You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
194 lines
6.4 KiB
194 lines
6.4 KiB
= Web Migrations |
|
|
|
[[use-path-pattern]] |
|
== Use PathPatternRequestMatcher by Default |
|
|
|
In Spring Security 7, `AntPathRequestMatcher` and `MvcRequestMatcher` are no longer supported and the Java DSL requires that all URIs be absolute (less any context root). |
|
At that time, Spring Security 7 will use `PathPatternRequestMatcher` by default. |
|
|
|
To check how prepared you are for this change, you can publish this bean: |
|
|
|
[tabs] |
|
====== |
|
Java:: |
|
+ |
|
[source,java,role="primary"] |
|
---- |
|
@Bean |
|
PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder() { |
|
return new PathPatternRequestMatcherBuilderFactoryBean(); |
|
} |
|
---- |
|
|
|
Kotlin:: |
|
+ |
|
[source,kotlin,role="secondary"] |
|
---- |
|
@Bean |
|
fun requestMatcherBuilder(): PathPatternRequestMatcherBuilderFactoryBean { |
|
return PathPatternRequestMatcherBuilderFactoryBean() |
|
} |
|
---- |
|
|
|
Xml:: |
|
+ |
|
[source,xml,role="secondary"] |
|
---- |
|
<b:bean class="org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean"/> |
|
---- |
|
====== |
|
|
|
This will tell the Spring Security DSL to use `PathPatternRequestMatcher` for all request matchers that it constructs. |
|
|
|
In the event that you are directly constructing an object (as opposed to having the DSL construct it) that has a `setRequestMatcher` method. you should also proactively specify a `PathPatternRequestMatcher` there as well. |
|
|
|
For example, in the case of `LogoutFilter`, it constructs an `AntPathRequestMatcher` in Spring Security 6: |
|
|
|
[method,java] |
|
---- |
|
private RequestMatcher logoutUrl = new AntPathRequestMatcher("/logout"); |
|
---- |
|
|
|
and will change this to a `PathPatternRequestMatcher` in 7: |
|
|
|
[method,java] |
|
---- |
|
private RequestMatcher logoutUrl = PathPatternRequestMatcher.path().matcher("/logout"); |
|
---- |
|
|
|
If you are constructing your own `LogoutFilter`, consider calling `setLogoutRequestMatcher` to provide this `PathPatternRequestMatcher` in advance. |
|
|
|
== Include the Servlet Path Prefix in Authorization Rules |
|
|
|
For many applications <<use-path-pattern, the above>> will make no difference since most commonly all URIs listed are matched by the default servlet. |
|
|
|
However, if you have other servlets with servlet path prefixes, xref:servlet/authorization/authorize-http-requests.adoc[then these paths now need to be supplied separately]. |
|
|
|
For example, if I have a Spring MVC controller with `@RequestMapping("/orders")` and my MVC application is deployed to `/mvc` (instead of the default servlet), then the URI for this endpoint is `/mvc/orders`. |
|
Historically, the Java DSL hasn't had a simple way to specify the servlet path prefix and Spring Security attempted to infer it. |
|
|
|
Over time, we learned that these inference would surprise developers. |
|
Instead of taking this responsibility away from developers, now it is simpler to specify the servlet path prefix like so: |
|
|
|
[method,java] |
|
---- |
|
PathPatternRequestParser.Builder servlet = PathPatternRequestParser.servletPath("/mvc"); |
|
http |
|
.authorizeHttpRequests((authorize) -> authorize |
|
.requestMatchers(servlet.pattern("/orders/**").matcher()).authenticated() |
|
) |
|
---- |
|
|
|
|
|
For paths that belong to the default servlet, use `PathPatternRequestParser.path()` instead: |
|
|
|
[method,java] |
|
---- |
|
PathPatternRequestParser.Builder request = PathPatternRequestParser.path(); |
|
http |
|
