Package org.springframework.security.config.annotation.web.configuration

Class WebSecurityConfigurerAdapter

java.lang.Object

org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

All Implemented Interfaces:

SecurityConfigurer<javax.servlet.Filter,WebSecurity>, WebSecurityConfigurer<WebSecurity>

@Order(100)
@Deprecated
public abstract class WebSecurityConfigurerAdapter
extends Object
implements WebSecurityConfigurer<WebSecurity>

Deprecated.

Use a SecurityFilterChain Bean to configure HttpSecurity or a WebSecurityCustomizer Bean to configure WebSecurity.

     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http
             .authorizeHttpRequests((authz) ->
                 authz.anyRequest().authenticated()
             );
             // ...
         return http.build();
     }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().antMatchers("/resources/**");
    }
 

See the Spring Security without WebSecurityConfigurerAdapter for more details.

Provides a convenient base class for creating a WebSecurityConfigurer instance. The implementation allows customization by overriding methods.

Will automatically apply the result of looking up AbstractHttpConfigurer from SpringFactoriesLoader to allow developers to extend the defaults. To do this, you must create a class that extends AbstractHttpConfigurer and then create a file in the classpath at "META-INF/spring.factories" that looks something like:

 org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyClassThatExtendsAbstractHttpConfigurer
 

If you have multiple classes that should be added you can use "," to separate the values. For example:

 org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyClassThatExtendsAbstractHttpConfigurer, sample.OtherThatExtendsAbstractHttpConfigurer
 

See Also:

• EnableWebSecurity

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	WebSecurityConfigurerAdapter()	Deprecated. Creates an instance with the default configuration enabled.
protected	WebSecurityConfigurerAdapter(boolean disableDefaults)	Deprecated. Creates an instance which allows specifying if the default configuration should be enabled.

Method Summary

Modifier and Type	Method	Description
protected AuthenticationManager	authenticationManager()	Deprecated. Gets the AuthenticationManager to use.
AuthenticationManager	authenticationManagerBean()	Deprecated. Override this method to expose the AuthenticationManager from configure(AuthenticationManagerBuilder) to be exposed as a Bean.
protected void	configure(AuthenticationManagerBuilder auth)	Deprecated. Used by the default implementation of authenticationManager() to attempt to obtain an AuthenticationManager.
protected void	configure(HttpSecurity http)	Deprecated. Override this method to configure the HttpSecurity.
void	configure(WebSecurity web)	Deprecated. Override this method to configure WebSecurity.
protected final org.springframework.context.ApplicationContext	getApplicationContext()	Deprecated. Gets the ApplicationContext
protected final HttpSecurity	getHttp()	Deprecated. Creates the HttpSecurity or returns the current instance
void	init(WebSecurity web)	Deprecated. Initialize the SecurityBuilder.
void	setApplicationContext(org.springframework.context.ApplicationContext context)	Deprecated.
void	setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration)	Deprecated.
void	setContentNegotationStrategy(org.springframework.web.accept.ContentNegotiationStrategy contentNegotiationStrategy)	Deprecated.
void	setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor)	Deprecated.
void	setTrustResolver(AuthenticationTrustResolver trustResolver)	Deprecated.
protected UserDetailsService	userDetailsService()	Deprecated. Allows modifying and accessing the UserDetailsService from userDetailsServiceBean() without interacting with the ApplicationContext.
UserDetailsService	userDetailsServiceBean()	Deprecated. Override this method to expose a UserDetailsService created from configure(AuthenticationManagerBuilder) as a bean.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

WebSecurityConfigurerAdapter

protected WebSecurityConfigurerAdapter()

Deprecated.

Creates an instance with the default configuration enabled.

WebSecurityConfigurerAdapter

protected WebSecurityConfigurerAdapter(boolean disableDefaults)

Deprecated.

Creates an instance which allows specifying if the default configuration should be enabled. Disabling the default configuration should be considered more advanced usage as it requires more understanding of how the framework is implemented.

Parameters:

disableDefaults - true if the default configuration should be disabled, else false

Method Details

configure

protected void configure(AuthenticationManagerBuilder auth)
                  throws Exception

Deprecated.

Used by the default implementation of authenticationManager() to attempt to obtain an AuthenticationManager. If overridden, the AuthenticationManagerBuilder should be used to specify the AuthenticationManager.

