From 2cdf801e7fd64d2c204fff0cd082a1c99d36553f Mon Sep 17 00:00:00 2001 From: Andy Wilkinson Date: Wed, 16 Oct 2019 15:59:44 +0100 Subject: [PATCH] Add a note to the docs about combining multiple security components Previously, the documentation did not describe how to combine multiple security components when one component's WebSecurityConfigurerAdapter or SecurityWebFilterChain would cause the other components' beans of the same type to back off. This commit adds a note that such cases should be handled by the user defining their own WebSecurityConfigurerAdapter or SecurityWebFilterChain that configures the use of all of the components as required. Closes gh-18507 --- .../src/main/asciidoc/spring-boot-features.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc index f3bd9e31de2..5a42d993f32 100644 --- a/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc +++ b/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc 
@@ -3064,7 +3064,7 @@ You can provide a different `AuthenticationEventPublisher` by adding a bean for === MVC Security The default security configuration is implemented in `SecurityAutoConfiguration` and `UserDetailsServiceAutoConfiguration`. `SecurityAutoConfiguration` imports `SpringBootWebSecurityConfiguration` for web security and `UserDetailsServiceAutoConfiguration` configures authentication, which is also relevant in non-web applications. -To switch off the default web application security configuration completely, you can add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security). +To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth 2 Client and Resource Server, add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security). To also switch off the `UserDetailsService` configuration, you can add a bean of type `UserDetailsService`, `AuthenticationProvider`, or `AuthenticationManager`. @@ -3084,7 +3084,7 @@ To switch off the default web application security configuration completely, you To also switch off the `UserDetailsService` configuration, you can add a bean of type `ReactiveUserDetailsService` or `ReactiveAuthenticationManager`. -Access rules can be configured by adding a custom `SecurityWebFilterChain`. +Access rules and the use of multiple Spring Security components such as OAuth 2 Client and Resource Server can be configured by adding a custom `SecurityWebFilterChain` bean. Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources. `EndpointRequest` can be used to create a `ServerWebExchangeMatcher` that is based on the configprop:management.endpoints.web.base-path[] property.
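Review bot: In the first hunk (MVC Security), the rewritten sentence tells readers to add a `WebSecurityConfigurerAdapter` bean in order to combine components such as OAuth 2 Client and Resource Server, but it drops the reason the commit message gives: one component's `WebSecurityConfigurerAdapter` causes the other components' beans of the same type to back off, so the user's adapter has to configure the use of all of the components itself. As written, "add a bean of type `WebSecurityConfigurerAdapter`" can be read as if the components then combine on their own. Suggest a follow-on sentence stating that the user-defined adapter must configure every component that is required. The parenthetical "doing so does not disable the `UserDetailsService` configuration or Actuator's security" now also attaches to the combining case, so consider splitting the sentence in two: one for switching off the defaults and one for combining components.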
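Review bot: In the second hunk (the reactive section), "can be configured by adding a custom `SecurityWebFilterChain` bean" does not mention the back-off behaviour described in the commit message, where one component's `SecurityWebFilterChain` causes the other components' beans of the same type to back off. A reader who adds a chain only to set access rules gets no hint that OAuth 2 Client and Resource Server then have to be configured in that same chain as well. Suggest saying so explicitly, and aligning the wording with the MVC sentence in the first hunk (imperative "add a bean of type ...") so the two sections read in parallel.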