commit
72dd51ae0b
|
@ -337,7 +337,7 @@ More information on {spring-security-docs}/features/exploits/csrf.html[CSRF] and
|
||||||
|
|
||||||
In simple setups, a `SecurityFilterChain` like the following can be used:
|
In simple setups, a `SecurityFilterChain` like the following can be used:
|
||||||
|
|
||||||
include::code:DevProfileSecurityConfiguration[]
|
include::code:DevProfileSecurityConfiguration[tag=!customizer]
|
||||||
|
|
||||||
WARNING: The H2 console is only intended for use during development.
|
WARNING: The H2 console is only intended for use during development.
|
||||||
In production, disabling CSRF protection or allowing frames for a website may create severe security risks.
|
In production, disabling CSRF protection or allowing frames for a website may create severe security risks.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2012-2021 the original author or authors.
|
* Copyright 2012-2022 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -27,8 +27,8 @@ public class MySecurityConfiguration {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
http.requestMatcher(EndpointRequest.toAnyEndpoint())
|
http.requestMatcher(EndpointRequest.toAnyEndpoint());
|
||||||
.authorizeRequests((requests) -> requests.anyRequest().permitAll());
|
http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
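Review bot: `requests.anyRequest().permitAll()` paired with `EndpointRequest.toAnyEndpoint()` lets unauthenticated callers reach every actuator endpoint that is web-exposed, and the sample says nothing about that precondition. A comment above the `authorizeRequests` call should state it, e.g. `// Only safe when management.endpoints.web.exposure.include is limited to non-sensitive endpoints`, so readers do not copy this chain into an application that also exposes endpoints such as env or heapdump. The method is fully inside the hunk; the class header is not.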
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2012-2021 the original author or authors.
|
* Copyright 2012-2022 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -22,14 +22,16 @@ import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.web.SecurityFilterChain;
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
|
|
||||||
|
import static org.springframework.security.config.Customizer.withDefaults;
|
||||||
|
|
||||||
@Configuration(proxyBeanMethods = false)
|
@Configuration(proxyBeanMethods = false)
|
||||||
public class MySecurityConfiguration {
|
public class MySecurityConfiguration {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
http.requestMatcher(EndpointRequest.toAnyEndpoint())
|
http.requestMatcher(EndpointRequest.toAnyEndpoint());
|
||||||
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
|
http.authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
|
||||||
http.httpBasic();
|
http.httpBasic(withDefaults());
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -22,6 +22,7 @@ import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.context.annotation.Profile;
|
import org.springframework.context.annotation.Profile;
|
||||||
import org.springframework.core.Ordered;
|
import org.springframework.core.Ordered;
|
||||||
import org.springframework.core.annotation.Order;
|
import org.springframework.core.annotation.Order;
|
||||||
|
import org.springframework.security.config.Customizer;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.web.SecurityFilterChain;
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
|
|
||||||
|
@ -32,13 +33,18 @@ public class DevProfileSecurityConfiguration {
|
||||||
@Bean
|
@Bean
|
||||||
@Order(Ordered.HIGHEST_PRECEDENCE)
|
@Order(Ordered.HIGHEST_PRECEDENCE)
|
||||||
SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
|
SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
|
||||||
// @formatter:off
|
http.requestMatcher(PathRequest.toH2Console());
|
||||||
return http.requestMatcher(PathRequest.toH2Console())
|
http.authorizeRequests(yourCustomAuthorization());
|
||||||
// ... configuration for authorization
|
http.csrf((csrf) -> csrf.disable());
|
||||||
.csrf().disable()
|
http.headers((headers) -> headers.frameOptions().sameOrigin());
|
||||||
.headers().frameOptions().sameOrigin().and()
|
return http.build();
|
||||||
.build();
|
|
||||||
// @formatter:on
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// tag::customizer[]
|
||||||
|
<T> Customizer<T> yourCustomAuthorization() {
|
||||||
|
return (t) -> {
|
||||||
|
};
|
||||||
|
}
|
||||||
|
// end::customizer[]
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
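Review bot: `yourCustomAuthorization()` returns a customizer whose body is empty, so as written `http.authorizeRequests(yourCustomAuthorization())` registers no access rule while the same chain disables CSRF and allows same-origin framing for the H2 console path; the doc include uses `tag=!customizer`, so readers never see that the placeholder has to be filled in. A comment at the call site should make the requirement explicit, e.g. `// Must restrict who can reach the console, e.g. requests.anyRequest().hasRole("ADMIN")`, and the empty lambda could carry `// placeholder: real authorization rules go here`. Whether Spring Security rejects an empty rule set when the chain is built or lets requests through I cannot confirm from the hunk; either way the sample should not read as complete. The class header with its profile annotation is outside the hunk.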
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2012-2021 the original author or authors.
|
* Copyright 2012-2022 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -27,7 +27,7 @@ public class MySecurityConfig {
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
// Customize the application security ...
|
// Customize the application security ...
|
||||||
http.requiresChannel().anyRequest().requiresSecure();
|
http.requiresChannel((channel) -> channel.anyRequest().requiresSecure());
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
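Review bot: `channel.anyRequest().requiresSecure()` decides on the scheme the servlet container reports, so behind a TLS-terminating proxy or load balancer it can redirect in a loop unless forwarded headers are honoured (for example via `server.forward-headers-strategy` or the proxy's own configuration); the sample gives no hint of this. A one-line comment such as `// Behind a TLS-terminating proxy, forwarded headers must be trusted or every request is redirected again` would spare readers that loop. The method body is fully inside the hunk; the class header is not.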
|
@ -30,7 +30,7 @@ public class MyConfiguration {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
http.authorizeRequests().anyRequest().authenticated();
|
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ public class MySecurityConfiguration {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
http.authorizeRequests().anyRequest().authenticated();
|
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -26,8 +26,8 @@ public class MyOAuthClientConfiguration {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
http.authorizeRequests().anyRequest().authenticated();
|
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
|
||||||
http.oauth2Login().redirectionEndpoint().baseUri("custom-callback");
|
http.oauth2Login((login) -> login.redirectionEndpoint().baseUri("custom-callback"));
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
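Review bot: `baseUri("custom-callback")` has no leading slash; if, as I believe, the redirection endpoint filter matches this value as a path pattern against the request path (its default is `/login/oauth2/code/*`), a pattern without `/` would never match and the callback would not be processed — worth verifying, and `"/custom-callback"` is the unambiguous form. The sample should also note that the `redirect-uri` registered with the provider and in `spring.security.oauth2.client.registration.*.redirect-uri` must use the same path, otherwise the provider's callback lands on an unmatched URL. The method is fully inside the hunk; the class header is not.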
|
@ -22,16 +22,18 @@ import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
import org.springframework.security.config.web.server.ServerHttpSecurity;
|
||||||
import org.springframework.security.web.server.SecurityWebFilterChain;
|
import org.springframework.security.web.server.SecurityWebFilterChain;
|
||||||
|
|
||||||
|
import static org.springframework.security.config.Customizer.withDefaults;
|
||||||
|
|
||||||
@Configuration(proxyBeanMethods = false)
|
@Configuration(proxyBeanMethods = false)
|
||||||
public class MyWebFluxSecurityConfiguration {
|
public class MyWebFluxSecurityConfiguration {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
||||||
http.authorizeExchange((spec) -> {
|
http.authorizeExchange((exchange) -> {
|
||||||
spec.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
|
exchange.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
|
||||||
spec.pathMatchers("/foo", "/bar").authenticated();
|
exchange.pathMatchers("/foo", "/bar").authenticated();
|
||||||
});
|
});
|
||||||
http.formLogin();
|
http.formLogin(withDefaults());
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
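Review bot: the `authorizeExchange` block lists only the static-resource locations (`permitAll`) and `/foo`, `/bar` (`authenticated`); what happens to every other path is left implicit, and a reader cannot tell from the sample whether the default is deny or allow. Ending the block with `exchange.anyExchange().authenticated();` (or `denyAll()`) makes the default explicit and is the safer teaching example; at a minimum a comment should state what unmatched exchanges get. The method is fully inside the hunk; the class header is not.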
|
@ -16,12 +16,12 @@
|
||||||
|
|
||||||
package org.springframework.boot.docs.data.sql.h2webconsole.springsecurity
|
package org.springframework.boot.docs.data.sql.h2webconsole.springsecurity
|
||||||
|
|
||||||
import org.springframework.boot.autoconfigure.security.servlet.PathRequest
|
|
||||||
import org.springframework.context.annotation.Bean
|
import org.springframework.context.annotation.Bean
|
||||||
import org.springframework.context.annotation.Configuration
|
import org.springframework.context.annotation.Configuration
|
||||||
import org.springframework.context.annotation.Profile
|
import org.springframework.context.annotation.Profile
|
||||||
import org.springframework.core.Ordered
|
import org.springframework.core.Ordered
|
||||||
import org.springframework.core.annotation.Order
|
import org.springframework.core.annotation.Order
|
||||||
|
import org.springframework.security.config.Customizer
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
||||||
import org.springframework.security.web.SecurityFilterChain
|
import org.springframework.security.web.SecurityFilterChain
|
||||||
|
|
||||||
|
@ -32,10 +32,16 @@ class DevProfileSecurityConfiguration {
|
||||||
@Bean
|
@Bean
|
||||||
@Order(Ordered.HIGHEST_PRECEDENCE)
|
@Order(Ordered.HIGHEST_PRECEDENCE)
|
||||||
fun h2ConsoleSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
|
fun h2ConsoleSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
return http.requestMatcher(PathRequest.toH2Console())
|
return http.authorizeHttpRequests(yourCustomAuthorization())
|
||||||
.csrf().disable()
|
.csrf().disable()
|
||||||
.headers().frameOptions().sameOrigin().and()
|
.headers().frameOptions().sameOrigin().and()
|
||||||
.build()
|
.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// tag::customizer[]
|
||||||
|
private fun <T> yourCustomAuthorization(): Customizer<T> {
|
||||||
|
return Customizer.withDefaults<T>()
|
||||||
|
}
|
||||||
|
// end::customizer[]
|
||||||
|
|
||||||
}
|
}
|
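Review bot: the Kotlin `h2ConsoleSecurityFilterChain` no longer calls `requestMatcher(PathRequest.toH2Console())` — the new chain starts at `http.authorizeHttpRequests(yourCustomAuthorization())` and the `PathRequest` import was removed — so this `@Order(Ordered.HIGHEST_PRECEDENCE)` chain now applies to every request and disables CSRF and permits same-origin framing for the whole application, not just the console. The Java version of the same sample in this commit keeps `http.requestMatcher(PathRequest.toH2Console())` and uses `authorizeRequests`, so the two samples also diverge. Restore the matcher as the first call, `return http.requestMatcher(PathRequest.toH2Console())` followed by `.authorizeHttpRequests(yourCustomAuthorization())`, and bring back `import org.springframework.boot.autoconfigure.security.servlet.PathRequest`. The placeholder `Customizer.withDefaults<T>()` registers no access rule either, which a comment should flag as something the reader must replace. The class header with its profile annotation is outside the hunk.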