添加链接
link之家
链接快照平台
  • 输入网页链接,自动生成快照
  • 标签化管理网页链接
  • org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder < DefaultSecurityFilterChain , HttpSecurity >
  • org.springframework.security.config.annotation.web.builders.HttpSecurity
  • public final class HttpSecurity
    extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity>
    implements SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity>
    A HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration. It allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using requestMatcher(RequestMatcher) or other similar methods.

    Example Usage

    The most basic form based configuration can be seen below. The configuration will require that any URL that is requested will require a User with the role "ROLE_USER". It also defines an in memory authentication scheme with a user that has the username "user", the password "password", and the role "ROLE_USER". For additional examples, refer to the Java Doc of individual methods on HttpSecurity . @Configuration @EnableWebSecurity public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    Since:
    See Also:
    EnableWebSecurity
    class HttpSecurity.MvcMatchersRequestMatcherConfigurer
    An extension to HttpSecurity.RequestMatcherConfigurer that allows optionally configuring the servlet path.
    class HttpSecurity.RequestMatcherConfigurer
    Allows mapping HTTP requests that this HttpSecurity will be used for
    HttpSecurity ( ObjectPostProcessor <java.lang.Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, java.util.Map<java.lang.Class<? extends java.lang.Object>,java.lang.Object> sharedObjects)
    Creates a new instance
    HttpSecurity addFilter (javax.servlet.Filter filter)
    Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework.
    HttpSecurity addFilterAfter (javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> afterFilter)
    Allows adding a Filter after one of the known Filter classes.
    HttpSecurity addFilterAt (javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> atFilter)
    Adds the Filter at the location of the specified Filter class.
    HttpSecurity addFilterBefore (javax.servlet.Filter filter, java.lang.Class<? extends javax.servlet.Filter> beforeFilter)
    Allows adding a Filter before one of the known Filter classes.
    AnonymousConfigurer < HttpSecurity > anonymous ()
    Allows configuring how an anonymous user is represented.
    HttpSecurity antMatcher (java.lang.String antPattern)
    Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern.
    HttpSecurity authenticationProvider ( AuthenticationProvider authenticationProvider)
    Allows adding an additional AuthenticationProvider to be used
    ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry authorizeRequests ()
    Allows restricting access based upon the HttpServletRequest using
    protected void beforeConfigure ()
    Invoked prior to invoking each SecurityConfigurer.configure(SecurityBuilder) method.
    CorsConfigurer < HttpSecurity > cors ()
    Adds a CorsFilter to be used.
    CsrfConfigurer < HttpSecurity > csrf ()
    Adds CSRF support.
    ExceptionHandlingConfigurer < HttpSecurity > exceptionHandling ()
    Allows configuring exception handling.
    FormLoginConfigurer < HttpSecurity > formLogin ()
    Specifies to support form based authentication.
    HeadersConfigurer < HttpSecurity > headers ()
    Adds the Security headers to the response.
    HttpBasicConfigurer < HttpSecurity > httpBasic ()
    Configures HTTP Basic authentication.
    JeeConfigurer < HttpSecurity > jee ()
    Configures container based pre authentication.
    LogoutConfigurer < HttpSecurity > logout ()
    Provides logout support.
    HttpSecurity mvcMatcher (java.lang.String mvcPattern)
    Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern.
    OAuth2LoginConfigurer < HttpSecurity > oauth2Login ()
    Configures authentication against an external OAuth 2.0 or OpenID Connect 1.0 Provider.
    OpenIDLoginConfigurer < HttpSecurity > openidLogin ()
    Allows configuring OpenID based authentication.
    protected DefaultSecurityFilterChain performBuild ()
    Subclasses must implement this method to build the object that is being returned.
    PortMapperConfigurer < HttpSecurity > portMapper () HttpSecurity regexMatcher (java.lang.String pattern)
    Allows configuring the HttpSecurity to only be invoked when matching the provided regex pattern.
    RememberMeConfigurer < HttpSecurity > rememberMe ()
    Allows configuring of Remember Me authentication.
    RequestCacheConfigurer < HttpSecurity > requestCache ()
    Allows configuring the Request Cache.
    HttpSecurity requestMatcher ( RequestMatcher requestMatcher)
    Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher .
    HttpSecurity.RequestMatcherConfigurer requestMatchers ()
    Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on.
    ChannelSecurityConfigurer.ChannelRequestMatcherRegistry requiresChannel ()
    Configures channel security.
    SecurityContextConfigurer < HttpSecurity > securityContext ()
    Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequest 's.
    ServletApiConfigurer < HttpSecurity > servletApi ()
    Integrates the HttpServletRequest methods with the values found on the SecurityContext .
    SessionManagementConfigurer < HttpSecurity > sessionManagement ()
    Allows configuring of Session Management.
    <C> void setSharedObject (java.lang.Class<C> sharedType, C object)
    Sets an object that is shared by multiple SecurityConfigurer .
    HttpSecurity userDetailsService ( UserDetailsService userDetailsService)
    Allows adding an additional UserDetailsService to be used
    X509Configurer < HttpSecurity > x509 ()
    Configures X509 based pre authentication.

