Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Improve docs on dispatcherTypeMatcher

Closes gh-11467
Marcus Da Coregio 3 years ago
parent
7df9c6eba5
commit
64ba31aebb
2 changed files with 115 additions and 0 deletions
Split View Show Diff Stats
  1. 75 0
      docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
  2. 40 0
      docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc

+ 75 - 0
docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
View File 

@@ -205,3 +205,78 @@ open fun web(http: HttpSecurity): SecurityFilterChain {
 
 }
 
 ----
 
 ====
 
+
 
+Now with the authorization rules applying to all dispatcher types, you have more control of the authorization on them.
 
+For example, you may want to configure `shouldFilterAllDispatcherTypes` to `true` but not apply authorization on requests with dispatcher type `ASYNC` or `FORWARD`.
 
+
 
+.Permit ASYNC and FORWARD dispatcher type
 
+====
 
+.Java
 
+[source,java,role="primary"]
 
+----
 
+@Bean
 
+SecurityFilterChain web(HttpSecurity http) throws Exception {
 
+    http
 
+        .authorizeHttpRequests((authorize) -> authorize
 
+            .shouldFilterAllDispatcherTypes(true)
 
+            .dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.FORWARD).permitAll()
 
+            .anyRequest().authenticated()
 
+        )
 
+        // ...
 
+
 
+    return http.build();
 
+}
 
+----
 
+.Kotlin
 
+[source,kotlin,role="secondary"]
 
+----
 
+@Bean
 
+open fun web(http: HttpSecurity): SecurityFilterChain {
 
+    http {
 
+        authorizeHttpRequests {
 
+            shouldFilterAllDispatcherTypes = true
 
+            authorize(DispatcherTypeRequestMatcher(DispatcherType.ASYNC, DispatcherType.FORWARD), permitAll)
 
+            authorize(anyRequest, authenticated)
 
+        }
 
+    }
 
+    return http.build()
 
+}
 
+----
 
+====
 
+
 
+You can also customize it to require a specific role for a dispatcher type:
 
+
 
+.Require ADMIN for Dispatcher Type ERROR
 
+====
 
+.Java
 
+[source,java,role="primary"]
 
+----
 
+@Bean
 
+SecurityFilterChain web(HttpSecurity http) throws Exception {
 
+    http
 
+        .authorizeHttpRequests((authorize) -> authorize
 
+            .shouldFilterAllDispatcherTypes(true)
 
+            .dispatcherTypeMatchers(DispatcherType.ERROR).hasRole("ADMIN")
 
+            .anyRequest().authenticated()
 
+        )
 
+        // ...
 
+
 
+    return http.build();
 
+}
 
+----
 
+.Kotlin
 
+[source,kotlin,role="secondary"]
 
+----
 
+@Bean
 
+open fun web(http: HttpSecurity): SecurityFilterChain {
 
+    http {
 
+        authorizeHttpRequests {
 
+            shouldFilterAllDispatcherTypes = true
 
+            authorize(DispatcherTypeRequestMatcher(DispatcherType.ERROR), hasRole("ADMIN"))
 
+            authorize(anyRequest, authenticated)
 
+        }
 
+    }
 
+    return http.build()
 
+}
 
+----
 
+====

+ 40 - 0
docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc
View File 

@@ -129,6 +129,7 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 
     return http.build()
 
 }
 
 ----
 
+====
 
 <1> There are multiple authorization rules specified.
 
 Each rule is considered in the order they were declared.
 
 <2> We specified multiple URL patterns that any user can access.
 
@@ -141,3 +142,42 @@ You will notice that since we are using the `hasRole` expression we do not need
 
 This is a good strategy if you do not want to accidentally forget to update your authorization rules.
 
 ====
 
 
+
 
+[[filtersecurityinterceptor-every-request]]
 
+== Configure FilterSecurityInterceptor with Dispatcher Types
 
+
 
+By default, the `FilterSecurityInterceptor` applies to every request.
 
+This means that if a request is dispatched from a request that was already filtered, the `FilterSecurityInterceptor` will perform the same authorization checks on the dispatched request.
 
+In some scenarios, you may not want to apply authorization on some dispatcher types:
 
+
 
+.Permit ASYNC and ERROR dispatcher types
 
+====
 
+.Java
 
+[source,java,role="primary"]
 
+----
 
+@Bean
 
+SecurityFilterChain web(HttpSecurity http) throws Exception {
 
+    http
 
+        .authorizeRequests((authorize) -> authorize
 
+            .dispatcherTypeMatchers(DispatcherType.ASYNC, DispatcherType.ERROR).permitAll()
 
+            .anyRequest.authenticated()
 
+        )
 
+        // ...
 
+
 
+    return http.build();
 
+}
 
+----
 
+.XML
 
+[source,xml]
 
+----
 
+<http auto-config="true">
 
+    <intercept-url request-matcher-ref="dispatcherTypeMatcher" access="permitAll" />
 
+    <intercept-url pattern="/**" access="authenticated"/>
 
+</http>
 
+
 
+<b:bean id="dispatcherTypeMatcher" class="org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher">
 
+    <b:constructor-arg value="ASYNC"/>
 
+    <b:constructor-arg value="ERROR"/>
 
+</b:bean>
 
+----
 
+====