Spring/spring-boot
Spring/spring-boot
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-boot.git synced 2024-08-29 03:06:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

Switch to lambda style security configuration

Browse Source 
Closes gh-17525
This commit is contained in:
Madhura Bhave 2019-07-26 14:41:49 -07:00
parent ed0f6e66ca
commit 39a7b9da38
20 changed files with 133 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java
View File

@ -32,6 +32,7 @@ import org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.
import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration; import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity; import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.SecurityWebFilterChain;
@ -56,9 +57,16 @@ import org.springframework.security.web.server.WebFilterChainProxy;
public class ReactiveManagementWebSecurityAutoConfiguration { public class ReactiveManagementWebSecurityAutoConfiguration {
@Bean @Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
return http.authorizeExchange().matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)) // @formatter:off
.permitAll().anyExchange().authenticated().and().httpBasic().and().formLogin().and().build(); http.authorizeExchange((exchanges) ->
exchanges
.matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
.anyExchange().authenticated())
.httpBasic(Customizer.withDefaults())
.formLogin(Customizer.withDefaults());
// @formatter:on
return http.build();
} }
} }

11
spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java
View File

@ -19,6 +19,7 @@ package org.springframework.boot.actuate.autoconfigure.security.servlet;
import org.springframework.boot.actuate.health.HealthEndpoint; import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint; import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@ -39,8 +40,14 @@ class ManagementWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapte
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)) // @formatter:off
.permitAll().anyRequest().authenticated().and().formLogin().and().httpBasic(); http.authorizeRequests((requests) ->
requests
.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
.anyRequest().authenticated())
.formLogin(Customizer.withDefaults())
.httpBasic(Customizer.withDefaults());
// @formatter:on
} }
} }

18
spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java
View File

@ -47,6 +47,7 @@ import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest; import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.http.server.reactive.MockServerHttpResponse; import org.springframework.mock.http.server.reactive.MockServerHttpResponse;
import org.springframework.security.authentication.ReactiveAuthenticationManager; import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainProxy; import org.springframework.security.web.server.WebFilterChainProxy;
@ -163,9 +164,11 @@ class ReactiveManagementWebSecurityAutoConfigurationTests {
static class CustomSecurityConfiguration { static class CustomSecurityConfiguration {
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
return http.authorizeExchange().pathMatchers("/foo").permitAll().anyExchange().authenticated().and() return http
.formLogin().and().build(); .authorizeExchange(
(exchanges) -> exchanges.pathMatchers("/foo").permitAll().anyExchange().authenticated())
.formLogin(Customizer.withDefaults()).build();
} }
} }
@ -179,7 +182,7 @@ class ReactiveManagementWebSecurityAutoConfigurationTests {
} }
@Bean @Bean
WebFilterChainProxy webFilterChainProxy(ServerHttpSecurity http) { WebFilterChainProxy webFilterChainProxy(ServerHttpSecurity http) throws Exception {
return new WebFilterChainProxy(getFilterChains(http)); return new WebFilterChainProxy(getFilterChains(http));
} }
@ -190,9 +193,10 @@ class ReactiveManagementWebSecurityAutoConfigurationTests {
return httpSecurity; return httpSecurity;
} }
private List<SecurityWebFilterChain> getFilterChains(ServerHttpSecurity http) { private List<SecurityWebFilterChain> getFilterChains(ServerHttpSecurity http) throws Exception {
return Collections.singletonList( return Collections
http.authorizeExchange().anyExchange().authenticated().and().formLogin().and().build()); .singletonList(http.authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated())
.formLogin(Customizer.withDefaults()).build());
} }
static class TestServerHttpSecurity extends ServerHttpSecurity implements ApplicationContextAware { static class TestServerHttpSecurity extends ServerHttpSecurity implements ApplicationContextAware {

8
spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java
View File

@ -167,10 +167,14 @@ abstract class AbstractEndpointRequestIntegrationTests {
return new WebSecurityConfigurerAdapter() { return new WebSecurityConfigurerAdapter() {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().requestMatchers(EndpointRequest.toLinks()).permitAll() // @formatter:off
http.authorizeRequests((requests) -> requests
.requestMatchers(EndpointRequest.toLinks()).permitAll()
.requestMatchers(EndpointRequest.to(TestEndpoint1.class)).permitAll() .requestMatchers(EndpointRequest.to(TestEndpoint1.class)).permitAll()
.requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest() .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest()
.hasRole("ADMIN").and().httpBasic(); .hasRole("ADMIN"))
.httpBasic();
// @formatter:on
} }
}; };
} }

5
spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java
View File

@ -37,6 +37,7 @@ import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletContext; import org.springframework.mock.web.MockServletContext;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy; import org.springframework.security.web.FilterChainProxy;
@ -126,8 +127,8 @@ class ManagementWebSecurityAutoConfigurationTests {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/foo").permitAll().anyRequest().authenticated().and().formLogin() http.authorizeRequests((requests) -> requests.antMatchers("/foo").permitAll().anyRequest().authenticated())
.and().httpBasic(); .formLogin(Customizer.withDefaults()).httpBasic();
} }
} }

