From 39a7b9da38756a77d38c9bd6c56e6da194a87d62 Mon Sep 17 00:00:00 2001 From: Madhura Bhave Date: Fri, 26 Jul 2019 14:41:49 -0700 Subject: [PATCH] Switch to lambda style security configuration Closes gh-17525 --- ...anagementWebSecurityAutoConfiguration.java | 14 ++++++++--- ...anagementWebSecurityConfigurerAdapter.java | 11 +++++++-- ...mentWebSecurityAutoConfigurationTests.java | 18 ++++++++------ ...stractEndpointRequestIntegrationTests.java | 8 +++++-- ...mentWebSecurityAutoConfigurationTests.java | 5 ++-- .../OAuth2WebSecurityConfiguration.java | 4 +++- ...eOAuth2ResourceServerJwkConfiguration.java | 7 +++--- ...esourceServerOpaqueTokenConfiguration.java | 5 ++-- .../OAuth2ResourceServerJwtConfiguration.java | 4 +++- ...esourceServerOpaqueTokenConfiguration.java | 4 +++- ...2ResourceServerAutoConfigurationTests.java | 5 ++-- .../asciidoc/production-ready-features.adoc | 10 ++++---- ...tClientSpringBootTestIntegrationTests.java | 4 ++-- .../customsecurity/SecurityConfiguration.java | 20 ++++++++-------- ...anagementPortSampleSecureWebFluxTests.java | 17 +++++++++---- ...ampleSecureWebFluxCustomSecurityTests.java | 18 ++++++++++---- .../SampleMethodSecurityApplication.java | 24 +++++++------------ .../SampleWebSecureCustomApplication.java | 10 ++++++-- .../jdbc/SampleWebSecureJdbcApplication.java | 9 +++++-- .../secure/SampleWebSecureApplication.java | 15 ++++++------ 20 files changed, 133 insertions(+), 79 deletions(-) diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java index ef0c3273735..c2617e9c452 100644 
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java @@ -32,6 +32,7 @@ import org.springframework.boot.autoconfigure.security.oauth2.resource.reactive. import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity; import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.web.server.SecurityWebFilterChain; @@ -56,9 +57,16 @@ import org.springframework.security.web.server.WebFilterChainProxy; public class ReactiveManagementWebSecurityAutoConfiguration { @Bean - public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { - return http.authorizeExchange().matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)) - .permitAll().anyExchange().authenticated().and().httpBasic().and().formLogin().and().build(); + public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception { + // @formatter:off + http.authorizeExchange((exchanges) -> + exchanges + .matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll() + .anyExchange().authenticated()) + .httpBasic(Customizer.withDefaults()) + .formLogin(Customizer.withDefaults()); + // @formatter:on + return http.build(); } } 
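Review bot: `springSecurityFilterChain` is a public `@Bean` method on a public auto-configuration class, and the new signature adds `throws Exception`, so any code that calls it directly now has to handle a checked exception. Presumably the lambda overloads on `ServerHttpSecurity` declare it in the Spring Security version this builds against. If so, a one-line comment such as `// throws Exception only because the lambda DSL methods declare it` would tell the next maintainer the clause can go once they stop doing so. The same widening is applied to the reactive OAuth2 resource-server beans and to the reactive test and smoke-test beans later in this patch.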
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java index 8018688baad..c416e7e28e1 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java @@ -19,6 +19,7 @@ package org.springframework.boot.actuate.autoconfigure.security.servlet; import org.springframework.boot.actuate.health.HealthEndpoint; import org.springframework.boot.actuate.info.InfoEndpoint; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @@ -39,8 +40,14 @@ class ManagementWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapte @Override protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests().requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)) - .permitAll().anyRequest().authenticated().and().formLogin().and().httpBasic(); + // @formatter:off + http.authorizeRequests((requests) -> + requests + .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll() + .anyRequest().authenticated()) + .formLogin(Customizer.withDefaults()) + .httpBasic(Customizer.withDefaults()); + // @formatter:on } } 
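Review bot: The rewritten `configure` carries no comment stating the access policy it sets up, although this adapter appears to supply the servlet chain when actuator security is auto-configured. From the hunk, `HealthEndpoint` and `InfoEndpoint` are `permitAll()`, every other request is `authenticated()`, and both form login and HTTP Basic are enabled. A comment above the chain, for example `// Health and info are reachable without authentication; every other request requires it.`, would make that exposure explicit, unless the class Javadoc (outside this hunk) already says so. The reactive counterpart earlier in the patch sets up the same policy and would benefit from the same line.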
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java index 21cdb242449..61a798f62e9 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java @@ -47,6 +47,7 @@ import org.springframework.http.server.reactive.ServerHttpResponse; import org.springframework.mock.http.server.reactive.MockServerHttpRequest; import org.springframework.mock.http.server.reactive.MockServerHttpResponse; import org.springframework.security.authentication.ReactiveAuthenticationManager; +import org.springframework.security.config.Customizer; import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.WebFilterChainProxy; 
@@ -163,9 +164,11 @@ class ReactiveManagementWebSecurityAutoConfigurationTests { static class CustomSecurityConfiguration { @Bean - SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { - return http.authorizeExchange().pathMatchers("/foo").permitAll().anyExchange().authenticated().and() - .formLogin().and().build(); + SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception { + return http + .authorizeExchange( + (exchanges) -> exchanges.pathMatchers("/foo").permitAll().anyExchange().authenticated()) + .formLogin(Customizer.withDefaults()).build(); } } @@ -179,7 +182,7 @@ class ReactiveManagementWebSecurityAutoConfigurationTests { } @Bean - WebFilterChainProxy webFilterChainProxy(ServerHttpSecurity http) { + WebFilterChainProxy webFilterChainProxy(ServerHttpSecurity http) throws Exception { return new WebFilterChainProxy(getFilterChains(http)); } @@ -190,9 +193,10 @@ class ReactiveManagementWebSecurityAutoConfigurationTests { return httpSecurity; } - private List getFilterChains(ServerHttpSecurity http) { - return Collections.singletonList( - http.authorizeExchange().anyExchange().authenticated().and().formLogin().and().build()); + private List getFilterChains(ServerHttpSecurity http) throws Exception { + return Collections + .singletonList(http.authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated()) + .formLogin(Customizer.withDefaults()).build()); } static class TestServerHttpSecurity extends ServerHttpSecurity implements ApplicationContextAware { diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java index 02ed86edeef..5c16496d799 100644 
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java @@ -167,10 +167,14 @@ abstract class AbstractEndpointRequestIntegrationTests { return new WebSecurityConfigurerAdapter() { @Override protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests().requestMatchers(EndpointRequest.toLinks()).permitAll() + // @formatter:off + http.authorizeRequests((requests) -> requests + .requestMatchers(EndpointRequest.toLinks()).permitAll() .requestMatchers(EndpointRequest.to(TestEndpoint1.class)).permitAll() .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest() - .hasRole("ADMIN").and().httpBasic(); + .hasRole("ADMIN")) + .httpBasic(); + // @formatter:on } }; } diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java index 274cb8ff9c2..f20f1c68dee 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java 
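Review bot: The chain still ends with the old no-argument `.httpBasic();`, so the lambda style this commit switches to covers only part of the statement. It behaves the same because the result of the last call is discarded, but a reader cannot tell whether the omission is deliberate; `.httpBasic(Customizer.withDefaults());` would be consistent, at the cost of a `Customizer` import that this file's hunks do not add. The same trailing `.httpBasic()` or `.oauth2Client()` is left in ManagementWebSecurityAutoConfigurationTests, OAuth2WebSecurityConfiguration, ReactiveOAuth2ResourceServerAutoConfigurationTests, the custom-security SecurityConfiguration, ManagementPortSampleSecureWebFluxTests and SampleMethodSecurityApplication. While here, `.anyRequest()` is left hanging at the end of the `toAnyEndpoint()` line with `.hasRole("ADMIN")` on the next; in a hand-formatted block one rule per line reads better. The enclosing bean method starts outside the hunk.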
@@ -37,6 +37,7 @@ import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockServletContext; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.FilterChainProxy; @@ -126,8 +127,8 @@ class ManagementWebSecurityAutoConfigurationTests { @Override protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests().antMatchers("/foo").permitAll().anyRequest().authenticated().and().formLogin() - .and().httpBasic(); + http.authorizeRequests((requests) -> requests.antMatchers("/foo").permitAll().anyRequest().authenticated()) + .formLogin(Customizer.withDefaults()).httpBasic(); } } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java index 8b77628c497..5ef96011f79 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java 
@@ -20,6 +20,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService; @@ -56,7 +57,8 @@ class OAuth2WebSecurityConfiguration { @Override protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests().anyRequest().authenticated().and().oauth2Login().and().oauth2Client(); + http.authorizeRequests((requests) -> requests.anyRequest().authenticated()) + .oauth2Login(Customizer.withDefaults()).oauth2Client(); } } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration.java index 46342ca6078..04ad7e622b8 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration.java 
@@ -89,9 +89,10 @@ class ReactiveOAuth2ResourceServerJwkConfiguration { @Bean @ConditionalOnBean(ReactiveJwtDecoder.class) - SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, ReactiveJwtDecoder jwtDecoder) { - http.authorizeExchange().anyExchange().authenticated().and().oauth2ResourceServer().jwt() - .jwtDecoder(jwtDecoder); + SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, ReactiveJwtDecoder jwtDecoder) + throws Exception { + http.authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated()) + .oauth2ResourceServer((server) -> server.jwt((jwt) -> jwt.jwtDecoder(jwtDecoder))); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.java index ab37be7253e..f52d03df278 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.java 
@@ -57,8 +57,9 @@ class ReactiveOAuth2ResourceServerOpaqueTokenConfiguration { @Bean @ConditionalOnBean(ReactiveOAuth2TokenIntrospectionClient.class) - SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { - http.authorizeExchange().anyExchange().authenticated().and().oauth2ResourceServer().opaqueToken(); + SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception { + http.authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated()) + .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken); return http.build(); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java index 6a0f30dc5b7..48556c5bf43 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java 
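Review bot: `.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)` passes a method reference where the sibling JWK configuration in this patch uses a lambda, and the reference hides that `opaqueToken()` is called only for its side effect. A lambda, `.oauth2ResourceServer((server) -> server.opaqueToken())`, would match the rest of the patch. The servlet OAuth2ResourceServerJwtConfiguration and OAuth2ResourceServerOpaqueTokenConfiguration and SampleWebSecureCustomApplication do the same with `OAuth2ResourceServerConfigurer::jwt`, `OAuth2ResourceServerConfigurer::opaqueToken` and `LogoutConfigurer::permitAll`, each adding an import that a lambda would not need.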
@@ -31,6 +31,7 @@ import org.springframework.context.annotation.Conditional; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer; import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm; import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.JwtDecoders; @@ -95,7 +96,8 @@ class OAuth2ResourceServerJwtConfiguration { return new WebSecurityConfigurerAdapter() { @Override protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests().anyRequest().authenticated().and().oauth2ResourceServer().jwt(); + http.authorizeRequests((requests) -> requests.anyRequest().authenticated()) + .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); } }; } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java index 8eb5fe2788e..2e339b4932d 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java 
@@ -23,6 +23,7 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer; import org.springframework.security.oauth2.server.resource.introspection.NimbusOAuth2TokenIntrospectionClient; import org.springframework.security.oauth2.server.resource.introspection.OAuth2TokenIntrospectionClient; @@ -60,7 +61,8 @@ class OAuth2ResourceServerOpaqueTokenConfiguration { return new WebSecurityConfigurerAdapter() { @Override protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests().anyRequest().authenticated().and().oauth2ResourceServer().opaqueToken(); + http.authorizeRequests((requests) -> requests.anyRequest().authenticated()) + .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken); } }; } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java index 07c08abdb02..7e17bc49497 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java 
@@ -375,8 +375,9 @@ class ReactiveOAuth2ResourceServerAutoConfigurationTests { static class SecurityWebFilterChainConfig { @Bean - SecurityWebFilterChain testSpringSecurityFilterChain(ServerHttpSecurity http) { - http.authorizeExchange().pathMatchers("/message/**").hasRole("ADMIN").anyExchange().authenticated().and() + SecurityWebFilterChain testSpringSecurityFilterChain(ServerHttpSecurity http) throws Exception { + http.authorizeExchange( + (exchanges) -> exchanges.pathMatchers("/message/**").hasRole("ADMIN").anyExchange().authenticated()) .httpBasic(); return http.build(); } diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc index 36ed2f2c3c9..8eaed843e1a 100644 --- a/spring-boot-project/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc +++ b/spring-boot-project/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc @@ -396,9 +396,9 @@ A typical Spring Security configuration might look something like the following @Override protected void configure(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests() - .anyRequest().hasRole("ENDPOINT_ADMIN") - .and() + http.requestMatcher(EndpointRequest.toAnyEndpoint()) + .authorizeRequests((requests) -> + requests.anyRequest().hasRole("ENDPOINT_ADMIN")) .httpBasic(); } @@ -432,8 +432,8 @@ following example: @Override protected void configure(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests() - .anyRequest().permitAll(); + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) -> + .anyRequest().permitAll()); } } 
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/reactive/webclient/WebTestClientSpringBootTestIntegrationTests.java b/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/reactive/webclient/WebTestClientSpringBootTestIntegrationTests.java index 6f30ee247e6..e2c6ff6cf68 100644 --- a/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/reactive/webclient/WebTestClientSpringBootTestIntegrationTests.java +++ b/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/reactive/webclient/WebTestClientSpringBootTestIntegrationTests.java @@ -67,8 +67,8 @@ class WebTestClientSpringBootTestIntegrationTests { static class TestConfiguration { @Bean - SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { - return http.authorizeExchange().anyExchange().permitAll().and().build(); + SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception { + return http.authorizeExchange((exchanges) -> exchanges.anyExchange().permitAll()).build(); } } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java index 011927e17f9..39461aa505e 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java 
@@ -21,6 +21,7 @@ import org.springframework.boot.actuate.web.mappings.MappingsEndpoint; import org.springframework.boot.autoconfigure.security.servlet.PathRequest; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; @@ -43,16 +44,15 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off - http.authorizeRequests() - .mvcMatchers("/actuator/beans").hasRole("BEANS") - .requestMatchers(EndpointRequest.to("health", "info")).permitAll() - .requestMatchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR") - .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll() - .antMatchers("/foo").permitAll() - .antMatchers("/**").hasRole("USER") - .and() - .cors() - .and() + http.authorizeRequests((requests) -> + requests + .mvcMatchers("/actuator/beans").hasRole("BEANS") + .requestMatchers(EndpointRequest.to("health", "info")).permitAll() + .requestMatchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR") + .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll() + .antMatchers("/foo").permitAll() + .antMatchers("/**").hasRole("USER")) + .cors(Customizer.withDefaults()) .httpBasic(); // @formatter:on } 
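Review bot: The rule list inside the lambda depends on declaration order, and nothing in the code says so. `mvcMatchers("/actuator/beans").hasRole("BEANS")` only takes effect because it sits above the `toAnyEndpoint()` rule, and `MappingsEndpoint`, being excluded from that rule, falls through to `antMatchers("/**").hasRole("USER")`. A comment above the list, for example `// First matching rule wins: keep specific matchers above toAnyEndpoint() and "/**"`, would stop a later reorder from silently widening access. The class body continues outside the hunk.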
diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/ManagementPortSampleSecureWebFluxTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/ManagementPortSampleSecureWebFluxTests.java index 48885b8c5df..a66476454c5 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/ManagementPortSampleSecureWebFluxTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/ManagementPortSampleSecureWebFluxTests.java @@ -90,11 +90,18 @@ class ManagementPortSampleSecureWebFluxTests { static class SecurityConfiguration { @Bean - SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { - return http.authorizeExchange().matchers(EndpointRequest.to("health", "info")).permitAll() - .matchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR") - .matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll().pathMatchers("/login") - .permitAll().anyExchange().authenticated().and().httpBasic().and().build(); + SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception { + // @formatter:off + http.authorizeExchange((exchanges) -> + exchanges + .matchers(EndpointRequest.to("health", "info")).permitAll() + .matchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR") + .matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll() + .pathMatchers("/login").permitAll() + .anyExchange().authenticated()) + .httpBasic(); + // @formatter:on + return http.build(); } } 
diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java index 5152f79a487..16de5894eb9 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java @@ -29,6 +29,7 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; +import org.springframework.security.config.Customizer; import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.core.userdetails.MapReactiveUserDetailsService; import org.springframework.security.core.userdetails.User; 
@@ -114,11 +115,18 @@ class SampleSecureWebFluxCustomSecurityTests { } @Bean - SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { - return http.authorizeExchange().matchers(EndpointRequest.to("health", "info")).permitAll() - .matchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR") - .matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll().pathMatchers("/login") - .permitAll().anyExchange().authenticated().and().httpBasic().and().build(); + SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception { + // @formatter:off + http.authorizeExchange((exchanges) -> + exchanges + .matchers(EndpointRequest.to("health", "info")).permitAll() + .matchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR") + .matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll() + .pathMatchers("/login").permitAll() + .anyExchange().authenticated()) + .httpBasic(Customizer.withDefaults()); + // @formatter:off + return http.build(); } } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java index e0e11521e68..1047e5af384 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java 
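Review bot: The hand-formatted block is closed with a second `// @formatter:off` instead of `// @formatter:on`, so formatting stays disabled from the chain to the end of the file. The comment line before `return http.build();` should read `// @formatter:on`, as it does in ManagementPortSampleSecureWebFluxTests, which has the same chain.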
@@ -73,15 +73,13 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 // @formatter:off
- http.authorizeRequests()
- .antMatchers("/login").permitAll()
- .anyRequest().fullyAuthenticated()
- .and()
- .formLogin().loginPage("/login").failureUrl("/login?error")
- .and()
- .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
- .and()
- .exceptionHandling().accessDeniedPage("/access?error");
+ http.authorizeRequests((requests) ->
+ requests
+ .antMatchers("/login").permitAll()
+ .anyRequest().fullyAuthenticated())
+ .formLogin((form) -> form.loginPage("/login").failureUrl("/login?error"))
+ .logout((logout) -> logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout")))
+ .exceptionHandling((exceptions) -> exceptions.accessDeniedPage("/access?error"));
 // @formatter:on
 }
@@ -93,12 +91,8 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- // @formatter:off
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
- .anyRequest().authenticated()
- .and()
- .httpBasic();
- // @formatter:on
+ http.requestMatcher(EndpointRequest.toAnyEndpoint())
+ .authorizeRequests((requests) -> requests.anyRequest().authenticated()).httpBasic();
 }
 }
diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java
index 74ce785f3c2..e331f1ca95a 100644
--- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java
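Review bot: The logout rule `logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))` uses the one-argument matcher, which matches any HTTP method, so a plain GET to `/logout` ends the session instead of only the POST that the default logout handling accepts while CSRF protection is on. The refactor carries this over from the old chain; nothing in the hunk shows CSRF being disabled, so this looks like a deliberate convenience for the sample. If so, say it next to the rule, e.g. `// any method may log out (sample convenience); the default would require POST with a CSRF token`, otherwise drop the custom matcher. The enclosing class starts outside the hunk.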
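Review bot: The actuator chain in the second hunk ends in `.httpBasic()`, still the pre-lambda form, although the commit's stated goal is lambda-style configuration and the other files use `httpBasic(Customizer.withDefaults())`. Suggest `.authorizeRequests((requests) -> requests.anyRequest().authenticated())` followed by `.httpBasic(Customizer.withDefaults());`, which needs `import org.springframework.security.config.Customizer;` since no import hunk for this file is visible in the diff. The hunk also drops the `// @formatter:off` / `// @formatter:on` guards that the neighbouring `configure` keeps, so the two methods in this file are now formatted differently.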
+++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java
@@ -24,6 +24,7 @@ import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -61,8 +62,13 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated().and()
- .formLogin().loginPage("/login").failureUrl("/login?error").permitAll().and().logout().permitAll();
+ // @formatter:off
+ http.authorizeRequests((requests) ->
+ requests
+ .antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated())
+ .formLogin((form) -> form.loginPage("/login").failureUrl("/login?error").permitAll())
+ .logout(LogoutConfigurer::permitAll);
+ // @formatter:on
 }
 }
diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java
index 57fa6e5c038..0aecccfc5d6 100644
--- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java
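Review bot: Inside the new `// @formatter:off` block both authorization rules sit on one line, `.antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated())`, which hides that the rules are evaluated in order and that the catch-all has to stay last. One rule per line, as the SampleWebSecureApplication hunk of this commit does, reads better: `.antMatchers("/css/**").permitAll()` and then `.anyRequest().fullyAuthenticated())`. The same applies to the SampleWebSecureJdbcApplication hunk, which additionally breaks the call differently (`http.authorizeRequests(` with the lambda on the following line). The class enclosing `configure` starts outside the hunk.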
+++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java
@@ -27,6 +27,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
 import org.springframework.security.provisioning.JdbcUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -65,8 +66,12 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated().and()
- .formLogin().loginPage("/login").failureUrl("/login?error").permitAll().and().logout().permitAll();
+ // @formatter:off
+ http.authorizeRequests(
+ (requests) -> requests.antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated())
+ .formLogin((form) -> form.loginPage("/login").failureUrl("/login?error").permitAll())
+ .logout(LogoutConfigurer::permitAll);
+ // @formatter:on
 }
 @Bean
diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/main/java/smoketest/web/secure/SampleWebSecureApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/main/java/smoketest/web/secure/SampleWebSecureApplication.java
index c6cd2a26298..a8ce04c7ff5 100644
--- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/main/java/smoketest/web/secure/SampleWebSecureApplication.java
+++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/main/java/smoketest/web/secure/SampleWebSecureApplication.java
@@ -25,6 +25,7 @@ import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -63,13 +64,13 @@ public class SampleWebSecureApplication implements WebMvcConfigurer {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 // @formatter:off
- http.authorizeRequests()
- .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
- .anyRequest().fullyAuthenticated()
- .and()
- .formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
- .and()
- .logout().permitAll();
+ http.authorizeRequests((requests) ->
+ requests
+ .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
+ .anyRequest().fullyAuthenticated())
+ .formLogin((form) ->
+ form.loginPage("/login").failureUrl("/login?error").permitAll())
+ .logout(LogoutConfigurer::permitAll);
 // @formatter:on
 }