Skip to content

Introduce a Security DSL to allow it nest in BeanDefinitionDSL #7961

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
hantsy opened this issue Feb 9, 2020 · 2 comments
Closed

Introduce a Security DSL to allow it nest in BeanDefinitionDSL #7961

hantsy opened this issue Feb 9, 2020 · 2 comments
Assignees
@eleftherias
Labels
in: config An issue in spring-security-config type: enhancement A general enhancement

Comments

@hantsy
Copy link

hantsy commented Feb 9, 2020

I have tried the Spring Security Kotlin DSL feature introduced in Spring Security 5.3.

The example is here.

Currently, I have to define a WebSecurityConfigurerAdapter like this.

bean<WebSecurityConfigurerAdapter> {
        val config = object : WebSecurityConfigurerAdapter() {
            override fun configure(http: HttpSecurity?) {
                http {
                    csrf { disable() }
                    httpBasic { }
                    securityMatcher("/**")
                    authorizeRequests {
                        authorize("/auth/**", authenticated)
                        authorize(AntPathRequestMatcher("/posts/**", HttpMethod.GET.name), permitAll)
                        authorize(AntPathRequestMatcher("/posts/**", HttpMethod.DELETE.name), "hasRole('ADMIN')")
                        authorize("/posts/**", authenticated)
                        authorize(anyRequest, permitAll)
                    }
                }
            }
        }
        config
    }

The RouterFunctionDSL can be nested in BeanDefinitionDSL directly.

bean {
        val postHandler = ref<PostHandler>()
        val userInfoHandler = ref<UserInfoHandler>()
        router {
            "posts".nest {
                GET("", postHandler::all)
                GET("count", postHandler::count)
                GET("{id}", postHandler::get)
                POST("", postHandler::create)
                PUT("{id}", postHandler::update)
                PATCH("{id}", postHandler::updateStatus)
                DELETE("{id}", postHandler::delete)

                //comments
                "{id}/comments".nest {
                    GET("count", postHandler::countCommentsOfPost)
                    GET("", postHandler::getCommentsOfPost)
                    POST("", postHandler::createComment)
                }
            }
            //get user info
            "/auth".nest {
                GET("/user", userInfoHandler::userInfo)
                GET("/logout", userInfoHandler::logout)
            }
        }
    }

Is it possible to add another DSL to make the security config nested in BeanDefinitionDSL, like the router config? eg.

bean{
       security{
             http{}
             websocket{}
             rsocket{}
      }
}
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 9, 2020
@eleftherias eleftherias self-assigned this Feb 14, 2020
@eleftherias eleftherias added in: config An issue in spring-security-config type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 14, 2020
@eleftherias eleftherias added this to the 5.4.x milestone Feb 14, 2020
@jgrandja jgrandja changed the title Introduce a Secuirty DSL to allow it nest in BeanDefinitionDSL Introduce a Security DSL to allow it nest in BeanDefinitionDSL Mar 12, 2020
@jgrandja jgrandja modified the milestones: 5.4.x, 5.5.x Sep 9, 2020
@eleftherias eleftherias removed this from the 5.5.x milestone Sep 28, 2020
@eleftherias
Copy link
Contributor

@hantsy In Spring Security 5.4.0, we added the ability to configure HttpSecurity by exposing a bean, instead of extending WebSecurityConfigurerAdapter (see #8804).

This means you can nest the SecurityFilterChain bean in the BeanDefinitionDsl

val beans = beans {
    bean {
        val httpSecurity = ref<HttpSecurity>()
        httpSecurity {
            authorizeRequests {
                authorize("/css/**", permitAll)
                authorize("/user/**", hasAuthority("ROLE_USER"))
            }
            formLogin {
                loginPage = "/log-in"
            }
        }
        httpSecurity.build()
    }
}

If you're using Spring Boot, make sure to use the latest 2.4.0 milestone (2.4.0-M3 at this moment).

@eleftherias
Copy link
Contributor

I'm going to close this issue, if you run into any problems feel free to continue the conversation here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@eleftherias eleftherias

Labels
in: config An issue in spring-security-config type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hantsy @eleftherias @jgrandja @spring-projects-issues