    Methods inherited from class org.springframework.security.config.annotation. AbstractConfiguredSecurityBuilder

    apply , apply , beforeInit , doBuild , getConfigurer , getConfigurers , getOrBuild , getSharedObject , getSharedObjects , objectPostProcessor , postProcess , removeConfigurer , removeConfigurers

    Methods inherited from class org.springframework.security.config.annotation. AbstractSecurityBuilder

    build , getObject

    Methods inherited from interface org.springframework.security.config.annotation.web. HttpSecurityBuilder

    getConfigurer , getSharedObject , removeConfigurer

    Methods inherited from interface org.springframework.security.config.annotation. SecurityBuilder

    build

    HttpSecurity

    public HttpSecurity(ObjectPostProcessor<java.lang.Object> objectPostProcessor,
                        AuthenticationManagerBuilder authenticationBuilder,
                        java.util.Map<java.lang.Class<? extends java.lang.Object>,java.lang.Object> sharedObjects)
    Creates a new instance
    Parameters:
    objectPostProcessor - the ObjectPostProcessor that should be used
    authenticationBuilder - the AuthenticationManagerBuilder to use for additional updates
    sharedObjects - the shared Objects to initialize the HttpSecurity with
    See Also:
    WebSecurityConfiguration

    openidLogin

    public OpenIDLoginConfigurer<HttpSecurity> openidLogin()
                                                    throws java.lang.Exception
    Allows configuring OpenID based authentication.

    Example Configurations

    A basic example accepting the defaults and not using attribute exchange: @Configuration @EnableWebSecurity public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().openidLogin() .permitAll(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() // the username must match the OpenID of the user you are // logging in with .withUser( "https://www.google.com/accounts/o8/id?id=lmkCn9xzPdsxVwG7pjYMuDgNNdASFmobNkcRPaWU") .password("password").roles("USER"); A more advanced example demonstrating using attribute exchange and providing a custom AuthenticationUserDetailsService that will make any user that authenticates a valid user. @Configuration @EnableWebSecurity public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) { http.authorizeRequests() .antMatchers("/**") .hasRole("USER") .and() .openidLogin() .loginPage("/login") .permitAll() .authenticationUserDetailsService( new AutoProvisioningUserDetailsService()) .attributeExchange("https://www.google.com/.*").attribute("email") .type("http://axschema.org/contact/email").required(true).and() .attribute("firstname").type("http://axschema.org/namePerson/first") .required(true).and().attribute("lastname") .type("http://axschema.org/namePerson/last").required(true).and().and() .attributeExchange(".*yahoo.com.*").attribute("email") .type("http://schema.openid.net/contact/email").required(true).and() .attribute("fullname").type("http://axschema.org/namePerson") .required(true).and().and().attributeExchange(".*myopenid.com.*") .attribute("email").type("http://schema.openid.net/contact/email") .required(true).and().attribute("fullname") .type("http://schema.openid.net/namePerson").required(true); public class AutoProvisioningUserDetailsService implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> { public UserDetails loadUserDetails(OpenIDAuthenticationToken token) throws UsernameNotFoundException { return new User(token.getName(), "NOTUSED", AuthorityUtils.createAuthorityList("ROLE_USER"));
    Returns:
    the OpenIDLoginConfigurer for further customizations.
    Throws:
    java.lang.Exception
    See Also:
    OpenIDLoginConfigurer
    public HeadersConfigurer<HttpSecurity> headers()
                                            throws java.lang.Exception
    Adds the Security headers to the response. This is activated by default when using WebSecurityConfigurerAdapter 's default constructor. Accepting the default provided by WebSecurityConfigurerAdapter or only invoking headers() without invoking additional methods on it, is the equivalent of: @Configuration @EnableWebSecurity public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { .headers() .contentTypeOptions() .and() .xssProtection() .and() .cacheControl() .and() .httpStrictTransportSecurity() .and() .frameOptions() .and() You can disable the headers using the following: @Configuration @EnableWebSecurity public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { .headers().disable() You can enable only a few of the headers by first invoking HeadersConfigurer.defaultsDisabled() and then invoking the appropriate methods on the headers() result. For example, the following will enable HeadersConfigurer.cacheControl() and HeadersConfigurer.frameOptions() only. @Configuration @EnableWebSecurity public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { .headers() .defaultsDisabled() .cacheControl() .and() .frameOptions() .and() You can also choose to keep the defaults but explicitly disable a subset of headers. For example, the following will enable all the default headers except HeadersConfigurer.frameOptions() . @Configuration @EnableWebSecurity public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { .headers() .frameOptions() .disable() .and()
    Returns:
    Throws:
    java.lang.Exception
    See Also:
    HeadersConfigurer
    public CorsConfigurer<HttpSecurity> cors()
                                      throws java.lang.Exception
    Adds a CorsFilter to be used. If a bean by the name of corsFilter is provided, that CorsFilter is used. Else if corsConfigurationSource is defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is on the classpath a HandlerMappingIntrospector is used.
    Returns:
    the CorsConfigurer for customizations
    Throws:
    java.lang.Exception

