Java-Based Spring Security Configuration: Difference between revisions
Revision as of 05:30, 13 November 2018
Overview
This article describes Java-based Spring Security configuration. This method can be used to configure the following security aspects:
- one of the available user stores, such as the in-memory user store, JDBC user store or LDAP-backed user store, or alternatively, a custom user details service.
- what web requests should be secured.
Configuration Class
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Configures the user store (in-memory, JDBC, LDAP or a custom UserDetailsService).
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // ...
    }

    // Configures which web requests are secured, and how.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ...
    }
}
Security Configuration
WebSecurityConfigurerAdapter can be used to specify which web requests should be secured and which should not. This configuration is specified by overriding the following method:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    // ...
}
```
The HttpSecurity object can be used to configure how security is handled at the web level:
- what security conditions should be met before allowing a request to be served.
- the custom login page.
- how to log out.
- cross-site request forgery protection.
Securing Requests
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // hasRole() prepends "ROLE_" itself: the stored authority is ROLE_USER,
        // but the argument is "USER". Passing "ROLE_USER" here makes
        // Spring Security throw an IllegalArgumentException at startup.
        .antMatchers("/design", "/orders").hasRole("USER")
        .antMatchers("/", "/**").permitAll();
}
```
The call to authorizeRequests() returns an ExpressionInterceptUrlRegistry instance that can be used to specify URL paths and patterns and the security requirements for those paths. The order of the rule declarations is important: the first rule whose pattern matches the request wins, so rules declared first take precedence over those declared lower down. In the example above, if the "/**" permitAll() rule were listed first, the "/design" and "/orders" rule would never be reached and those pages would be open to everyone. Methods to declare security requirements:
- access(String) allows access if the given SpEL expression evaluates to true.
- anonymous() allows access to anonymous users.
- authenticated() allows access to authenticated users (including those authenticated via remember-me).
- denyAll() denies access unconditionally.
- fullyAuthenticated() allows access if the user is fully authenticated (not remembered).
- hasAnyAuthority(String ...) allows access if the user has any of the given authorities.
- hasAnyRole(String ...) allows access if the user has any of the given roles.
- hasAuthority(String) allows access if the user has the given authority, compared as given (for example "ROLE_USER").
- hasIpAddress(String) allows access if the request comes from the given IP address or CIDR range (for example "10.0.0.0/8").
- hasRole(String) allows access if the user has the given role. The "ROLE_" prefix is added automatically, so pass "USER", not "ROLE_USER".
- not() negates the access of any of the other access methods.
- permitAll() allows access unconditionally.
- rememberMe() allows access for users who are authenticated via remember-me.
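The following class is an added example, not code from the original article, that puts the request-securing methods above and the HttpSecurity concerns listed earlier (login page, logout, CSRF) into one configure(HttpSecurity) method. The "/design" and "/orders" paths come from the article; every other path, the network ranges and the class name are assumptions made for the example. It assumes Spring Security 5.x with the WebSecurityConfigurerAdapter API.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class RequestSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific rules first: the first matching rule wins.
                // Moving the "/**" permitAll() rule to the top would make
                // every path below it public.
                .antMatchers("/admin/**").hasRole("ADMIN")        // authority ROLE_ADMIN; no "ROLE_" prefix here
                .antMatchers("/internal/**").denyAll()            // never served, whoever asks
                .antMatchers("/actuator/**").hasIpAddress("10.0.0.0/8")   // assumed management network (CIDR)
                // hasAuthority() compares the raw authority string, so here the prefix is required.
                .antMatchers(HttpMethod.DELETE, "/orders/**").hasAuthority("ROLE_ADMIN")
                // A remember-me cookie is not enough to view or place orders.
                .antMatchers("/design", "/orders").fullyAuthenticated()
                // SpEL via access(): same building blocks, combined with "and"/"!".
                .antMatchers("/account/**").access("hasRole('USER') and !hasIpAddress('192.168.0.0/16')")
                .antMatchers("/", "/login", "/css/**").permitAll()
                // Default deny: anything not matched above needs a login. Without
                // this line, unmatched paths would be served to anyone.
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/login")           // assumed custom login page, reachable via permitAll() above
            .and()
            .logout()
                .logoutSuccessUrl("/")
            .and()
            // CSRF protection is on by default for browser-facing apps; this call
            // only makes that explicit. Do not call csrf().disable() for
            // session-authenticated endpoints.
            .csrf();
    }
}
```

Because hasRole("ADMIN") and hasAuthority("ROLE_ADMIN") both evaluate against the stored authority ROLE_ADMIN, the two spellings are equivalent; the example uses both only to show which form each method expects.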