Add a note to the docs about combining multiple security components

Previously, the documentation did not describe how to combine multiple security components when one component's WebSecurityConfigurerAdapter or SecurityWebFilterChain would cause the other components' beans of the same type to back off. This commit adds a note that such cases should be handled by the user defining their own WebSecurityConfigurerAdapter or SecurityWebFilterChain that configures the use of all of the components as required.

Closes gh-18507
parent 1529ba14c8
commit 2cdf801e7f
|
|
@ -3064,7 +3064,7 @@ You can provide a different `AuthenticationEventPublisher` by adding a bean for
|
|||
=== MVC Security
|
||||
The default security configuration is implemented in `SecurityAutoConfiguration` and `UserDetailsServiceAutoConfiguration`.
|
||||
`SecurityAutoConfiguration` imports `SpringBootWebSecurityConfiguration` for web security and `UserDetailsServiceAutoConfiguration` configures authentication, which is also relevant in non-web applications.
|
||||
To switch off the default web application security configuration completely, you can add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
|
||||
To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth 2 Client and Resource Server, add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
|
||||
|
||||
To also switch off the `UserDetailsService` configuration, you can add a bean of type `UserDetailsService`, `AuthenticationProvider`, or `AuthenticationManager`.
|
||||
|
||||
|
|
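Review bot: The rewritten "To switch off the default web application security configuration completely or to combine multiple Spring Security components ..." sentence leaves out the back-off behaviour that the commit message gives as the reason for the change. As worded, a reader can conclude that adding any `WebSecurityConfigurerAdapter` bean combines OAuth 2 Client and Resource Server, when the commit message says the user's adapter has to configure the use of all of the components itself. Anything the adapter omits is simply not applied, which matters for a security configuration. Consider splitting this into two sentences: keep the original "switch off" sentence, then add one stating that when several components are used together, one component's adapter causes the others to back off, so a user-defined `WebSecurityConfigurerAdapter` must configure each component that is required. The parenthetical about `UserDetailsService` and Actuator security would then stay attached to the "switch off" case it was written for.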
@ -3084,7 +3084,7 @@ To switch off the default web application security configuration completely, you
|
|||
|
||||
To also switch off the `UserDetailsService` configuration, you can add a bean of type `ReactiveUserDetailsService` or `ReactiveAuthenticationManager`.
|
||||
|
||||
Access rules can be configured by adding a custom `SecurityWebFilterChain`.
|
||||
Access rules and the use of multiple Spring Security components such as OAuth 2 Client and Resource Server can be configured by adding a custom `SecurityWebFilterChain` bean.
|
||||
Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources.
|
||||
`EndpointRequest` can be used to create a `ServerWebExchangeMatcher` that is based on the configprop:management.endpoints.web.base-path[] property.
|
||||
|
||||
|
|
|
|||
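Review bot: In the WebFlux section the note is attached to the "Access rules ..." sentence, while the MVC hunk attaches it to the "To switch off the default web application security configuration completely" sentence, and the hunk header shows a sentence with that same opening just above this hunk. Someone looking for how to combine components is unlikely to look under access rules, and the two sections now read differently for the same advice. The new sentence also does not mention that the custom `SecurityWebFilterChain` bean causes the components' own beans of that type to back off, so it must configure the use of every component as required, which is what the commit message describes. Suggest keeping "Access rules can be configured by adding a custom `SecurityWebFilterChain` bean." as its own sentence and adding a separate one for the multiple-components case, worded to match the MVC section.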