    sessionManagement

    public SessionManagementConfigurer<HttpSecurity> sessionManagement()
                                                                throws java.lang.Exception
    Allows configuring of Session Management.

    Example Configuration

    The following configuration demonstrates how to enforce that only a single instance of a user is authenticated at a time. If a user authenticates with the username "user" without logging out and an attempt to authenticate with "user" is made the first session will be forcibly terminated and sent to the "/login?expired" URL. @Configuration @EnableWebSecurity public class SessionManagementSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin() .permitAll().and().sessionManagement().maximumSessions(1) .expiredUrl("/login?expired"); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); When using SessionManagementConfigurer.maximumSessions(int) , do not forget to configure HttpSessionEventPublisher for the application to ensure that expired sessions are cleaned up. In a web.xml this can be configured using the following: <listener> <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> </listener> Alternatively, AbstractSecurityWebApplicationInitializer.enableHttpSessionEventPublisher() could return true.
    Returns:
    the SessionManagementConfigurer for further customizations
    Throws:
    java.lang.Exception

    portMapper

    public PortMapperConfigurer<HttpSecurity> portMapper()
                                                  throws java.lang.Exception
    Allows configuring a PortMapper that is available from AbstractConfiguredSecurityBuilder.getSharedObject(Class) . Other provided SecurityConfigurer objects use this configured PortMapper as a default PortMapper when redirecting from HTTP to HTTPS or from HTTPS to HTTP (for example when used in combination with requiresChannel() . By default Spring Security uses a PortMapperImpl which maps the HTTP port 8080 to the HTTPS port 8443 and the HTTP port of 80 to the HTTPS port of 443.

    Example Configuration

    The following configuration will ensure that redirects within Spring Security from HTTP of a port of 9090 will redirect to HTTPS port of 9443 and the HTTP port of 80 to the HTTPS port of 443. @Configuration @EnableWebSecurity public class PortMapperSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .permitAll().and() // Example portMapper() configuration .portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    Returns:
    the PortMapperConfigurer for further customizations
    Throws:
    java.lang.Exception
    See Also:
    requiresChannel()
    public JeeConfigurer<HttpSecurity> jee()
                                    throws java.lang.Exception
    Configures container based pre authentication. In this case, authentication is managed by the Servlet Container.

    Example Configuration

    The following configuration will use the principal found on the HttpServletRequest and if the user is in the role "ROLE_USER" or "ROLE_ADMIN" will add that to the resulting Authentication . @Configuration @EnableWebSecurity public class JeeSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and() // Example jee() configuration .jee().mappableRoles("ROLE_USER", "ROLE_ADMIN"); Developers wishing to use pre authentication with the container will need to ensure their web.xml configures the security constraints. For example, the web.xml (there is no equivalent Java based configuration supported by the Servlet specification) might look like: <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login</form-login-page> <form-error-page>/login?error</form-error-page> </form-login-config> </login-config> <security-role> <role-name>ROLE_USER</role-name> </security-role> <security-constraint> <web-resource-collection> <web-resource-name>Public</web-resource-name> <description>Matches unconstrained pages</description> <url-pattern>/login</url-pattern> <url-pattern>/logout</url-pattern> <url-pattern>/resources/*</url-pattern> </web-resource-collection> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Secured Areas</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>ROLE_USER</role-name> </auth-constraint> </security-constraint> Last you will need to configure your container to contain the user with the correct roles. This configuration is specific to the Servlet Container, so consult your Servlet Container's documentation.
    Returns:
    the JeeConfigurer for further customizations
    Throws:
    java.lang.Exception
    public X509Configurer<HttpSecurity> x509()
                                      throws java.lang.Exception
    Configures X509 based pre authentication.

