Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8784

Closed
@romilptl

Description

@romilptl

WebSecurityConfigurerAdapter provides us with two methods, configure(WebSecurity web) and configure(HttpSecurity http), to configure security as required.

Let's consider the code below. We can ignore authentication for the endpoints provided within antMatchers using both methods. According to the answers on StackOverflow:

  • configure(WebSecurity web)

Endpoints used in the configure(WebSecurity web) method bypass the Spring Security filters; security features (secure headers, CSRF protection etc.) are also ignored, no security context will be set, and the endpoints cannot be protected against Cross-Site Scripting (XSS) attacks or content sniffing.

  • configure(HttpSecurity http)

Endpoints used in the configure(HttpSecurity http) method skip authentication for the paths listed in antMatchers, while the other security features, such as secure headers, CSRF protection etc., remain in effect.

  1. Can we add more details on when someone should use WebSecurity vs. HttpSecurity for endpoints that do not require authentication?
  2. How do they actually differ and work?

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/login", "/register", "/api/public/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/login", "/register", "/api/public/**").permitAll()
            .anyRequest().authenticated();
    }
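The following is an added example, not code from the issue above or from the Spring Security project, that makes the difference between the two methods observable: a configuration that reserves web.ignoring() for static assets and uses permitAll() for the public API, a minimal controller, and a MockMvc test asserting that the permitAll endpoints still receive the default security headers and CSRF enforcement while the ignored path receives neither. The package name, class names, paths (/static/**, /api/public/ping, /api/public/echo) and a surrounding Spring Boot 2.x application with spring-boot-starter-security and spring-boot-starter-test are assumptions made for the example.

```java
package example.security; // hypothetical package, constructed for this example

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class PublicEndpointSecurityConfig extends WebSecurityConfigurerAdapter {

    // web.ignoring(): the request never enters the Spring Security filter chain.
    // No HeaderWriterFilter, no CsrfFilter, no SecurityContext. Reserve this for
    // static assets that carry no user-specific data.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/static/**");
    }

    // permitAll(): the request still passes through every filter; only the
    // authorization decision is relaxed for the listed paths.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/register", "/api/public/**").permitAll()
                .anyRequest().authenticated();
        // Nothing else is configured on purpose: the default header writers
        // (X-Content-Type-Options, X-Frame-Options, ...) and CSRF protection stay active.
    }
}

// Minimal controller so the public paths resolve to real handlers (constructed for the example).
@RestController
class PublicApiController {

    @GetMapping("/api/public/ping")
    public String ping() {
        return "pong";
    }

    @PostMapping("/api/public/echo")
    public String echo(@RequestBody String body) {
        return body;
    }
}

// ---- src/test/java/example/security/PublicEndpointSecurityTest.java (hypothetical path) ----
// import org.junit.jupiter.api.Test;
// import org.springframework.beans.factory.annotation.Autowired;
// import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
// import org.springframework.boot.test.context.SpringBootTest;
// import org.springframework.test.web.servlet.MockMvc;
// import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
// import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
// import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
// import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
//
// @SpringBootTest
// @AutoConfigureMockMvc
// class PublicEndpointSecurityTest {
//
//     @Autowired MockMvc mockMvc;
//
//     @Test // permitAll path: filter chain ran, so the default headers are present
//     void permitAllEndpointStillGetsSecurityHeaders() throws Exception {
//         mockMvc.perform(get("/api/public/ping"))
//             .andExpect(status().isOk())
//             .andExpect(header().string("X-Content-Type-Options", "nosniff"))
//             .andExpect(header().exists("X-Frame-Options"));
//     }
//
//     @Test // permitAll path: CsrfFilter still rejects a state-changing request without a token
//     void permitAllEndpointStillEnforcesCsrf() throws Exception {
//         mockMvc.perform(post("/api/public/echo").content("hello"))
//             .andExpect(status().isForbidden());
//     }
//
//     @Test // ignored path: no filter ran, so no header writer added anything
//     void ignoredPathGetsNoSecurityHeaders() throws Exception {
//         mockMvc.perform(get("/static/app.js"))
//             .andExpect(header().doesNotExist("X-Content-Type-Options"));
//     }
// }
```

The test class is shown commented out only because it lives in a second file; uncomment it in its own source file. The three assertions are the practical rule of thumb: if a path should keep secure headers, CSRF protection or a populated SecurityContext (for example, a login page that later needs a CSRF token), use permitAll() in configure(HttpSecurity); use web.ignoring() only where none of the filters are wanted at all.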

Metadata

Assignees

No one assigned

Labels

    in: docs (An issue in Documentation or samples), status: backported (An issue that has been backported to maintenance branches), type: enhancement (A general enhancement)
