Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Merge branch '5.8.x' into 6.0.x

Closes gh-12932
Josh Cummings 2 years ago
parent
97b53f0472 6bda1d2bf3
commit
834e361898
1 changed files with 43 additions and 0 deletions
Split View Show Diff Stats
  1. 43 0
      docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc

+ 43 - 0
docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
View File 

@@ -408,3 +408,46 @@ open class SecurityConfig {
 
 <3> Allow access to URLs that start with `/user/` to users with the `USER` role, using `AntPathRequestMatcher`
 
 <4> Allow access to URLs that start with `/admin/` to users with the `ADMIN` role, using `RegexRequestMatcher`
 
 <5> Allow access to URLs that match the `MyCustomRequestMatcher` to users with the `SUPERVISOR` role, using a custom `RequestMatcher`
 
+
 
+== Expressions
 
+
 
+It is recommended that you use type-safe authorization managers instead of SpEL.
 
+However, `WebExpressionAuthorizationManager` is available to help migrate legacy SpEL.
 
+
 
+To use `WebExpressionAuthorizationManager`, you can construct one with the expression you are trying to migrate, like so:
 
+
 
+====
 
+.Java
 
+[source,java,role="primary"]
 
+----
 
+.requestMatchers("/test/**").access(new WebExpressionAuthorizationManager("hasRole('ADMIN') && hasRole('USER')"))
 
+----
 
+
 
+.Kotlin
 
+[source,kotlin,role="secondary"]
 
+----
 
+.requestMatchers("/test/**").access(WebExpressionAuthorizationManager("hasRole('ADMIN') && hasRole('USER')"))
 
+----
 
+====
 
+
 
+If you are referring to a bean in your expression like so: `@webSecurity.check(authentication, request)`, it's recommended that you instead call the bean directly, which will look something like the following:
 
+
 
+====
 
+.Java
 
+[source,java,role="primary"]
 
+----
 
+.requestMatchers("/test/**").access((authentication, context) ->
 
+    new AuthorizationDecision(webSecurity.check(authentication.get(), context.getRequest())))
 
+----
 
+
 
+.Kotlin
 
+[source,kotlin,role="secondary"]
 
+----
 
+.requestMatchers("/test/**").access((authentication, context): AuthorizationManager<RequestAuthorizationContext> ->
 
+    AuthorizationDecision(webSecurity.check(authentication.get(), context.getRequest())))
 
+----
 
+====
 
+
 
+For complex instructions that include bean references as well as other expressions, it is recommended that you change those to implement `AuthorizationManager` and refer to them by calling `.access(AuthorizationManager)`.
 
+
 
+If you are not able to do that, you can configure a `DefaultHttpSecurityExpressionHandler` with a bean resolver and supply that to `WebExpressionAuthorizationManager#setExpressionhandler`.