    Example Configuration

    The following configuration will attempt to extract the username from the X509 certificate. Remember that the Servlet Container will need to be configured to request client certificates in order for this to work. @Configuration @EnableWebSecurity public class X509SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and() // Example x509() configuration .x509();
    Returns:
    the X509Configurer for further customizations
    Throws:
    java.lang.Exception

    rememberMe

    public RememberMeConfigurer<HttpSecurity> rememberMe()
                                                  throws java.lang.Exception
    Allows configuring of Remember Me authentication.

    Example Configuration

    The following configuration demonstrates how to allow token based remember me authentication. Upon authenticating if the HTTP parameter named "remember-me" exists, then the user will be remembered even after their HttpSession expires. @Configuration @EnableWebSecurity public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .permitAll().and() // Example Remember Me Configuration .rememberMe();
    Returns:
    the RememberMeConfigurer for further customizations
    Throws:
    java.lang.Exception

    authorizeRequests

    public ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry authorizeRequests()
                                                                                          throws java.lang.Exception
    Allows restricting access based upon the HttpServletRequest using

    Example Configurations

    The most basic example is to configure all URLs to require the role "ROLE_USER". The configuration below requires authentication to every URL and will grant access to both the user "admin" and "user". @Configuration @EnableWebSecurity public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER") .and().withUser("adminr").password("password").roles("ADMIN", "USER"); We can also configure multiple URLs. The configuration below requires authentication to every URL and will grant access to URLs starting with /admin/ to only the "admin" user. All other URLs either user can access. @Configuration @EnableWebSecurity public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/**").hasRole("USER").and().formLogin(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER") .and().withUser("adminr").password("password").roles("ADMIN", "USER"); Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping: http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**") .hasRole("ADMIN")
    Returns:
    Throws:
    java.lang.Exception
    See Also:
    requestMatcher(RequestMatcher)

    requestCache

    public RequestCacheConfigurer<HttpSecurity> requestCache()
                                                      throws java.lang.Exception
    Allows configuring the Request Cache. For example, a protected page (/protected) may be requested prior to authentication. The application will redirect the user to a login page. After authentication, Spring Security will redirect the user to the originally requested protected page (/protected). This is automatically applied when using WebSecurityConfigurerAdapter .
    Returns:
    the RequestCacheConfigurer for further customizations
    Throws:
    java.lang.Exception

    exceptionHandling

    public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling()
                                                                throws java.lang.Exception
    Allows configuring exception handling. This is automatically applied when using WebSecurityConfigurerAdapter .
    Returns:
    the ExceptionHandlingConfigurer for further customizations
    Throws:
    java.lang.Exception

    securityContext

    public SecurityContextConfigurer<HttpSecurity> securityContext()
                                                            throws java.lang.Exception
    Sets up management of the SecurityContext on the SecurityContextHolder between HttpServletRequest 's. This is automatically applied when using WebSecurityConfigurerAdapter .
    Returns:
    the SecurityContextConfigurer for further customizations
    Throws:
    java.lang.Exception

    servletApi

    public ServletApiConfigurer<HttpSecurity> servletApi()
                                                  throws java.lang.Exception
    Integrates the HttpServletRequest methods with the values found on the SecurityContext . This is automatically applied when using WebSecurityConfigurerAdapter .
    Returns:
    the ServletApiConfigurer for further customizations
    Throws:
    java.lang.Exception
    public CsrfConfigurer<HttpSecurity> csrf()
                                      throws java.lang.Exception
    Adds CSRF support. This is activated by default when using WebSecurityConfigurerAdapter 's default constructor. You can disable it using: @Configuration @EnableWebSecurity public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { .csrf().disable()
    Returns:
    the ServletApiConfigurer for further customizations
    Throws:
    java.lang.Exception
    public LogoutConfigurer<HttpSecurity> logout()
                                          throws java.lang.Exception
    Provides logout support. This is automatically applied when using WebSecurityConfigurerAdapter . The default is that accessing the URL "/logout" will log the user out by invalidating the HTTP Session, cleaning up any rememberMe() authentication that was configured, clearing the SecurityContextHolder , and then redirect to "/login?success".

