Commit a714ba4

Update documentation containing examples of WebSecurityConfigurerAdapter
Closes gh-24551
1 parent 33dda3a commit a714ba4

3 files changed

+34
-45
lines changed

spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc

Lines changed: 6 additions & 10 deletions
Original file line number | Diff line number | Diff line change
@@ -2434,19 +2434,15 @@ You can switch on the valve by adding some entries to `application.properties`,
24342434
(The presence of either of those properties switches on the valve.
24352435
Alternatively, you can add the `RemoteIpValve` by adding a `TomcatServletWebServerFactory` bean.)
24362436

2437-
To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `WebSecurityConfigurerAdapter` that adds the following `HttpSecurity` configuration:
2437+
To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `SecurityFilterChain` bean that adds the following `HttpSecurity` configuration:
24382438

24392439
[source,java,indent=0,subs="verbatim,quotes,attributes"]
24402440
----
2441-
@Configuration(proxyBeanMethods = false)
2442-
public class SslWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
2443-
2444-
@Override
2445-
protected void configure(HttpSecurity http) throws Exception {
2446-
// Customize the application security
2447-
http.requiresChannel().anyRequest().requiresSecure();
2448-
}
2449-
2441+
@Bean
2442+
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
2443+
// Customize the application security
2444+
http.requiresChannel().anyRequest().requiresSecure();
2445+
return http.build();
24502446
}
24512447
----
24522448
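Review bot: The new snippet at lines 2441-2446 is a bare `@Bean` method, and the removed `@Configuration(proxyBeanMethods = false)` class declaration has no replacement, so the example no longer shows where the method is declared. Suggest keeping a small `@Configuration(proxyBeanMethods = false)` class around it, or saying in the sentence at line 2437 that the bean belongs in a configuration class. The chain shown sets only `requiresChannel()`, and the comment `// Customize the application security` is the only hint that authorization rules still have to be added to it; a sentence stating that outright would help.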

spring-boot-project/spring-boot-docs/src/docs/asciidoc/production-ready-features.adoc

Lines changed: 14 additions & 19 deletions
@@ -359,16 +359,12 @@ A typical Spring Security configuration might look something like the following
359359

360360
[source,java,indent=0]
361361
----
362-
@Configuration(proxyBeanMethods = false)
363-
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
364-
365-
@Override
366-
protected void configure(HttpSecurity http) throws Exception {
367-
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
368-
requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
369-
http.httpBasic();
370-
}
371-
362+
@Bean
363+
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
364+
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
365+
requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
366+
http.httpBasic();
367+
return http.build();
372368
}
373369
----
374370
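Review bot: The bean method at line 363 is named `securityFilterChain`, the same name every other snippet in this commit uses, although this chain is limited to `EndpointRequest.toAnyEndpoint()`. A reader who copies it next to an application-wide chain ends up with two bean methods of the same name; suggest a specific name such as `actuatorSecurityFilterChain`, which also keeps the intent that the removed `ActuatorSecurity` class name carried.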

@@ -392,18 +388,17 @@ Additionally, if Spring Security is present, you would need to add custom securi
392388

393389
[source,java,indent=0]
394390
----
395-
@Configuration(proxyBeanMethods = false)
396-
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
397-
398-
@Override
399-
protected void configure(HttpSecurity http) throws Exception {
400-
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
391+
@Bean
392+
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
393+
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
401394
requests.anyRequest().permitAll());
402-
}
403-
404-
}
395+
return http.build();
396+
}
405397
----
406398

399+
NOTE: In both the examples above, the configuration applies only to the actuator endpoints.
400+
Since Spring Boot's security configuration backs off completely in the presence of any `SecurityFilterChain` bean, you will need to configure an additional `SecurityFilterChain` bean with rules that apply to the rest of the application.
401+
407402

408403

409404
[[production-ready-endpoints-caching]]
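Review bot: The NOTE at lines 399-400 tells readers to add a second `SecurityFilterChain` bean but says nothing about how the two chains are ordered. Spring Security applies the first chain whose matcher accepts the request, so an application-wide chain without a `requestMatcher` has to be ordered after the actuator chain, otherwise the `EndpointRequest.toAnyEndpoint()` rules (including the `permitAll()` at line 394) are never consulted; suggest mentioning `@Order` in the NOTE. Minor wording: "In both the examples above" reads better as "In both of the examples above".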

spring-boot-project/spring-boot-docs/src/docs/asciidoc/spring-boot-features.adoc

Lines changed: 14 additions & 16 deletions
@@ -3695,11 +3695,11 @@ You can provide a different `AuthenticationEventPublisher` by adding a bean for
36953695
=== MVC Security
36963696
The default security configuration is implemented in `SecurityAutoConfiguration` and `UserDetailsServiceAutoConfiguration`.
36973697
`SecurityAutoConfiguration` imports `SpringBootWebSecurityConfiguration` for web security and `UserDetailsServiceAutoConfiguration` configures authentication, which is also relevant in non-web applications.
3698-
To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth 2 Client and Resource Server, add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
3698+
To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, add a bean of type `SecurityFilterChain` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
36993699

37003700
To also switch off the `UserDetailsService` configuration, you can add a bean of type `UserDetailsService`, `AuthenticationProvider`, or `AuthenticationManager`.
37013701

3702-
Access rules can be overridden by adding a custom `WebSecurityConfigurerAdapter`.
3702+
Access rules can be overridden by adding a custom `SecurityFilterChain` or `WebSecurityConfigurerAdapter` bean.
37033703
Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources.
37043704
`EndpointRequest` can be used to create a `RequestMatcher` that is based on the configprop:management.endpoints.web.base-path[] property.
37053705
`PathRequest` can be used to create a `RequestMatcher` for resources in commonly used locations.
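Review bot: Lines 3698 and 3702 now disagree about `WebSecurityConfigurerAdapter`: line 3698 names only `SecurityFilterChain` as the bean type that switches off the default web security configuration, while line 3702 says access rules can be overridden with a custom `SecurityFilterChain` or `WebSecurityConfigurerAdapter` bean. Readers with an existing adapter cannot tell from line 3698 whether it still makes the defaults back off; suggest naming both types in both sentences or only the new one in both. The "OAuth 2" to "OAuth2" change at line 3698 is unrelated to the commit subject and could be called out in the message.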
@@ -3800,23 +3800,21 @@ The following example shows how an OpenID Connect Provider can be configured wit
38003800

38013801
By default, Spring Security's `OAuth2LoginAuthenticationFilter` only processes URLs matching `/login/oauth2/code/*`.
38023802
If you want to customize the `redirect-uri` to use a different pattern, you need to provide configuration to process that custom pattern.
3803-
For example, for servlet applications, you can add your own `WebSecurityConfigurerAdapter` that resembles the following:
3803+
For example, for servlet applications, you can add your own `SecurityFilterChain` that resembles the following:
38043804

38053805
[source,java,indent=0]
38063806
----
3807-
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
3808-
3809-
@Override
3810-
protected void configure(HttpSecurity http) throws Exception {
3811-
http
3812-
.authorizeRequests()
3813-
.anyRequest().authenticated()
3814-
.and()
3815-
.oauth2Login()
3816-
.redirectionEndpoint()
3817-
.baseUri("/custom-callback");
3818-
}
3819-
}
3807+
@Bean
3808+
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
3809+
http
3810+
.authorizeRequests()
3811+
.anyRequest().authenticated()
3812+
.and()
3813+
.oauth2Login()
3814+
.redirectionEndpoint()
3815+
.baseUri("/custom-callback");
3816+
return http.build();
3817+
}
38203818
----
38213819

38223820
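Review bot: Line 3803 says "add your own `SecurityFilterChain`" while the matching sentence in howto.adoc says "`SecurityFilterChain` bean"; suggest adding "bean" here so the docs are consistent and it is clear that the method at lines 3807-3817 has to be registered in a configuration class, since the removed `OAuth2LoginSecurityConfig` class has no replacement in the snippet. Style point: this example keeps the `.authorizeRequests()` / `.and()` chaining, whereas the actuator snippets in production-ready-features.adoc use the lambda form `authorizeRequests((requests) -> ...)`; picking one form across the three files would read better.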
