Merge branch '2.6.x' into 2.7.x

Closes gh-31354
Stephane Nicoll 2022-06-13 14:29:18 +02:00
commit 72dd51ae0b
10 changed files with 43 additions and 27 deletions


@ -337,7 +337,7 @@ More information on {spring-security-docs}/features/exploits/csrf.html[CSRF] and
In simple setups, a `SecurityFilterChain` like the following can be used: In simple setups, a `SecurityFilterChain` like the following can be used:
include::code:DevProfileSecurityConfiguration[] include::code:DevProfileSecurityConfiguration[tag=!customizer]
WARNING: The H2 console is only intended for use during development. WARNING: The H2 console is only intended for use during development.
In production, disabling CSRF protection or allowing frames for a website may create severe security risks. In production, disabling CSRF protection or allowing frames for a website may create severe security risks.


@ -1,5 +1,5 @@
/* /*
* Copyright 2012-2021 the original author or authors. * Copyright 2012-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -27,8 +27,8 @@ public class MySecurityConfiguration {
@Bean @Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()) http.requestMatcher(EndpointRequest.toAnyEndpoint());
.authorizeRequests((requests) -> requests.anyRequest().permitAll()); http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
return http.build(); return http.build();
} }


@ -1,5 +1,5 @@
/* /*
* Copyright 2012-2021 the original author or authors. * Copyright 2012-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -22,14 +22,16 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.SecurityFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;
@Configuration(proxyBeanMethods = false) @Configuration(proxyBeanMethods = false)
public class MySecurityConfiguration { public class MySecurityConfiguration {
@Bean @Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()) http.requestMatcher(EndpointRequest.toAnyEndpoint());
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN")); http.authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
http.httpBasic(); http.httpBasic(withDefaults());
return http.build(); return http.build();
} }


@ -22,6 +22,7 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile; import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered; import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order; import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.SecurityFilterChain;
@ -32,13 +33,18 @@ public class DevProfileSecurityConfiguration {
@Bean @Bean
@Order(Ordered.HIGHEST_PRECEDENCE) @Order(Ordered.HIGHEST_PRECEDENCE)
SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception { SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
// @formatter:off http.requestMatcher(PathRequest.toH2Console());
return http.requestMatcher(PathRequest.toH2Console()) http.authorizeRequests(yourCustomAuthorization());
// ... configuration for authorization http.csrf((csrf) -> csrf.disable());
.csrf().disable() http.headers((headers) -> headers.frameOptions().sameOrigin());
.headers().frameOptions().sameOrigin().and() return http.build();
.build();
// @formatter:on
} }
// tag::customizer[]
<T> Customizer<T> yourCustomAuthorization() {
return (t) -> {
};
}
// end::customizer[]
} }
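Review bot: The new `yourCustomAuthorization()` placeholder returns a customizer that registers no request mapping, and if I recall correctly Spring Security's `ExpressionUrlAuthorizationConfigurer` asserts at build time that at least one mapping exists, so `h2ConsoleSecurityFilterChain` would compile but fail on startup if this sample were ever run as-is. The snippet is included in the docs with `tag=!customizer`, so the placeholder is invisible to readers of the rendered page, but readers of this source file are not told it must be replaced; a comment inside the lambda such as `// placeholder only: replace with real rules, e.g. requests.anyRequest().authenticated()` would make that explicit. It would also help to say on the method why `csrf.disable()` and `frameOptions().sameOrigin()` are acceptable here, e.g. `// Safe only because requestMatcher(PathRequest.toH2Console()) confines this chain to the console path`, since a reader removing the matcher silently widens both relaxations to the whole application. The enclosing `DevProfileSecurityConfiguration` class starts outside this hunk.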


@ -1,5 +1,5 @@
/* /*
* Copyright 2012-2021 the original author or authors. * Copyright 2012-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -27,7 +27,7 @@ public class MySecurityConfig {
@Bean @Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// Customize the application security ... // Customize the application security ...
http.requiresChannel().anyRequest().requiresSecure(); http.requiresChannel((channel) -> channel.anyRequest().requiresSecure());
return http.build(); return http.build();
} }


@ -30,7 +30,7 @@ public class MyConfiguration {
@Bean @Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated(); http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
return http.build(); return http.build();
} }


@ -26,7 +26,7 @@ public class MySecurityConfiguration {
@Bean @Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated(); http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
return http.build(); return http.build();
} }


@ -26,8 +26,8 @@ public class MyOAuthClientConfiguration {
@Bean @Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated(); http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.oauth2Login().redirectionEndpoint().baseUri("custom-callback"); http.oauth2Login((login) -> login.redirectionEndpoint().baseUri("custom-callback"));
return http.build(); return http.build();
} }


@ -22,16 +22,18 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.SecurityWebFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;
@Configuration(proxyBeanMethods = false) @Configuration(proxyBeanMethods = false)
public class MyWebFluxSecurityConfiguration { public class MyWebFluxSecurityConfiguration {
@Bean @Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http.authorizeExchange((spec) -> { http.authorizeExchange((exchange) -> {
spec.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll(); exchange.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
spec.pathMatchers("/foo", "/bar").authenticated(); exchange.pathMatchers("/foo", "/bar").authenticated();
}); });
http.formLogin(); http.formLogin(withDefaults());
return http.build(); return http.build();
} }


@ -16,12 +16,12 @@
package org.springframework.boot.docs.data.sql.h2webconsole.springsecurity package org.springframework.boot.docs.data.sql.h2webconsole.springsecurity
import org.springframework.boot.autoconfigure.security.servlet.PathRequest
import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Configuration
import org.springframework.context.annotation.Profile import org.springframework.context.annotation.Profile
import org.springframework.core.Ordered import org.springframework.core.Ordered
import org.springframework.core.annotation.Order import org.springframework.core.annotation.Order
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.web.SecurityFilterChain import org.springframework.security.web.SecurityFilterChain
@ -32,10 +32,16 @@ class DevProfileSecurityConfiguration {
@Bean @Bean
@Order(Ordered.HIGHEST_PRECEDENCE) @Order(Ordered.HIGHEST_PRECEDENCE)
fun h2ConsoleSecurityFilterChain(http: HttpSecurity): SecurityFilterChain { fun h2ConsoleSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
return http.requestMatcher(PathRequest.toH2Console()) return http.authorizeHttpRequests(yourCustomAuthorization())
.csrf().disable() .csrf().disable()
.headers().frameOptions().sameOrigin().and() .headers().frameOptions().sameOrigin().and()
.build() .build()
} }
// tag::customizer[]
private fun <T> yourCustomAuthorization(): Customizer<T> {
return Customizer.withDefaults<T>()
}
// end::customizer[]
} }
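Review bot: The rewritten `h2ConsoleSecurityFilterChain` drops `http.requestMatcher(PathRequest.toH2Console())` (and the `PathRequest` import above it), so this `@Order(Ordered.HIGHEST_PRECEDENCE)` chain now matches every request and disables CSRF and relaxes frame options for the whole application whenever the dev profile is active, instead of only for the H2 console; the Java counterpart in this same commit keeps the matcher. The Kotlin sample also switches to `authorizeHttpRequests` while the Java sample uses `authorizeRequests`, so the two snippets the documentation presents as equivalent no longer are. Suggested first line: `return http.requestMatcher(PathRequest.toH2Console()).authorizeRequests(yourCustomAuthorization())` with the import restored. Note too that `Customizer.withDefaults<T>()` registers no mapping, and if I recall correctly Spring Security rejects an authorize configurer with no mappings at build time, so a `// placeholder: replace with real rules` comment on `yourCustomAuthorization` would warn readers of the source. The enclosing `DevProfileSecurityConfiguration` class starts outside this hunk.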