    Example Custom Configuration

    The following customization to log out when the URL "/custom-logout" is invoked. Log out will remove the cookie named "remove", not invalidate the HttpSession, clear the SecurityContextHolder, and upon completion redirect to "/logout-success". @Configuration @EnableWebSecurity public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .and() // sample logout customization .logout().deleteCookies("remove").invalidateHttpSession(false) .logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success"); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    Returns:
    Throws:
    java.lang.Exception
    public AnonymousConfigurer<HttpSecurity> anonymous()
                                                throws java.lang.Exception
    Allows configuring how an anonymous user is represented. This is automatically applied when used in conjunction with WebSecurityConfigurerAdapter . By default anonymous users will be represented with an AnonymousAuthenticationToken and contain the role "ROLE_ANONYMOUS".

    Example Configuration

    The following configuration demonstrates how to specify that anonymous users should contain the role "ROLE_ANON" instead. @Configuration @EnableWebSecurity public class AnononymousSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .and() // sample anonymous customization .anonymous().authorities("ROLE_ANON"); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); The following demonstrates how to represent anonymous users as null. Note that this can cause NullPointerException in code that assumes anonymous authentication is enabled. @Configuration @EnableWebSecurity public class AnononymousSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .and() // sample anonymous customization .anonymous().disabled(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    Returns:
    Throws:
    java.lang.Exception
    public FormLoginConfigurer<HttpSecurity> formLogin()
                                                throws java.lang.Exception
    Specifies to support form based authentication. If FormLoginConfigurer.loginPage(String) is not specified a default login page will be generated.

    Example Configurations

    The most basic configuration defaults to automatically generating a login page at the URL "/login", redirecting to "/login?error" for authentication failure. The details of the login page can be found on FormLoginConfigurer.loginPage(String) @Configuration @EnableWebSecurity public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); The configuration below demonstrates customizing the defaults. @Configuration @EnableWebSecurity public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .usernameParameter("username") // default is username .passwordParameter("password") // default is password .loginPage("/authentication/login") // default is /login with an HTTP get .failureUrl("/authentication/login?failed") // default is /login?error .loginProcessingUrl("/authentication/login/process"); // default is /login // with an HTTP // post @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    Returns:
    Throws:
    java.lang.Exception
    See Also:
    FormLoginConfigurer.loginPage(String)

    oauth2Login

    public OAuth2LoginConfigurer<HttpSecurity> oauth2Login()
                                                    throws java.lang.Exception
    Configures authentication against an external OAuth 2.0 or OpenID Connect 1.0 Provider. The "authentication flow" is realized using the Authorization Code Grant , as specified in the OAuth 2.0 Authorization Framework . As a prerequisite to using this feature, the developer must register a Client with an Authorization Server . The output of the Client Registration process results in a number of properties that are then used for configuring an instance of a ClientRegistration . Properties specific to a Client include: client_id , client_secret , scope , redirect_uri , etc. There are also properties specific to the Provider , for example, Authorization Endpoint URI , Token Endpoint URI , UserInfo Endpoint URI , etc. Multiple client support is provided for use cases where the application provides the user the option for "Logging in" against one or more Providers, for example, Google , GitHub , Facebook , etc. ClientRegistration (s) are composed within a ClientRegistrationRepository . An instance of ClientRegistrationRepository is required and may be supplied via the ApplicationContext or configured using OAuth2LoginConfigurer.clients(org.springframework.security.oauth2.client.registration.ClientRegistrationRepository) . The default configuration provides an auto-generated login page at "/login" and redirects to "/login?error" when an authentication error occurs. The login page will display each of the clients (composed within the ClientRegistrationRepository ) with an anchor link to "/oauth2/authorization/code/{clientAlias}" . Clicking through the link will initiate the "Authorization Request" flow redirecting the end-user's user-agent to the Authorization Endpoint of the Provider . Assuming the Resource Owner (end-user) grants the Client access, the Authorization Server will redirect the end-user's user-agent to the Redirection Endpoint containing the Authorization Code - the Redirection Endpoint is automatically configured for the application and defaults to "/oauth2/authorize/code/{clientAlias}" . At this point in the "authentication flow" , the configured AuthorizationGrantTokenExchanger will exchange the Authorization Code for an Access Token and then use it to access the protected resource at the UserInfo Endpoint (via OAuth2UserService ) in order to retrieve the details of the Resource Owner (end-user) and establish the "authenticated" session.

