root
/
spring-boot
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Merge branch '2.7.x'

Browse Source 
Closes gh-31355
pull/31400/head
Stephane Nicoll 2 years ago
parent 42e8f65b80 72dd51ae0b
commit 365d96daf6
10 changed files with 43 additions and 27 deletions
Show Stats Download Patch File Download Diff File

2
spring-boot-project/spring-boot-docs/src/docs/asciidoc/data/sql.adoc
Unescape Escape View File

@ -337,7 +337,7 @@ More information on {spring-security-docs}/features/exploits/csrf.html[CSRF] and
In simple setups, a `SecurityFilterChain` like the following can be used:
include::code:DevProfileSecurityConfiguration[]
include::code:DevProfileSecurityConfiguration[tag=!customizer]
WARNING: The H2 console is only intended for use during development.
In production, disabling CSRF protection or allowing frames for a website may create severe security risks.

6
spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/actuator/endpoints/security/exposeall/MySecurityConfiguration.java
Unescape Escape View File

@ -1,5 +1,5 @@
/*
* Copyright 2012-2021 the original author or authors.
* Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -27,8 +27,8 @@ public class MySecurityConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint())
.authorizeRequests((requests) -> requests.anyRequest().permitAll());
http.requestMatcher(EndpointRequest.toAnyEndpoint());
http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
return http.build();
}

10
spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/actuator/endpoints/security/typical/MySecurityConfiguration.java
Unescape Escape View File

@ -1,5 +1,5 @@
/*
* Copyright 2012-2021 the original author or authors.
* Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -22,14 +22,16 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;
@Configuration(proxyBeanMethods = false)
public class MySecurityConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint())
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
http.httpBasic();
http.requestMatcher(EndpointRequest.toAnyEndpoint());
http.authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
http.httpBasic(withDefaults());
return http.build();
}

20
spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java
Unescape Escape View File

@ -22,6 +22,7 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
@ -32,13 +33,18 @@ public class DevProfileSecurityConfiguration {
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
// @formatter:off
return http.requestMatcher(PathRequest.toH2Console())
// ... configuration for authorization
.csrf().disable()
.headers().frameOptions().sameOrigin().and()
.build();
// @formatter:on
http.requestMatcher(PathRequest.toH2Console());
http.authorizeRequests(yourCustomAuthorization());
http.csrf((csrf) -> csrf.disable());
http.headers((headers) -> headers.frameOptions().sameOrigin());
return http.build();
}
// tag::customizer[]
<T> Customizer<T> yourCustomAuthorization() {
return (t) -> {
};
}
// end::customizer[]
}

4
spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/howto/security/enablehttps/MySecurityConfig.java
Unescape Escape View File

@ -1,5 +1,5 @@
/*
* Copyright 2012-2021 the original author or authors.
* Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -27,7 +27,7 @@ public class MySecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// Customize the application security ...
http.requiresChannel().anyRequest().requiresSecure();
http.requiresChannel((channel) -> channel.anyRequest().requiresSecure());
return http.build();
}

2
spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/howto/testing/slicetests/MyConfiguration.java
Unescape Escape View File

@ -30,7 +30,7 @@ public class MyConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated();
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
return http.build();
}

2
spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/howto/testing/slicetests/MySecurityConfiguration.java
Unescape Escape View File

@ -26,7 +26,7 @@ public class MySecurityConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated();
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
return http.build();
}

4
spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/oauth2/client/MyOAuthClientConfiguration.java
Unescape Escape View File

@ -26,8 +26,8 @@ public class MyOAuthClientConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated();
http.oauth2Login().redirectionEndpoint().baseUri("custom-callback");
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.oauth2Login((login) -> login.redirectionEndpoint().baseUri("custom-callback"));
return http.build();
}

10
spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/springwebflux/MyWebFluxSecurityConfiguration.java
Unescape Escape View File

@ -22,16 +22,18 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;
@Configuration(proxyBeanMethods = false)
public class MyWebFluxSecurityConfiguration {
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http.authorizeExchange((spec) -> {
spec.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
spec.pathMatchers("/foo", "/bar").authenticated();
http.authorizeExchange((exchange) -> {
exchange.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
exchange.pathMatchers("/foo", "/bar").authenticated();
});
http.formLogin();
http.formLogin(withDefaults());
return http.build();
}

10
spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.kt
Unescape Escape View File

@ -16,12 +16,12 @@
package org.springframework.boot.docs.data.sql.h2webconsole.springsecurity
import org.springframework.boot.autoconfigure.security.servlet.PathRequest
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.context.annotation.Profile
import org.springframework.core.Ordered
import org.springframework.core.annotation.Order
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.web.SecurityFilterChain
@ -32,10 +32,16 @@ class DevProfileSecurityConfiguration {
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
fun h2ConsoleSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
return http.requestMatcher(PathRequest.toH2Console())
return http.authorizeHttpRequests(yourCustomAuthorization())
.csrf().disable()
.headers().frameOptions().sameOrigin().and()
.build()
}
// tag::customizer[]
private fun <T> yourCustomAuthorization(): Customizer<T> {
return Customizer.withDefaults<T>()
}
// end::customizer[]
}
Write Preview
Loading…
Cancel
Save