Java-Based Spring Security Configuration

From NovaOrdis Knowledge Base

External

Internal

Overview

This article describes Java-based Spring Security configuration. This method can be used to configure the following security aspects:

Configuration Class

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  // Authentication: where users come from and how their passwords are checked.
  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    ...
  }

  // Web-level authorization: which requests are secured, login, logout, CSRF.
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    ...
  }
}

Security Configuration

WebSecurityConfigurerAdapter can be used to specify which web requests should be secured and which should not. (WebSecurityConfigurerAdapter is deprecated as of Spring Security 5.7 and removed in 6.0, where the same configuration is expressed as a SecurityFilterChain bean; the examples on this page target the 5.x adapter-based style.) This configuration is specified using the following method:

@Override
protected void configure(HttpSecurity http) throws Exception {
  ...
}

The HttpSecurity object can be used to configure how security is handled at the web level:

  • what security conditions should be met before allowing a request to be served.
  • the custom login page.
  • how to log out.
  • cross-site request forgery protection.
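The following is an added example that is not part of the original article: a complete SecurityConfiguration that exercises all four aspects listed above against Spring Security 5.x (WebSecurityConfigurerAdapter style). The users, passwords and URL paths (/design, /orders, /admin, /login, /logout) are assumptions chosen for illustration; the in-memory user store is likewise only for demonstration, not a production user source. The rules are also ordered deliberately, most specific first, because the first matching rule wins.

```java
// Added example; not from the NovaOrdis article. Assumes Spring Security 5.x
// (WebSecurityConfigurerAdapter was deprecated in 5.7 and removed in 6.0).
// Users, passwords and paths are constructed for illustration only.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  // Passwords are stored hashed with bcrypt; never as plaintext.
  @Bean
  public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
  }

  // Authentication: an in-memory user store (demonstration only).
  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    PasswordEncoder encoder = passwordEncoder();
    auth.inMemoryAuthentication()
        .passwordEncoder(encoder)
        // roles("USER") is stored as the authority "ROLE_USER"
        .withUser("alice").password(encoder.encode("alice-password")).roles("USER")
        .and()
        .withUser("root").password(encoder.encode("root-password")).roles("USER", "ADMIN");
  }

  // Web-level authorization, login, logout and CSRF.
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
        // Most specific rules first: the first matching rule wins.
        .antMatchers("/admin/**").hasRole("ADMIN")          // hasRole() prepends "ROLE_" itself
        .antMatchers("/design", "/orders").hasRole("USER")
        .antMatchers("/", "/login", "/css/**").permitAll()  // public resources, incl. the login page
        // Catch-all last; anything not listed above requires a login.
        .anyRequest().authenticated()
      .and()
      .formLogin()
        .loginPage("/login")                 // custom login page (must be permitAll above)
        .defaultSuccessUrl("/design", true)
      .and()
      .logout()
        .logoutUrl("/logout")                // POST /logout (CSRF token required)
        .logoutSuccessUrl("/")
        .invalidateHttpSession(true)
        .deleteCookies("JSESSIONID")
      .and()
      .csrf();                               // CSRF protection is on by default; left enabled
  }
}
```

Note that because CSRF protection stays enabled, the login form and the logout link must submit the CSRF token (Thymeleaf and Spring's form tag library add the hidden _csrf field automatically); logging out with a plain GET link will be rejected.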

Securing Requests

@Override
protected void configure(HttpSecurity http) throws Exception {
  http.authorizeRequests()
      // hasRole() prepends "ROLE_" itself; hasRole("ROLE_USER") throws IllegalArgumentException
      .antMatchers("/design", "/orders").hasRole("USER")
      .antMatchers("/", "/**").permitAll();
}

The call to authorizeRequests() returns an ExpressionInterceptUrlRegistry instance that can be used to specify URL paths and patterns and the security requirements for those paths. The order of the rule declaration is important: rules are evaluated top to bottom and the first one whose pattern matches the request wins, so security rules declared first take precedence over those declared lower down. A broad pattern such as "/**" must therefore come last; placed first, it would match every request and the more restrictive rules below it would never be consulted. Methods to declare security requirements:

  • access(String) allows access if the given SpEL expression evaluates to true.
  • anonymous() allows access to anonymous users.
  • authenticated() allows access to authenticated users.
  • denyAll() denies access unconditionally.
  • fullyAuthenticated() allows access if the user is fully authenticated (not merely remembered via remember-me).
  • hasAnyAuthority(String ...) allows access if the user has any of the given authorities.