|
@@ -1320,7 +1320,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|
|
* @Configuration
|
|
|
* @EnableWebSecurity
|
|
|
* public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
- *
|
|
|
+ *HttpSecurity.java
|
|
|
* @Override
|
|
|
* protected void configure(HttpSecurity http) throws Exception {
|
|
|
* http
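Review bot: The added line `*HttpSecurity.java` puts the file name into the Javadoc `<pre>` example, between the class declaration and `@Override`, which looks like an accidental paste rather than an intended edit. It would be rendered in the published API docs as part of the sample security configuration, so restore the blank comment line ` *`. The enclosing Javadoc block starts and ends outside this hunk.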
|
|
@@ -1348,6 +1348,86 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|
|
return HttpSecurity.this;
|
|
|
}
|
|
|
|
|
|
+ /**
|
|
|
+ * Allows restricting access based upon the {@link HttpServletRequest} using
|
|
|
+ * {@link RequestMatcher} implementations (i.e. via URL patterns).
|
|
|
+ *
|
|
|
+ * <h2>Example Configurations</h2>
|
|
|
+ *
|
|
|
+ * The most basic example is to configure all URLs to require the role "ROLE_USER".
|
|
|
+ * The configuration below requires authentication to every URL and will grant access
|
|
|
+ * to both the user "admin" and "user".
|
|
|
+ *
|
|
|
+ * <pre>
|
|
|
+ * @Configuration
|
|
|
+ * @EnableWebSecurity
|
|
|
+ * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
+ *
|
|
|
+ * @Override
|
|
|
+ * protected void configure(HttpSecurity http) throws Exception {
|
|
|
+ * http
|
|
|
+ * .authorizeHttpRequests()
|
|
|
+ * .antMatchers("/**").hasRoles("USER")
|
|
|
+ * .and()
|
|
|
+ * .formLogin();
|
|
|
+ * }
|
|
|
+ * }
|
|
|
+ * </pre>
|
|
|
+ *
|
|
|
+ * We can also configure multiple URLs. The configuration below requires
|
|
|
+ * authentication to every URL and will grant access to URLs starting with /admin/ to
|
|
|
+ * only the "admin" user. All other URLs either user can access.
|
|
|
+ *
|
|
|
+ * <pre>
|
|
|
+ * @Configuration
|
|
|
+ * @EnableWebSecurity
|
|
|
+ * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
+ *
|
|
|
+ * @Override
|
|
|
+ * protected void configure(HttpSecurity http) throws Exception {
|
|
|
+ * http
|
|
|
+ * .authorizeHttpRequests()
|
|
|
+ * .antMatchers("/**").hasRoles("USER")
|
|
|
+ * .and()
|
|
|
+ * .formLogin();
|
|
|
+ * .formLogin(withDefaults());
|
|
|
+ * }
|
|
|
+ * }
|
|
|
+ * </pre>
|
|
|
+ *
|
|
|
+ * Note that the matchers are considered in order. Therefore, the following is invalid
|
|
|
+ * because the first matcher matches every request and will never get to the second
|
|
|
+ * mapping:
|
|
|
+ *
|
|
|
+ * <pre>
|
|
|
+ * @Configuration
|
|
|
+ * @EnableWebSecurity
|
|
|
+ * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
+ *
|
|
|
+ * @Override
|
|
|
+ * protected void configure(HttpSecurity http) throws Exception {
|
|
|
+ * http
|
|
|
+ * .authorizeHttpRequests()
|
|
|
+ * .antMatchers("/**").hasRoles("USER")
|
|
|
+ * .and()
|
|
|
+ * .formLogin();
|
|
|
+ * }
|
|
|
+ * }
|
|
|
+ * </pre>
|
|
|
+ * @return the {@link HttpSecurity} for further customizations
|
|
|
+ * @throws Exception
|
|
|
+ * @since 5.5
|
|
|
+ * @see #requestMatcher(RequestMatcher)
|
|
|
+ */
|
|
|
+ public HttpSecurity authorizeHttpRequests() throws Exception {
|
|
|
+ ApplicationContext applicationContext = getContext();
|
|
|
+ Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer = Customizer
|
|
|
+ .withDefaults();
|
|
|
+ authorizeHttpRequestsCustomizer
|
|
|
+ .customize(getOrApply(new AuthorizeHttpRequestsConfigurer<>(applicationContext)).getRegistry());
|
|
|
+ return HttpSecurity.this;
|
|
|
+ }
|
|
|
+
|
|
|
/**
|
|
|
* Allows configuring the Request Cache. For example, a protected page (/protected)
|
|
|
* may be requested prior to authentication. The application will redirect the user to
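Review bot: The new `authorizeHttpRequests()` applies `Customizer.withDefaults()` to the registry and returns `HttpSecurity.this`, so a caller of this overload gets no handle on which to declare matchers, yet every Javadoc example chains `.antMatchers("/**")` directly on its result. Either return the registry, e.g. `return getOrApply(new AuthorizeHttpRequestsConfigurer<>(applicationContext)).getRegistry();` with the return type changed to match, or accept a `Customizer` parameter; which one fits depends on the configurer API, which is not visible in this hunk. The Javadoc also needs rework: the second and third examples are copies of the first, so the "/admin/" case and the shadowed-matcher warning are never shown, and the second example has `.formLogin();` followed by a dangling `.formLogin(withDefaults());`. Because matcher order decides which authorization rule applies, the "invalid" example should show a `/**` rule placed before an `/admin/**` rule, so readers can recognise an ordering that leaves the admin restriction unreachable. `@throws Exception` has no description, and `hasRoles` should be checked against the method name the registry actually exposes.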
|