Java-Based Spring Security Configuration: Difference between revisions

From NovaOrdis Knowledge Base
Line 63: Line 63:
</syntaxhighlight>
</syntaxhighlight>


The call to <tt>authorizeRequests()</tt> returns an [https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry.html ExpressionInterceptUrlRegistry] instance.
The call to <tt>authorizeRequests()</tt> returns an [https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry.html ExpressionInterceptUrlRegistry] instance that can be used to specify URL paths and patterns and the security requirements for those paths. The order of the rule declaration is important: security rules declared first take precedence over those declared lower down.

Revision as of 05:20, 13 November 2018

External

Internal

Overview

This article describes Java-based Spring Security configuration. This method can be used to configure the following security aspects:

Configuration Class

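import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  // Authentication: where users and their credentials come from.
  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // ...
  }

  // Web-level security: which requests are secured, and how.
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // ...
  }
}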

Security Configuration

WebSecurityConfigurerAdapter can be used to specify which web requests should be secured and which should not. This configuration is specified by overriding the following method:

@Override
protected void configure(HttpSecurity http) throws Exception {
  ...
}

The HttpSecurity object can be used to configure how security is handled at the web level:

  • what security conditions should be met before allowing a request to be served.
  • the custom login page.
  • how to log out.
  • cross-site request forgery protection.

Securing Requests

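@Override
protected void configure(HttpSecurity http) throws Exception {
  http.authorizeRequests()
    // hasRole() prepends "ROLE_" itself; passing "ROLE_USER" is rejected
    // with an IllegalArgumentException, so only the bare role name is given.
    .antMatchers("/design", "/orders").hasRole("USER")
    // Catch-all rule, declared last so it does not shadow the rule above.
    .antMatchers("/", "/**").permitAll();
}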

The call to authorizeRequests() returns an ExpressionInterceptUrlRegistry instance that can be used to specify URL paths and patterns and the security requirements for those paths. The order of the rule declaration is important: security rules declared first take precedence over those declared lower down.
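
The effect of declaration order, shown as an added example that is not part of the original article: a plain-JDK model of first-match evaluation applied to the rules above. The class `RuleOrderDemo`, its simplified matcher and the deny-when-nothing-matches default are assumptions made for illustration, not Spring Security's implementation.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Simplified model of first-match rule evaluation (constructed for
// illustration; not Spring Security's matcher or decision code).
public class RuleOrderDemo {

  // Minimal pattern support: an exact path, or "/**" meaning "any path".
  static boolean matches(String pattern, String path) {
    return pattern.equals("/**") || pattern.equals(path);
  }

  // Walk the rules in declaration order; the first matching pattern decides.
  // A null required role stands for permitAll().
  static boolean allowed(Map<String, String> rules, String path, Set<String> roles) {
    for (Map.Entry<String, String> rule : rules.entrySet()) {
      if (matches(rule.getKey(), path)) {
        return rule.getValue() == null || roles.contains(rule.getValue());
      }
    }
    return false; // nothing matched: denied in this model
  }

  public static void main(String[] args) {
    // Same rules as the article, specific paths declared first.
    Map<String, String> specificFirst = new LinkedHashMap<>();
    specificFirst.put("/design", "ROLE_USER");
    specificFirst.put("/orders", "ROLE_USER");
    specificFirst.put("/**", null);

    // Same rules with the catch-all declared first.
    Map<String, String> catchAllFirst = new LinkedHashMap<>();
    catchAllFirst.put("/**", null);
    catchAllFirst.put("/design", "ROLE_USER");
    catchAllFirst.put("/orders", "ROLE_USER");

    Set<String> anonymous = Collections.emptySet();
    Set<String> user = Collections.singleton("ROLE_USER");

    System.out.println(allowed(specificFirst, "/design", anonymous)); // false
    System.out.println(allowed(specificFirst, "/design", user));      // true
    System.out.println(allowed(specificFirst, "/", anonymous));       // true
    // The role rule is never reached: "/**" matched first and permitted all.
    System.out.println(allowed(catchAllFirst, "/design", anonymous)); // true
  }
}
```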