    Example Configurations

    The minimal configuration defaults to automatically generating a login page at "/login" and redirecting to "/login?error" when an authentication error occurs or redirecting to "/" when an authenticated session is established. @EnableWebSecurity public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { .authorizeRequests() .anyRequest().authenticated() .and() .oauth2Login(); @Bean public ClientRegistrationRepository clientRegistrationRepository() { // ClientRegistrationRepositoryImpl must be composed of at least one ClientRegistration instance return new ClientRegistrationRepositoryImpl(); The following shows the configuration options available for customizing the defaults. @EnableWebSecurity public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { .authorizeRequests() .anyRequest().authenticated() .and() .oauth2Login() .clients(this.clientRegistrationRepository()) .authorizationRequestBuilder(this.authorizationRequestBuilder()) .authorizationCodeTokenExchanger(this.authorizationCodeTokenExchanger()) .userInfoEndpoint() .userInfoService(this.userInfoService()) .userInfoEndpoint() // Provide a mapping between a Converter implementation and a UserInfo Endpoint URI .userInfoTypeConverter(this.userInfoConverter(), new URI("https://www.googleapis.com/oauth2/v3/userinfo")); @Bean public ClientRegistrationRepository clientRegistrationRepository() { // ClientRegistrationRepositoryImpl must be composed of at least one ClientRegistration instance return new ClientRegistrationRepositoryImpl(); @Bean public AuthorizationRequestUriBuilder authorizationRequestBuilder() { // Custom URI builder for the "Authorization Request" return new AuthorizationRequestUriBuilderImpl(); @Bean public AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger() { // Custom implementation that exchanges an "Authorization Code Grant" for an "Access Token" return new AuthorizationCodeTokenExchangerImpl(); @Bean public OAuth2UserService userInfoService() { // Custom implementation that retrieves the details of the authenticated user at the "UserInfo Endpoint" return new OAuth2UserServiceImpl(); @Bean public Converter<ClientHttpResponse, UserInfo> userInfoConverter() { // Default converter implementation for UserInfo return new org.springframework.security.oauth2.client.user.converter.UserInfoConverter();
    Returns:
    the OAuth2LoginConfigurer for further customizations
    Throws:
    java.lang.Exception
    Since:
    See Also:
    Section 4.1 Authorization Code Grant Flow , Section 4.1.1 Authorization Request , Section 4.1.2 Authorization Response , ClientRegistration , ClientRegistrationRepository , AuthorizationRequestUriBuilder , AuthorizationGrantTokenExchanger , OAuth2UserService

    requiresChannel

    public ChannelSecurityConfigurer.ChannelRequestMatcherRegistry requiresChannel()
                                                                            throws java.lang.Exception
    Configures channel security. In order for this configuration to be useful at least one mapping to a required channel must be provided.

    Example Configuration

    The example below demonstrates how to require HTTPs for every request. Only requiring HTTPS for some requests is supported, but not recommended since an application that allows for HTTP introduces many security vulnerabilities. For one such example, read about Firesheep . @Configuration @EnableWebSecurity public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() .and().requiresChannel().anyRequest().requiresSecure(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    Returns:
    the ChannelSecurityConfigurer for further customizations
    Throws:
    java.lang.Exception
    public HttpBasicConfigurer<HttpSecurity> httpBasic()
                                                throws java.lang.Exception
    Configures HTTP Basic authentication.

    Example Configuration

    The example below demonstrates how to configure HTTP Basic authentication for an application. The default realm is "Spring Security Application", but can be customized using HttpBasicConfigurer.realmName(String) . @Configuration @EnableWebSecurity public class HttpBasicSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/**").hasRole("USER").and().httpBasic(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    Returns:
    the HttpBasicConfigurer for further customizations
    Throws:
    java.lang.Exception
    public <C> void setSharedObject(java.lang.Class<C> sharedType,
                                    C object)
    Description copied from class: AbstractConfiguredSecurityBuilder
    Sets an object that is shared by multiple SecurityConfigurer .
    Specified by:
    setSharedObject in interface HttpSecurityBuilder < HttpSecurity >
    Overrides:
    setSharedObject in class AbstractConfiguredSecurityBuilder < DefaultSecurityFilterChain , HttpSecurity >
    Parameters:
    sharedType - the Class to key the shared object by.
    object - the Object to store
    protected void beforeConfigure()
                            throws java.lang.Exception
    Description copied from class: AbstractConfiguredSecurityBuilder
    Invoked prior to invoking each SecurityConfigurer.configure(SecurityBuilder) method. Subclasses may override this method to hook into the lifecycle without using a SecurityConfigurer .
    Overrides:
    beforeConfigure in class AbstractConfiguredSecurityBuilder < DefaultSecurityFilterChain , HttpSecurity >
    Throws:
    java.lang.Exception