4
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java
View File

@ -20,6 +20,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService; import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
@ -56,7 +57,8 @@ class OAuth2WebSecurityConfiguration {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated().and().oauth2Login().and().oauth2Client(); http.authorizeRequests((requests) -> requests.anyRequest().authenticated())
.oauth2Login(Customizer.withDefaults()).oauth2Client();
} }
} }

7
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration.java
View File

@ -89,9 +89,10 @@ class ReactiveOAuth2ResourceServerJwkConfiguration {
@Bean @Bean
@ConditionalOnBean(ReactiveJwtDecoder.class) @ConditionalOnBean(ReactiveJwtDecoder.class)
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, ReactiveJwtDecoder jwtDecoder) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, ReactiveJwtDecoder jwtDecoder)
http.authorizeExchange().anyExchange().authenticated().and().oauth2ResourceServer().jwt() throws Exception {
.jwtDecoder(jwtDecoder); http.authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated())
.oauth2ResourceServer((server) -> server.jwt((jwt) -> jwt.jwtDecoder(jwtDecoder)));
return http.build(); return http.build();
} }

5
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.java
View File

@ -57,8 +57,9 @@ class ReactiveOAuth2ResourceServerOpaqueTokenConfiguration {
@Bean @Bean
@ConditionalOnBean(ReactiveOAuth2TokenIntrospectionClient.class) @ConditionalOnBean(ReactiveOAuth2TokenIntrospectionClient.class)
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
http.authorizeExchange().anyExchange().authenticated().and().oauth2ResourceServer().opaqueToken(); http.authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated())
.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken);
return http.build(); return http.build();
} }

4
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java
View File

@ -31,6 +31,7 @@ import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm; import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders; import org.springframework.security.oauth2.jwt.JwtDecoders;
@ -95,7 +96,8 @@ class OAuth2ResourceServerJwtConfiguration {
return new WebSecurityConfigurerAdapter() { return new WebSecurityConfigurerAdapter() {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated().and().oauth2ResourceServer().jwt(); http.authorizeRequests((requests) -> requests.anyRequest().authenticated())
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
} }
}; };
} }

4
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java
View File

@ -23,6 +23,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOAuth2TokenIntrospectionClient; import org.springframework.security.oauth2.server.resource.introspection.NimbusOAuth2TokenIntrospectionClient;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2TokenIntrospectionClient; import org.springframework.security.oauth2.server.resource.introspection.OAuth2TokenIntrospectionClient;
@ -60,7 +61,8 @@ class OAuth2ResourceServerOpaqueTokenConfiguration {
return new WebSecurityConfigurerAdapter() { return new WebSecurityConfigurerAdapter() {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated().and().oauth2ResourceServer().opaqueToken(); http.authorizeRequests((requests) -> requests.anyRequest().authenticated())
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
} }
}; };
} }

5
spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java
View File

@ -375,8 +375,9 @@ class ReactiveOAuth2ResourceServerAutoConfigurationTests {
static class SecurityWebFilterChainConfig { static class SecurityWebFilterChainConfig {
@Bean @Bean
SecurityWebFilterChain testSpringSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain testSpringSecurityFilterChain(ServerHttpSecurity http) throws Exception {
http.authorizeExchange().pathMatchers("/message/**").hasRole("ADMIN").anyExchange().authenticated().and() http.authorizeExchange(
(exchanges) -> exchanges.pathMatchers("/message/**").hasRole("ADMIN").anyExchange().authenticated())
.httpBasic(); .httpBasic();
return http.build(); return http.build();
} }

10
spring-boot-project/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc
View File

@ -396,9 +396,9 @@ A typical Spring Security configuration might look something like the following
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests() http.requestMatcher(EndpointRequest.toAnyEndpoint())
.anyRequest().hasRole("ENDPOINT_ADMIN") .authorizeRequests((requests) ->
.and() requests.anyRequest().hasRole("ENDPOINT_ADMIN"))
.httpBasic(); .httpBasic();
} }
@ -432,8 +432,8 @@ following example:
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests() http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
.anyRequest().permitAll(); .anyRequest().permitAll());
} }
} }

4
spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/web/reactive/webclient/WebTestClientSpringBootTestIntegrationTests.java
View File

@ -67,8 +67,8 @@ class WebTestClientSpringBootTestIntegrationTests {
static class TestConfiguration { static class TestConfiguration {
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
return http.authorizeExchange().anyExchange().permitAll().and().build(); return http.authorizeExchange((exchanges) -> exchanges.anyExchange().permitAll()).build();
} }
} }

