|
|
@@ -0,0 +1,116 @@
|
|
|
+= Configuration Migrations
|
|
|
+
|
|
|
+The following steps relate to changes around how to configure `HttpSecurity`, `WebSecurity` and related components.
|
|
|
+
|
|
|
+== Use the Lambda DSL
|
|
|
+
|
|
|
+The Lambda DSL is present in Spring Security since version 5.2, and it allows HTTP security to be configured using lambdas.
|
|
|
+
|
|
|
+The prior configuration style will not be valid in Spring Security 7 where the usage of the Lambda DSL will be required.
|
|
|
+
|
|
|
+You may have seen this style of configuration in the Spring Security documentation or samples.
|
|
|
+Let us take a look at how a lambda configuration of HTTP security compares to the previous configuration style.
|
|
|
+
|
|
|
+====
|
|
|
+[source,java]
|
|
|
+.Configuration using lambdas
|
|
|
+----
|
|
|
+@Configuration
|
|
|
+@EnableWebSecurity
|
|
|
+public class SecurityConfig {
|
|
|
+
|
|
|
+ @Bean
|
|
|
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
|
+ http
|
|
|
+ .authorizeHttpRequests(authorize -> authorize
|
|
|
+ .requestMatchers("/blog/**").permitAll()
|
|
|
+ .anyRequest().authenticated()
|
|
|
+ )
|
|
|
+ .formLogin(formLogin -> formLogin
|
|
|
+ .loginPage("/login")
|
|
|
+ .permitAll()
|
|
|
+ )
|
|
|
+ .rememberMe(Customizer.withDefaults());
|
|
|
+
|
|
|
+ return http.build();
|
|
|
+ }
|
|
|
+}
|
|
|
+----
|
|
|
+====
|
|
|
+
|
|
|
+====
|
|
|
+[source,java]
|
|
|
+.Equivalent configuration without using lambdas
|
|
|
+----
|
|
|
+@Configuration
|
|
|
+@EnableWebSecurity
|
|
|
+public class SecurityConfig {
|
|
|
+
|
|
|
+ @Bean
|
|
|
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
|
+ http
|
|
|
+ .authorizeHttpRequests()
|
|
|
+ .requestMatchers("/blog/**").permitAll()
|
|
|
+ .anyRequest().authenticated()
|
|
|
+ .and()
|
|
|
+ .formLogin()
|
|
|
+ .loginPage("/login")
|
|
|
+ .permitAll()
|
|
|
+ .and()
|
|
|
+ .rememberMe();
|
|
|
+
|
|
|
+ return http.build();
|
|
|
+ }
|
|
|
+}
|
|
|
+----
|
|
|
+====
|
|
|
+
|
|
|
+=== Lambda DSL Configuration Tips
|
|
|
+
|
|
|
+When comparing the two samples above, you will notice some key differences:
|
|
|
+
|
|
|
+- In the Lambda DSL there is no need to chain configuration options using the `.and()` method.
|
|
|
+The `HttpSecurity` instance is automatically returned for further configuration after the call to the lambda method.
|
|
|
+
|
|
|
+- `Customizer.withDefaults()` enables a security feature using the defaults provided by Spring Security.
|
|
|
+This is a shortcut for the lambda expression `it -> {}`.
|
|
|
+
|
|
|
+=== WebFlux Security
|
|
|
+
|
|
|
+You may also configure WebFlux security using lambdas in a similar manner.
|
|
|
+Below is an example configuration using lambdas.
|
|
|
+
|
|
|
+====
|
|
|
+[source,java]
|
|
|
+.WebFlux configuration using lambdas
|
|
|
+----
|
|
|
+@Configuration
|
|
|
+@EnableWebFluxSecurity
|
|
|
+public class SecurityConfig {
|
|
|
+
|
|
|
+ @Bean
|
|
|
+ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
|
|
+ http
|
|
|
+ .authorizeExchange(exchanges -> exchanges
|
|
|
+ .pathMatchers("/blog/**").permitAll()
|
|
|
+ .anyExchange().authenticated()
|
|
|
+ )
|
|
|
+ .httpBasic(Customizer.withDefaults())
|
|
|
+ .formLogin(formLogin -> formLogin
|
|
|
+ .loginPage("/login")
|
|
|
+ );
|
|
|
+
|
|
|
+ return http.build();
|
|
|
+ }
|
|
|
+
|
|
|
+}
|
|
|
+----
|
|
|
+====
|
|
|
+
|
|
|
+=== Goals of the Lambda DSL
|
|
|
+
|
|
|
+The Lambda DSL was created to accomplish to following goals:
|
|
|
+
|
|
|
+- Automatic indentation makes the configuration more readable.
|
|
|
+- The is no need to chain configuration options using `.and()`
|
|
|
+- The Spring Security DSL has a similar configuration style to other Spring DSLs such as Spring Integration and Spring Cloud Gateway.
|
Marcus Da Coregio