Java-Based Spring Security Configuration: Difference between revisions

From NovaOrdis Knowledge Base
Line 63: Line 63:
</syntaxhighlight>
</syntaxhighlight>


The call to <tt>authorizeRequests()</tt> returns an ExpressionInterceptUrlRegistry instance.
The call to <tt>authorizeRequests()</tt> returns an [https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry.html ExpressionInterceptUrlRegistry] instance.
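Review bot: the link added in the new revision of this sentence targets /site/docs/current/api/, which tracks whatever Spring Security release is latest, so it can drift away from the API the article describes (authorizeRequests() returning ExpressionInterceptUrlRegistry) or break if the class is moved or removed. Consider pointing at the versioned API documentation for the release the article was written against instead of "current".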

Revision as of 05:19, 13 November 2018

External

Internal

Overview

This article describes Java-based Spring Security configuration. This method can be used to configure the following security aspects:

Configuration Class

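import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // ... authentication configuration goes here
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // ... web-level security configuration goes here (see Security Configuration)
  }
}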

Security Configuration

WebSecurityConfigurerAdapter can be used to specify which web requests should be secured and which should not. This configuration is specified by overriding the following method:

@Override
protected void configure(HttpSecurity http) throws Exception {
  ...
}

The HttpSecurity object can be used to configure how security is handled at the web level:

  • what security conditions should be met before allowing a request to be served.
  • the custom login page.
  • how to log out.
  • cross-site request forgery protection.

Securing Requests

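@Override
protected void configure(HttpSecurity http) throws Exception {
  // Rules are evaluated in declaration order; the first matching pattern applies.
  http.authorizeRequests()
    // hasRole() prepends "ROLE_" itself and rejects a value that already starts
    // with it, so pass "USER" to require the ROLE_USER authority.
    .antMatchers("/design", "/orders").hasRole("USER")
    .antMatchers("/", "/**").permitAll();
}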

The call to authorizeRequests() returns an ExpressionInterceptUrlRegistry instance.
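
The four HttpSecurity aspects listed under Security Configuration, combined in one configure(HttpSecurity) method. This is an added example, not code from the original article; the class name, the /login path, the "/" post-logout target and the JSESSIONID cookie name are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example. Hypothetical names: ExampleWebSecurityConfiguration, "/login",
// the "/" logout target and the JSESSIONID cookie (servlet container default).
@Configuration
@EnableWebSecurity
public class ExampleWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      // 1. Conditions a request must meet before it is served.
      //    Matchers are checked in declaration order, so the specific
      //    paths must come before the catch-all "/**".
      .authorizeRequests()
        .antMatchers("/design", "/orders").hasRole("USER") // needs authority ROLE_USER
        .antMatchers("/", "/**").permitAll()
      .and()
      // 2. Custom login page. Unauthenticated requests to a protected path
      //    are redirected here; "/login" is already covered by permitAll() above.
      .formLogin()
        .loginPage("/login")
      .and()
      // 3. Logout: end the server-side session and drop the session cookie,
      //    then send the browser back to the public home page.
      .logout()
        .logoutSuccessUrl("/")
        .invalidateHttpSession(true)
        .deleteCookies("JSESSIONID");

    // 4. CSRF protection is enabled by default and is deliberately left on:
    //    there is no http.csrf().disable() call. Every state-changing form,
    //    including the custom login form and the POST to /logout, must
    //    therefore submit the CSRF token that Spring Security generates.
  }
}
```

The user store is configured separately in configure(AuthenticationManagerBuilder), as shown in the Configuration Class section.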