root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch '2.4.x' 

Closes gh-24593
This commit is contained in:
Madhura Bhave 2020-12-22 11:17:54 -08:00
parent ad6b01d6d0 a714ba44ea
commit 467f853641
3 changed files with 34 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc
View File

@ -2434,19 +2434,15 @@ You can switch on the valve by adding some entries to `application.properties`,
(The presence of either of those properties switches on the valve. (The presence of either of those properties switches on the valve.
Alternatively, you can add the `RemoteIpValve` by adding a `TomcatServletWebServerFactory` bean.) Alternatively, you can add the `RemoteIpValve` by adding a `TomcatServletWebServerFactory` bean.)
To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `WebSecurityConfigurerAdapter` that adds the following `HttpSecurity` configuration: To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `SecurityFilterChain` bean that adds the following `HttpSecurity` configuration:
[source,java,indent=0,subs="verbatim,quotes,attributes"] [source,java,indent=0,subs="verbatim,quotes,attributes"]
---- ----
@Configuration(proxyBeanMethods = false) @Bean
public class SslWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// Customize the application security
@Override http.requiresChannel().anyRequest().requiresSecure();
protected void configure(HttpSecurity http) throws Exception { return http.build();
// Customize the application security
http.requiresChannel().anyRequest().requiresSecure();
}
} }
---- ----

33
spring-boot-project/spring-boot-docs/src/docs/asciidoc/production-ready-features.adoc
View File

@ -359,16 +359,12 @@ A typical Spring Security configuration might look something like the following
[source,java,indent=0] [source,java,indent=0]
---- ----
@Configuration(proxyBeanMethods = false) @Bean
public class ActuatorSecurity extends WebSecurityConfigurerAdapter { public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
@Override requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
protected void configure(HttpSecurity http) throws Exception { http.httpBasic();
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) -> return http.build();
requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
http.httpBasic();
}
} }
---- ----
@ -392,18 +388,17 @@ Additionally, if Spring Security is present, you would need to add custom securi
[source,java,indent=0] [source,java,indent=0]
---- ----
@Configuration(proxyBeanMethods = false) @Bean
public class ActuatorSecurity extends WebSecurityConfigurerAdapter { public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
requests.anyRequest().permitAll()); requests.anyRequest().permitAll());
} return http.build();
}
}
---- ----
NOTE: In both the examples above, the configuration applies only to the actuator endpoints.
Since Spring Boot's security configuration backs off completely in the presence of any `SecurityFilterChain` bean, you will need to configure an additional `SecurityFilterChain` bean with rules that apply to the rest of the application.
[[production-ready-endpoints-caching]] [[production-ready-endpoints-caching]]

30
spring-boot-project/spring-boot-docs/src/docs/asciidoc/spring-boot-features.adoc
View File

@ -3695,11 +3695,11 @@ You can provide a different `AuthenticationEventPublisher` by adding a bean for
=== MVC Security === MVC Security
The default security configuration is implemented in `SecurityAutoConfiguration` and `UserDetailsServiceAutoConfiguration`. The default security configuration is implemented in `SecurityAutoConfiguration` and `UserDetailsServiceAutoConfiguration`.
`SecurityAutoConfiguration` imports `SpringBootWebSecurityConfiguration` for web security and `UserDetailsServiceAutoConfiguration` configures authentication, which is also relevant in non-web applications. `SecurityAutoConfiguration` imports `SpringBootWebSecurityConfiguration` for web security and `UserDetailsServiceAutoConfiguration` configures authentication, which is also relevant in non-web applications.
To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth 2 Client and Resource Server, add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security). To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, add a bean of type `SecurityFilterChain` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
To also switch off the `UserDetailsService` configuration, you can add a bean of type `UserDetailsService`, `AuthenticationProvider`, or `AuthenticationManager`. To also switch off the `UserDetailsService` configuration, you can add a bean of type `UserDetailsService`, `AuthenticationProvider`, or `AuthenticationManager`.
Access rules can be overridden by adding a custom `WebSecurityConfigurerAdapter`. Access rules can be overridden by adding a custom `SecurityFilterChain` or `WebSecurityConfigurerAdapter` bean.
Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources. Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources.
`EndpointRequest` can be used to create a `RequestMatcher` that is based on the configprop:management.endpoints.web.base-path[] property. `EndpointRequest` can be used to create a `RequestMatcher` that is based on the configprop:management.endpoints.web.base-path[] property.
`PathRequest` can be used to create a `RequestMatcher` for resources in commonly used locations. `PathRequest` can be used to create a `RequestMatcher` for resources in commonly used locations.
@ -3800,23 +3800,21 @@ The following example shows how an OpenID Connect Provider can be configured wit
By default, Spring Security's `OAuth2LoginAuthenticationFilter` only processes URLs matching `/login/oauth2/code/*`. By default, Spring Security's `OAuth2LoginAuthenticationFilter` only processes URLs matching `/login/oauth2/code/*`.
If you want to customize the `redirect-uri` to use a different pattern, you need to provide configuration to process that custom pattern. If you want to customize the `redirect-uri` to use a different pattern, you need to provide configuration to process that custom pattern.
For example, for servlet applications, you can add your own `WebSecurityConfigurerAdapter` that resembles the following: For example, for servlet applications, you can add your own `SecurityFilterChain` that resembles the following:
[source,java,indent=0] [source,java,indent=0]
---- ----
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
@Override http
protected void configure(HttpSecurity http) throws Exception { .authorizeRequests()
http .anyRequest().authenticated()
.authorizeRequests() .and()
.anyRequest().authenticated() .oauth2Login()
.and() .redirectionEndpoint()
.oauth2Login() .baseUri("/custom-callback");
.redirectionEndpoint() return http.build();
.baseUri("/custom-callback"); }
}
}
---- ----