    performBuild

    protected DefaultSecurityFilterChain performBuild()
                                               throws java.lang.Exception
    Description copied from class: AbstractConfiguredSecurityBuilder
    Subclasses must implement this method to build the object that is being returned.
    Specified by:
    performBuild in class AbstractConfiguredSecurityBuilder < DefaultSecurityFilterChain , HttpSecurity >
    Returns:
    Throws:
    java.lang.Exception

    authenticationProvider

    public HttpSecurity authenticationProvider(AuthenticationProvider authenticationProvider)
    Description copied from interface: HttpSecurityBuilder
    Allows adding an additional AuthenticationProvider to be used
    Specified by:
    authenticationProvider in interface HttpSecurityBuilder < HttpSecurity >
    Parameters:
    authenticationProvider - the AuthenticationProvider to be added
    Returns:
    the HttpSecurity for further customizations

    userDetailsService

    public HttpSecurity userDetailsService(UserDetailsService userDetailsService)
                                    throws java.lang.Exception
    Description copied from interface: HttpSecurityBuilder
    Allows adding an additional UserDetailsService to be used
    Specified by:
    userDetailsService in interface HttpSecurityBuilder < HttpSecurity >
    Parameters:
    userDetailsService - the UserDetailsService to be added
    Returns:
    the HttpSecurity for further customizations
    Throws:
    java.lang.Exception

    addFilterAfter

    public HttpSecurity addFilterAfter(javax.servlet.Filter filter,
                                       java.lang.Class<? extends javax.servlet.Filter> afterFilter)
    Description copied from interface: HttpSecurityBuilder
    Allows adding a Filter after one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class) .
    Specified by:
    addFilterAfter in interface HttpSecurityBuilder < HttpSecurity >
    Parameters:
    filter - the Filter to register after the type afterFilter
    afterFilter - the Class of the known Filter .
    Returns:
    the HttpSecurity for further customizations

    addFilterBefore

    public HttpSecurity addFilterBefore(javax.servlet.Filter filter,
                                        java.lang.Class<? extends javax.servlet.Filter> beforeFilter)
    Description copied from interface: HttpSecurityBuilder
    Allows adding a Filter before one of the known Filter classes. The known Filter instances are either a Filter listed in HttpSecurityBuilder.addFilter(Filter) or a Filter that has already been added using HttpSecurityBuilder.addFilterAfter(Filter, Class) or HttpSecurityBuilder.addFilterBefore(Filter, Class) .
    Specified by:
    addFilterBefore in interface HttpSecurityBuilder < HttpSecurity >
    Parameters:
    filter - the Filter to register before the type beforeFilter
    beforeFilter - the Class of the known Filter .
    Returns:
    the HttpSecurity for further customizations

    addFilter

    public HttpSecurity addFilter(javax.servlet.Filter filter)
    Description copied from interface: HttpSecurityBuilder
    Adds a Filter that must be an instance of or extend one of the Filters provided within the Security framework. The method ensures that the ordering of the Filters is automatically taken care of. The ordering of the Filters is:
  • ChannelProcessingFilter
  • ConcurrentSessionFilter
  • SecurityContextPersistenceFilter
  • LogoutFilter
  • X509AuthenticationFilter
  • AbstractPreAuthenticatedProcessingFilter
  • CasAuthenticationFilter
  • UsernamePasswordAuthenticationFilter
  • ConcurrentSessionFilter
  • OpenIDAuthenticationFilter
  • DefaultLoginPageGeneratingFilter
  • ConcurrentSessionFilter
  • DigestAuthenticationFilter
  • BasicAuthenticationFilter
  • RequestCacheAwareFilter
  • SecurityContextHolderAwareRequestFilter
  • JaasApiIntegrationFilter
  • RememberMeAuthenticationFilter
  • AnonymousAuthenticationFilter
  • SessionManagementFilter
  • ExceptionTranslationFilter
  • FilterSecurityInterceptor
  • SwitchUserFilter
  • Specified by:
    addFilter in interface HttpSecurityBuilder < HttpSecurity >
    Parameters:
    filter - the Filter to add
    Returns:
    the HttpSecurity for further customizations

    addFilterAt

    public HttpSecurity addFilterAt(javax.servlet.Filter filter,
                                    java.lang.Class<? extends javax.servlet.Filter> atFilter)
    Adds the Filter at the location of the specified Filter class. For example, if you want the filter CustomFilter to be registered in the same position as UsernamePasswordAuthenticationFilter , you can invoke: addFilterAt(new CustomFilter(), UsernamePasswordAuthenticationFilter.class)
    Parameters:
    filter - the Filter to register
    atFilter - the location of another Filter that is already registered (i.e. known) with Spring Security.
    Returns:
    the HttpSecurity for further customizations

