Java-Based Spring Security Configuration: Difference between revisions
Jump to navigation
Jump to search
| Line 53: | Line 53: | ||
==Securing Requests== | ==Securing Requests== | ||
<syntaxhighlight lang='java'> | |||
@Override | |||
protected void configure(HttpSecurity http) throws Exception { | |||
http.authorizeRequests(). | |||
antMatchers("/design", "/orders").hasRole("ROLE_USER"). | |||
antMatchers("/", "/**").permitAll(); | |||
} | |||
</syntaxhighlight> | |||
The call to <tt>authorizeRequests()</tt> returns an ExpressionInterceptUrlRegistry instance. | |||
Revision as of 05:18, 13 November 2018
External
Internal
Overview
This article describes Java-based Spring Security configuration. This method can be used to configure the following security aspects:
- one of the available user stores, such as the in-memory user store, JDBC user store or LDAP-backed user store, or alternatively, a custom user details service.
- what web requests should be secured.
Configuration Class
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
...
}
@Override
protected void configure(HttpSecurity http) throws Exception {
...
}
}
Security Configuration
WebSecurityConfigurerAdapter can be used t o specify which web request should be secured and which not. This configuration is specified using the following method:
@Override
protected void configure(HttpSecurity http) throws Exception {
...
}
The HttpSecurity object can be used to configure how security is handled at the web level:
- what security conditions should be met before allowing a request to be served.
- the custom login page.
- how to log out.
- cross-site request forgery protection.
Securing Requests
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().
antMatchers("/design", "/orders").hasRole("ROLE_USER").
antMatchers("/", "/**").permitAll();
}
The call to authorizeRequests() returns an ExpressionInterceptUrlRegistry instance.