
public void setObjectPostProcessor​(ObjectPostProcessor<java.lang.Object> objectPostProcessor)

      • setAuthenticationConfiguration

        @Autowired
public void setAuthenticationConfiguration​(AuthenticationConfiguration authenticationConfiguration)