The authenticationManagerBean() method can be used to expose the resulting AuthenticationManager as a Bean. The userDetailsServiceBean() can be used to expose the last populated UserDetailsService that is created with the AuthenticationManagerBuilder as a Bean. The UserDetailsService will also automatically be populated on AbstractConfiguredSecurityBuilder.getSharedObject(Class) for use with other SecurityContextConfigurer (i.e. RememberMeConfigurer )

For example, the following configuration could be used to register in memory authentication that exposes an in memory UserDetailsService:

 @Override
 protected void configure(AuthenticationManagerBuilder auth) {
        auth
        // enable in memory based authentication with a user named
        // "user" and "admin"
        .inMemoryAuthentication().withUser("user").password("password").roles("USER").and()
                        .withUser("admin").password("password").roles("USER", "ADMIN");
 }

 // Expose the UserDetailsService as a Bean
 @Bean
 @Override
 public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
 }

 

Parameters:

auth - the AuthenticationManagerBuilder to use

Throws:

Exception

getHttp

protected final HttpSecurity getHttp()
                              throws Exception

Deprecated.

Creates the HttpSecurity or returns the current instance

Returns:

the HttpSecurity

Throws:

Exception

authenticationManagerBean

public AuthenticationManager authenticationManagerBean()
                                                throws Exception

Deprecated.

Override this method to expose the AuthenticationManager from configure(AuthenticationManagerBuilder) to be exposed as a Bean. For example:

 @Bean(name name="myAuthenticationManager")
 @Override
 public AuthenticationManager authenticationManagerBean() throws Exception {
     return super.authenticationManagerBean();
 }
 

Returns:

the AuthenticationManager

Throws:

Exception

authenticationManager

protected AuthenticationManager authenticationManager()
                                               throws Exception

Deprecated.

Gets the AuthenticationManager to use. The default strategy is if configure(AuthenticationManagerBuilder) method is overridden to use the AuthenticationManagerBuilder that was passed in. Otherwise, autowire the AuthenticationManager by type.

Returns:

the AuthenticationManager to use

Throws:

Exception

userDetailsServiceBean

public UserDetailsService userDetailsServiceBean()
                                          throws Exception

Deprecated.

Override this method to expose a UserDetailsService created from configure(AuthenticationManagerBuilder) as a bean. In general only the following override should be done of this method:

 @Bean(name = "myUserDetailsService")
 // any or no name specified is allowed
 @Override
 public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
 }
 

To change the instance returned, developers should change userDetailsService() instead

Returns:

the UserDetailsService

Throws:

Exception

See Also:

• userDetailsService()

userDetailsService

protected UserDetailsService userDetailsService()

Deprecated.

Allows modifying and accessing the UserDetailsService from userDetailsServiceBean() without interacting with the ApplicationContext. Developers should override this method when changing the instance of userDetailsServiceBean().

Returns:

the UserDetailsService to use

init

public void init(WebSecurity web)
          throws Exception

Deprecated.

Description copied from interface: SecurityConfigurer

Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.

Specified by:

init in interface SecurityConfigurer<javax.servlet.Filter,WebSecurity>

Throws:

Exception

configure

public void configure(WebSecurity web)
               throws Exception

Deprecated.

Override this method to configure WebSecurity. For example, if you wish to ignore certain requests. Endpoints specified in this method will be ignored by Spring Security, meaning it will not protect them from CSRF, XSS, Clickjacking, and so on. Instead, if you want to protect endpoints against common vulnerabilities, then see configure(HttpSecurity) and the HttpSecurity.authorizeRequests() configuration method.

Specified by:

configure in interface SecurityConfigurer<javax.servlet.Filter,WebSecurity>

Throws:

Exception

configure

protected void configure(HttpSecurity http)
                  throws Exception

Deprecated.

Override this method to configure the HttpSecurity. Typically subclasses should not invoke this method by calling super as it may override their configuration. The default configuration is:

 http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
 

Any endpoint that requires defense against common vulnerabilities can be specified here, including public ones. See HttpSecurity.authorizeRequests() and the `permitAll()` authorization rule for more details on public endpoints.

Parameters:

http - the HttpSecurity to modify

Throws:

Exception - if an error occurs

getApplicationContext

protected final org.springframework.context.ApplicationContext getApplicationContext()

Deprecated.

Gets the ApplicationContext

Returns:

the context

setApplicationContext

@Autowired
public void setApplicationContext(org.springframework.context.ApplicationContext context)

Deprecated.

setTrustResolver

@Autowired(required=false)
public void setTrustResolver(AuthenticationTrustResolver trustResolver)

Deprecated.

setContentNegotationStrategy

@Autowired(required=false)
public void setContentNegotationStrategy(org.springframework.web.accept.ContentNegotiationStrategy contentNegotiationStrategy)

Deprecated.

setObjectPostProcessor

@Autowired
public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor)

Deprecated.

setAuthenticationConfiguration

@Autowired
public void setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration)

Deprecated.