Madhura Bhave
commit
467f853641
|
|
@ -2434,19 +2434,15 @@ You can switch on the valve by adding some entries to `application.properties`,
|
|||
(The presence of either of those properties switches on the valve.
|
||||
Alternatively, you can add the `RemoteIpValve` by adding a `TomcatServletWebServerFactory` bean.)
|
||||
|
||||
To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `WebSecurityConfigurerAdapter` that adds the following `HttpSecurity` configuration:
|
||||
To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `SecurityFilterChain` bean that adds the following `HttpSecurity` configuration:
|
||||
|
||||
[source,java,indent=0,subs="verbatim,quotes,attributes"]
|
||||
----
|
||||
@Configuration(proxyBeanMethods = false)
|
||||
public class SslWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
// Customize the application security
|
||||
http.requiresChannel().anyRequest().requiresSecure();
|
||||
}
|
||||
|
||||
@Bean
|
||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
// Customize the application security
|
||||
http.requiresChannel().anyRequest().requiresSecure();
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
|
||||
|
|
|
|||
|
|
@ -359,16 +359,12 @@ A typical Spring Security configuration might look something like the following
|
|||
|
||||
[source,java,indent=0]
|
||||
----
|
||||
@Configuration(proxyBeanMethods = false)
|
||||
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
|
||||
requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
|
||||
http.httpBasic();
|
||||
}
|
||||
|
||||
@Bean
|
||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
|
||||
requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
|
||||
http.httpBasic();
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
|
||||
|
|
@ -392,18 +388,17 @@ Additionally, if Spring Security is present, you would need to add custom securi
|
|||
|
||||
[source,java,indent=0]
|
||||
----
|
||||
@Configuration(proxyBeanMethods = false)
|
||||
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
|
||||
@Bean
|
||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
|
||||
requests.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
}
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
|
||||
NOTE: In both the examples above, the configuration applies only to the actuator endpoints.
|
||||
Since Spring Boot's security configuration backs off completely in the presence of any `SecurityFilterChain` bean, you will need to configure an additional `SecurityFilterChain` bean with rules that apply to the rest of the application.
|
||||
|
||||
|
||||
|
||||
[[production-ready-endpoints-caching]]
|
||||
|
|
|
|||
|
|
@ -3695,11 +3695,11 @@ You can provide a different `AuthenticationEventPublisher` by adding a bean for
|
|||
=== MVC Security
|
||||
The default security configuration is implemented in `SecurityAutoConfiguration` and `UserDetailsServiceAutoConfiguration`.
|
||||
`SecurityAutoConfiguration` imports `SpringBootWebSecurityConfiguration` for web security and `UserDetailsServiceAutoConfiguration` configures authentication, which is also relevant in non-web applications.
|
||||
To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth 2 Client and Resource Server, add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
|
||||
To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, add a bean of type `SecurityFilterChain` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
|
||||
|
||||
To also switch off the `UserDetailsService` configuration, you can add a bean of type `UserDetailsService`, `AuthenticationProvider`, or `AuthenticationManager`.
|
||||
|
||||
Access rules can be overridden by adding a custom `WebSecurityConfigurerAdapter`.
|
||||
Access rules can be overridden by adding a custom `SecurityFilterChain` or `WebSecurityConfigurerAdapter` bean.
|
||||
Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources.
|
||||
`EndpointRequest` can be used to create a `RequestMatcher` that is based on the configprop:management.endpoints.web.base-path[] property.
|
||||
`PathRequest` can be used to create a `RequestMatcher` for resources in commonly used locations.
|
||||
|
|
@ -3800,23 +3800,21 @@ The following example shows how an OpenID Connect Provider can be configured wit
|
|||
|
||||
By default, Spring Security's `OAuth2LoginAuthenticationFilter` only processes URLs matching `/login/oauth2/code/*`.
|
||||
If you want to customize the `redirect-uri` to use a different pattern, you need to provide configuration to process that custom pattern.
|
||||
For example, for servlet applications, you can add your own `WebSecurityConfigurerAdapter` that resembles the following:
|
||||
For example, for servlet applications, you can add your own `SecurityFilterChain` that resembles the following:
|
||||
|
||||
[source,java,indent=0]
|
||||
----
|
||||
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2Login()
|
||||
.redirectionEndpoint()
|
||||
.baseUri("/custom-callback");
|
||||
}
|
||||
}
|
||||
@Bean
|
||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2Login()
|
||||
.redirectionEndpoint()
|
||||
.baseUri("/custom-callback");
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue