Please add support for nested builders in the DSL

[joshlong]

This could take advantage of lambdas in Java 8.

This would mean we could configure things in Spring Security without worrying about indents.

foo 
  .a ( aSpec  ->aSpec.foo() .bar()) 
  .b ( bSpec -> bSpec x().y())

Spring Integration and Spring Cloud Gateway both support similar nested builder style DSLs.

[eleftherias]

This is an example of how to configure HTTP security using lambdas.

@Override
protected void configure(HttpSecurity http) throws Exception {
	http
		.authorizeRequests(authorizeRequests ->
			authorizeRequests
				.antMatchers("/css/**", "/index").permitAll()
				.antMatchers("/user/**").hasRole("USER")
		)
		.formLogin(formLogin ->
			formLogin
				.loginPage("/login")
				.failureUrl("/login-error")
		);
}

[mraible]

@eleftherias Here's a Kotlin-based SecurityConfiguration class. How do I change it to use lambdas?

@Configuration
class SecurityConfiguration : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {
        //@formatter:off
        http
            .authorizeRequests().anyRequest().authenticated()
                .and()
            .oauth2Login()
                .and()
            .oauth2ResourceServer().jwt()

        http.requiresChannel().anyRequest().requiresSecure(); // <1>

        http.csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); // <2>

        http.headers()
            .contentSecurityPolicy("script-src 'self'; report-uri /csp-report-endpoint/"); // <3>
        //@formatter:on
    }
}

P.S. I enjoyed learning about this feature on the Bootiful Podcast with @joshlong today!

[eleftherias]

@mraible here is the same configuration using lambdas

@Configuration
class SecurityConfiguration : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {
        http
            .authorizeRequests { requests ->
                requests
                    .anyRequest().authenticated()
            }
            .oauth2Login { }
            .oauth2ResourceServer { oauth2ResourceServer ->
                oauth2ResourceServer
                    .jwt { }
            }
            .requiresChannel { requiresChannel ->
                requiresChannel
                    .anyRequest().requiresSecure() // <1>
            }
            .csrf { csrf ->
                csrf
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) // <2>
            }
            .headers { headers ->
                headers
                    .contentSecurityPolicy("script-src 'self'; report-uri /csp-report-endpoint/")// <3>
            }
    }
}

In this example, I have chained all the configuration options, but you can separate them like you have done in the non-lambda configuration if you prefer.

Additionally, you could emit the -> and use the it keyword, for example:

http
        .authorizeRequests { 
            it
                .anyRequest().authenticated()
        }

Also, check out the native Kotlin DSL that we've been working on.
It's currently experimental, but we're planning on integrating it into core Spring Security in the near future.