    requestMatchers

    public HttpSecurity.RequestMatcherConfigurer requestMatchers()
    Allows specifying which HttpServletRequest instances this HttpSecurity will be invoked on. This method allows for easily invoking the HttpSecurity for multiple different RequestMatcher instances. If only a single RequestMatcher is necessary consider using mvcMatcher(String) , antMatcher(String) , regexMatcher(String) , or requestMatcher(RequestMatcher) . Invoking requestMatchers() will not override previous invocations of mvcMatcher(String) }, requestMatchers() , antMatcher(String) , regexMatcher(String) , and requestMatcher(RequestMatcher) .

    Example Configurations

    The following configuration enables the HttpSecurity for URLs that begin with "/api/" or "/oauth/". @Configuration @EnableWebSecurity public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { .requestMatchers() .antMatchers("/api/**", "/oauth/**") .and() .authorizeRequests() .antMatchers("/**").hasRole("USER") .and() .httpBasic(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { .inMemoryAuthentication() .withUser("user").password("password").roles("USER"); The configuration below is the same as the previous configuration. @Configuration @EnableWebSecurity public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { .requestMatchers() .antMatchers("/api/**") .antMatchers("/oauth/**") .and() .authorizeRequests() .antMatchers("/**").hasRole("USER") .and() .httpBasic(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { .inMemoryAuthentication() .withUser("user").password("password").roles("USER"); The configuration below is also the same as the above configuration. @Configuration @EnableWebSecurity public class RequestMatchersSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { .requestMatchers() .antMatchers("/api/**") .and() .requestMatchers() .antMatchers("/oauth/**") .and() .authorizeRequests() .antMatchers("/**").hasRole("USER") .and() .httpBasic(); @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { .inMemoryAuthentication() .withUser("user").password("password").roles("USER");
    Returns:
    the HttpSecurity.RequestMatcherConfigurer for further customizations

    requestMatcher

    public HttpSecurity requestMatcher(RequestMatcher requestMatcher)
    Allows configuring the HttpSecurity to only be invoked when matching the provided RequestMatcher . If more advanced configuration is necessary, consider using requestMatchers() . Invoking requestMatcher(RequestMatcher) will override previous invocations of requestMatchers() , mvcMatcher(String) , antMatcher(String) , regexMatcher(String) , and requestMatcher(RequestMatcher) .
    Parameters:
    requestMatcher - the RequestMatcher to use (i.e. new AntPathRequestMatcher("/admin/**","GET") )
    Returns:
    the HttpSecurity for further customizations
    See Also:
    requestMatchers() , antMatcher(String) , regexMatcher(String)

    antMatcher

    public HttpSecurity antMatcher(java.lang.String antPattern)
    Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher) . Invoking antMatcher(String) will override previous invocations of mvcMatcher(String) }, requestMatchers() , antMatcher(String) , regexMatcher(String) , and requestMatcher(RequestMatcher) .
    Parameters:
    antPattern - the Ant Pattern to match on (i.e. "/admin/**")
    Returns:
    the HttpSecurity for further customizations
    See Also:
    AntPathRequestMatcher

    mvcMatcher

    public HttpSecurity mvcMatcher(java.lang.String mvcPattern)
    Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher) . Invoking mvcMatcher(String) will override previous invocations of mvcMatcher(String) }, requestMatchers() , antMatcher(String) , regexMatcher(String) , and requestMatcher(RequestMatcher) .
    Parameters:
    mvcPattern - the Spring MVC Pattern to match on (i.e. "/admin/**")
    Returns:
    the HttpSecurity for further customizations
    See Also:
    MvcRequestMatcher

    regexMatcher

    public HttpSecurity regexMatcher(java.lang.String pattern)
    Allows configuring the HttpSecurity to only be invoked when matching the provided regex pattern. If more advanced configuration is necessary, consider using requestMatchers() or requestMatcher(RequestMatcher) . Invoking regexMatcher(String) will override previous invocations of mvcMatcher(String) }, requestMatchers() , antMatcher(String) , regexMatcher(String) , and requestMatcher(RequestMatcher) .
    Parameters:
    pattern - the Regular Expression to match on (i.e. "/admin/.+")
    Returns:
    the HttpSecurity for further customizations
    See Also:
    RegexRequestMatcher