From a714ba44eaecf9ed926cc35da4cb8f30a09b7a5d Mon Sep 17 00:00:00 2001
From: Madhura Bhave
Date: Tue, 22 Dec 2020 11:16:02 -0800
Subject: [PATCH] Update documentation containing examples of WebSecurityConfigurerAdapter

Closes gh-24551
---
 .../src/docs/asciidoc/howto.adoc | 16 ++++-----
 .../asciidoc/production-ready-features.adoc | 33 ++++++++-----------
 .../docs/asciidoc/spring-boot-features.adoc | 30 ++++++++---------
 3 files changed, 34 insertions(+), 45 deletions(-)

diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc
index 7d2f7f18b40..d36aba418e4 100644
--- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc
@@ -2434,19 +2434,15 @@ You can switch on the valve by adding some entries to `application.properties`,
 (The presence of either of those properties switches on the valve.
 Alternatively, you can add the `RemoteIpValve` by adding a `TomcatServletWebServerFactory` bean.)
 
-To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `WebSecurityConfigurerAdapter` that adds the following `HttpSecurity` configuration:
+To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `SecurityFilterChain` bean that adds the following `HttpSecurity` configuration:
 
 [source,java,indent=0,subs="verbatim,quotes,attributes"]
 ----
-	@Configuration(proxyBeanMethods = false)
-	public class SslWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-			// Customize the application security
-			http.requiresChannel().anyRequest().requiresSecure();
-		}
-
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// Customize the application security
+		http.requiresChannel().anyRequest().requiresSecure();
+		return http.build();
 	}
 ----
 
diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/production-ready-features.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/production-ready-features.adoc
index 53e6d8b0c62..915de364953 100644
--- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/production-ready-features.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/production-ready-features.adoc
@@ -359,16 +359,12 @@ A typical Spring Security configuration might look something like the following
 
 [source,java,indent=0]
 ----
-	@Configuration(proxyBeanMethods = false)
-	public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-			http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-				requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
-			http.httpBasic();
-		}
-
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+			requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+		http.httpBasic();
+		return http.build();
 	}
 ----
 
@@ -392,18 +388,17 @@ Additionally, if Spring Security is present, you would need to add custom securi
 
 [source,java,indent=0]
 ----
-	@Configuration(proxyBeanMethods = false)
-	public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
-
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-			http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
 			requests.anyRequest().permitAll());
-		}
-
-	}
+		return http.build();
+	}
 ----
 
+NOTE: In both the examples above, the configuration applies only to the actuator endpoints.
+Since Spring Boot's security configuration backs off completely in the presence of any `SecurityFilterChain` bean, you will need to configure an additional `SecurityFilterChain` bean with rules that apply to the rest of the application.
+
 [[production-ready-endpoints-caching]]
diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/spring-boot-features.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/spring-boot-features.adoc
index b88f303608a..6fb405e8bd9 100644
--- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/spring-boot-features.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/spring-boot-features.adoc
@@ -3695,11 +3695,11 @@ You can provide a different `AuthenticationEventPublisher` by adding a bean for
 === MVC Security
 The default security configuration is implemented in `SecurityAutoConfiguration` and `UserDetailsServiceAutoConfiguration`.
 `SecurityAutoConfiguration` imports `SpringBootWebSecurityConfiguration` for web security and `UserDetailsServiceAutoConfiguration` configures authentication, which is also relevant in non-web applications.
-To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth 2 Client and Resource Server, add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
+To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, add a bean of type `SecurityFilterChain` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
 
 To also switch off the `UserDetailsService` configuration, you can add a bean of type `UserDetailsService`, `AuthenticationProvider`, or `AuthenticationManager`.
 
-Access rules can be overridden by adding a custom `WebSecurityConfigurerAdapter`.
+Access rules can be overridden by adding a custom `SecurityFilterChain` or `WebSecurityConfigurerAdapter` bean.
 Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources.
 `EndpointRequest` can be used to create a `RequestMatcher` that is based on the configprop:management.endpoints.web.base-path[] property.
 `PathRequest` can be used to create a `RequestMatcher` for resources in commonly used locations.
@@ -3800,23 +3800,21 @@ The following example shows how an OpenID Connect Provider can be configured wit
 
 By default, Spring Security's `OAuth2LoginAuthenticationFilter` only processes URLs matching `/login/oauth2/code/*`.
 If you want to customize the `redirect-uri` to use a different pattern, you need to provide configuration to process that custom pattern.
-For example, for servlet applications, you can add your own `WebSecurityConfigurerAdapter` that resembles the following:
+For example, for servlet applications, you can add your own `SecurityFilterChain` that resembles the following:
 
 [source,java,indent=0]
 ----
-public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
-
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
-		http
-			.authorizeRequests()
-			.anyRequest().authenticated()
-			.and()
-			.oauth2Login()
-			.redirectionEndpoint()
-			.baseUri("/custom-callback");
-	}
-}
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		http
+			.authorizeRequests()
+			.anyRequest().authenticated()
+			.and()
+			.oauth2Login()
+			.redirectionEndpoint()
+			.baseUri("/custom-callback");
+		return http.build();
+	}
 ----