Java-Based Spring Security Configuration
External
Internal
Overview
This article describes Java-based Spring Security configuration. This method can be used to configure the following security aspects:
- one of the available user stores, such as the in-memory user store, JDBC user store or LDAP-backed user store, or alternatively, a custom user details service.
- what web requests should be secured.
Configuration Class
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
...
}
@Override
protected void configure(HttpSecurity http) throws Exception {
...
}
}
Security Configuration
WebSecurityConfigurerAdapter and HttpSecurity can be used to configure security aspects such as what security conditions should be met before allowing a request to be served, custom login page, how to log out, cross-site request forgery protection:
@Override
protected void configure(HttpSecurity http) throws Exception {
...
}
Securing Requests
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().
antMatchers("/design", "/orders").hasRole("ROLE_USER").
antMatchers("/", "/**").permitAll();
}
The call to authorizeRequests() returns an ExpressionInterceptUrlRegistry instance that can be used to specify URL paths and patterns and the security requirements for those paths. The order of the rule declaration is important: security rules declared first take precedence over those declared lower down. Methods to declare security requirements:
- access(String) allows access if the given SpEL expression evaluates to true.
- anonymous() allows access to anonymous users.
- authenticated() allows access to authenticated users.
- denyAll() denies access unconditionally.
- fullyAuthenticated() allows access if the. user is fully authenticated (not remembered).
- hasAnyAuthority(String ...) allows access if the user has any of the given authorities.
- hasAnyRole(String ...) allows access if the user has any of the given roles.
- hasAuthority(String) allows access if the user has the given authority.
- hasIpAddress(String) allows access if the request comes from the given IP address.
- hasRole(String) allows access if the user has the given role.
- not() negates the access of any of the other access methods.
- permitAll() allows access unconditionally.
- rememberMe() allows access for users who are authenticated via remember-me.
Custom Login Page
@Override
protected void configure(HttpSecurity http) throws Exception {
http.
...
and().formLogin().
loginPage("/login").
loginProcessingUrl("/authenticate").
usernameParameter("user").
passwordParameter("password");
}
The and() method signifies that you're finished with the authorization configuration and are ready to apply some additional configuration. In this case, the path to the login page is installed. When Spring Security determines that the user is unauthenticated and needs to log in, it will redirect the user to this path.
A successful login will take the user directly to the page they were navigating when Spring Security determined that they need to log in. This cam be changed with defaultSuccessUrl("/...").
Logging Out
@Override
protected void configure(HttpSecurity http) throws Exception {
http.
...
and().logout().
logoutSuccessUrl("/");
}
This sets up a security filter that intercepts POST requests to "/logout". A logout form is needed to trigger that POST request:
<form method="POST" th:action="@{/logout}">
<input type="submit" value="Logout"/>
</form>