20
spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java
View File

@ -21,6 +21,7 @@ import org.springframework.boot.actuate.web.mappings.MappingsEndpoint;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest; import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.User;
@ -43,16 +44,15 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
// @formatter:off // @formatter:off
http.authorizeRequests() http.authorizeRequests((requests) ->
.mvcMatchers("/actuator/beans").hasRole("BEANS") requests
.requestMatchers(EndpointRequest.to("health", "info")).permitAll() .mvcMatchers("/actuator/beans").hasRole("BEANS")
.requestMatchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR") .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll() .requestMatchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR")
.antMatchers("/foo").permitAll() .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.antMatchers("/**").hasRole("USER") .antMatchers("/foo").permitAll()
.and() .antMatchers("/**").hasRole("USER"))
.cors() .cors(Customizer.withDefaults())
.and()
.httpBasic(); .httpBasic();
// @formatter:on // @formatter:on
} }

17
spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/ManagementPortSampleSecureWebFluxTests.java
View File

@ -90,11 +90,18 @@ class ManagementPortSampleSecureWebFluxTests {
static class SecurityConfiguration { static class SecurityConfiguration {
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
return http.authorizeExchange().matchers(EndpointRequest.to("health", "info")).permitAll() // @formatter:off
.matchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR") http.authorizeExchange((exchanges) ->
.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll().pathMatchers("/login") exchanges
.permitAll().anyExchange().authenticated().and().httpBasic().and().build(); .matchers(EndpointRequest.to("health", "info")).permitAll()
.matchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR")
.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.pathMatchers("/login").permitAll()
.anyExchange().authenticated())
.httpBasic();
// @formatter:on
return http.build();
} }
} }

18
spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java
View File

@ -29,6 +29,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService; import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.User;
@ -114,11 +115,18 @@ class SampleSecureWebFluxCustomSecurityTests {
} }
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
return http.authorizeExchange().matchers(EndpointRequest.to("health", "info")).permitAll() // @formatter:off
.matchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR") http.authorizeExchange((exchanges) ->
.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll().pathMatchers("/login") exchanges
.permitAll().anyExchange().authenticated().and().httpBasic().and().build(); .matchers(EndpointRequest.to("health", "info")).permitAll()
.matchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR")
.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.pathMatchers("/login").permitAll()
.anyExchange().authenticated())
.httpBasic(Customizer.withDefaults());
// @formatter:off
return http.build();
} }
} }

24
spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java
View File

@ -73,15 +73,13 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
// @formatter:off // @formatter:off
http.authorizeRequests() http.authorizeRequests((requests) ->
.antMatchers("/login").permitAll() requests
.anyRequest().fullyAuthenticated() .antMatchers("/login").permitAll()
.and() .anyRequest().fullyAuthenticated())
.formLogin().loginPage("/login").failureUrl("/login?error") .formLogin((form) -> form.loginPage("/login").failureUrl("/login?error"))
.and() .logout((logout) -> logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout")))
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .exceptionHandling((exceptions) -> exceptions.accessDeniedPage("/access?error"));
.and()
.exceptionHandling().accessDeniedPage("/access?error");
// @formatter:on // @formatter:on
} }
@ -93,12 +91,8 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
// @formatter:off http.requestMatcher(EndpointRequest.toAnyEndpoint())
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests() .authorizeRequests((requests) -> requests.anyRequest().authenticated()).httpBasic();
.anyRequest().authenticated()
.and()
.httpBasic();
// @formatter:on
} }
} }

10
spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java
View File

@ -24,6 +24,7 @@ import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
@ -61,8 +62,13 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated().and() // @formatter:off
.formLogin().loginPage("/login").failureUrl("/login?error").permitAll().and().logout().permitAll(); http.authorizeRequests((requests) ->
requests
.antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated())
.formLogin((form) -> form.loginPage("/login").failureUrl("/login?error").permitAll())
.logout(LogoutConfigurer::permitAll);
// @formatter:on
} }
} }

9
spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java
View File

@ -27,6 +27,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.provisioning.JdbcUserDetailsManager; import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
@ -65,8 +66,12 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated().and() // @formatter:off
.formLogin().loginPage("/login").failureUrl("/login?error").permitAll().and().logout().permitAll(); http.authorizeRequests(
(requests) -> requests.antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated())
.formLogin((form) -> form.loginPage("/login").failureUrl("/login?error").permitAll())
.logout(LogoutConfigurer::permitAll);
// @formatter:on
} }
@Bean @Bean

15
spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/main/java/smoketest/web/secure/SampleWebSecureApplication.java
View File

@ -25,6 +25,7 @@ import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
@ -63,13 +64,13 @@ public class SampleWebSecureApplication implements WebMvcConfigurer {
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
// @formatter:off // @formatter:off
http.authorizeRequests() http.authorizeRequests((requests) ->
.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll() requests
.anyRequest().fullyAuthenticated() .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.and() .anyRequest().fullyAuthenticated())
.formLogin().loginPage("/login").failureUrl("/login?error").permitAll() .formLogin((form) ->
.and() form.loginPage("/login").failureUrl("/login?error").permitAll())
.logout().permitAll(); .logout(LogoutConfigurer::permitAll);
// @formatter:on // @formatter:on
} }