Spring Security Configuration – HttpSecurity vs WebSecurity

General use of the WebSecurity ignoring() method omits Spring Security, and none of Spring Security’s features will be available. WebSecurity is based above HttpSecurity.

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/resources/**")
            .antMatchers("/publics/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/publics/**").hasRole("USER") // no effect
            .anyRequest().authenticated();
    }

WebSecurity in …

How To Inject AuthenticationManager using Java Configuration in a Custom Filter

Override method authenticationManagerBean in WebSecurityConfigurerAdapter to expose the AuthenticationManager built using configure(AuthenticationManagerBuilder) as a Spring bean.

For example:

    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

How to create custom methods for use in spring security expression language annotations

None of the mentioned techniques will work anymore. It seems as though Spring has gone to great lengths to prevent users from overriding the SecurityExpressionRoot.

EDIT 11/19/14

Set up Spring to use security annotations:

    <beans … xmlns:sec="http://www.springframework.org/schema/security" … >
        …
        <sec:global-method-security pre-post-annotations="enabled" />

Create a bean like this:

    @Component("mySecurityService")
    public class MySecurityService {
        public boolean hasPermission(String …

Spring security CORS Filter

Since Spring Security 4.1, this is the proper way to make Spring Security support CORS (also needed in Spring Boot 1.4/1.5):

    @Configuration
    public class WebConfig extends WebMvcConfigurerAdapter {

        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/**")
                .allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
        }
    }

and:

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity …

How to fix role in Spring Security?

Your first matcher anyRequest() is always applied, because the order of matchers is important, see HttpSecurity#authorizeRequests:

Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:

    http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**")
        .hasRole("ADMIN")

Your modified and simplified configuration:

    @Override
    protected void configure(HttpSecurity …

Serving static web resources in Spring Boot & Spring Security application

There are a couple of things to be aware of:

The Ant matchers match against the request path and not the path of the resource on the filesystem.

Resources placed in src/main/resources/public will be served from the root of your application. For example, src/main/resources/public/hello.jpg would be served from http://localhost:8080/hello.jpg

This is why your current matcher …

Spring Security : Multiple HTTP Config not working

Look at the Spring Security Reference:

    @EnableWebSecurity
    public class MultiHttpSecurityConfig {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) {
            auth
                .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER").and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
        }

        @Configuration
        @Order(1)
        public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/api/**")
                    .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                    .httpBasic();
            }
        }

        @Configuration
        public static class …