.authorizeHttpRequests((authorize) -> authorize |
|
.requestMatchers(request.pattern("/js/**").matcher()).authenticated() |
|
) |
|
---- |
|
|
|
Note that this doesn't address every kind of servlet since not all servlets have a path prefix. |
|
For example, expressions that match the JSP Servlet might use an ant pattern `/**/*.jsp`. |
|
|
|
There is not yet a general-purpose replacement for these, and so you are encouraged to use `RegexRequestMatcher`, like so: `regexMatcher("\\.jsp$")`. |
|
|
|
For many applications this will make no difference since most commonly all URIs listed are matched by the default servlet. |
|
|
|
[[use-redirect-to-https]] |
|
== Use RedirectToHttps Instead of Channel Security |
|
|
|
Years ago, HTTPS at large was enough of a performance and configuration concern that applications wanted to be able to decide which segments of an application would require HTTPS. |
|
|
|
`requires-channel` in XML and `requiresChannel` in Java Config allowed configurating an application with that in mind: |
|
|
|
[tabs] |
|
====== |
|
Java:: |
|
+ |
|
[source,java,role="primary"] |
|
---- |
|
http |
|
.requiresChannel((channel) -> channel |
|
.requestMatchers("/secure/**").requiresSecureChannel() |
|
.requestMatchers("/insecure/**").requiresInsecureChannel() |
|
) |
|
---- |
|
|
|
Kotlin:: |
|
+ |
|
[source,kotlin,role="secondary"] |
|
---- |
|
http { |
|
requiresChannel { |
|
secure("/secure/**") |
|
seccure("/insecure/**", "REQUIRES_INSECURE_CHANNEL") |
|
} |
|
} |
|
---- |
|
|
|
Xml:: |
|
+ |
|
[source,xml,role="secondary"] |
|
---- |
|
<http> |
|
<intercept-url pattern="/secure/**" access="authenticated" requires-channel="REQUIRES_SECURE_CHANNEL"/> |
|
<intercept-url pattern="/insecure/**" access="authenticated" requires-channel="REQUIRES_INSECURE_CHANNEL"/> |
|
</http> |
|
---- |
|
====== |
|
|
|
Modern applications should either always require HTTPS. |
|
However, there are times, like when developing locally, when one would like the application to use HTTP. |
|
Or, you may have continuing circumstances that require part of your application to be HTTP. |
|
|
|
In any case, you can migrate to `redirect-to-https-request-matcher-ref` and `redirectToHttps` by first constructing a `RequestMatcher` that contains all circumstances where redirecting to HTTPS is needed. |
|
Then you can reference that request matcher like so: |
|
|
|
[tabs] |
|
====== |
|
Java:: |
|
+ |
|
[source,java,role="primary"] |
|
---- |
|
http |
|
.redirectToHttps((https) -> https.requestMatchers("/secure/**")) |
|
// ... |
|
---- |
|
|
|
Kotlin:: |
|
+ |
|
[source,kotlin,role="secondary"] |
|
---- |
|
var secure: RequestMatcher = PathPatternRequestMatcher.withDefaults().pattern("/secure/**") |
|
http { |
|
redirectToHttps { |
|
requestMatchers = secure |
|
} |
|
// ... |
|
} |
|
---- |
|
|
|
Xml:: |
|
+ |
|
[source,xml,role="secondary"] |
|
---- |
|
<b:bean id="builder" class="org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher$Builder"/> |
|
<b:bean id="secure" class="org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher" factory-bean="builder" factory-method="matcher"> |
|
<b:constructor-arg value="/secure/**"/> |
|
</b:bean> |
|
<http redirect-to-https-request-matcher-ref="secure"> |
|
<intercept-url pattern="/secure/**" access="authenticated"/> |
|
<intercept-url pattern="/insecure/**" access="authenticated"/> |
|
<!-- ... --> |
|
</http> |
|
---- |
|
====== |
|
|
|
[TIP] |
|
===== |
|
If you have several circumstances where HTTP is needed, consider using `OrRequestMatcher` to combine them into a single `RequestMatcher` instance. |
|
=====
|
|
|