Skip to content

Configure HTTP Security without extending WebSecurityConfigurerAdapter #8804

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
eleftherias opened this issue Jul 7, 2020 · 2 comments · Fixed by #8805
Closed

Configure HTTP Security without extending WebSecurityConfigurerAdapter #8804

eleftherias opened this issue Jul 7, 2020 · 2 comments · Fixed by #8805
Assignees
@eleftherias
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Milestone
5.4.0-RC1

Comments

@eleftherias
Copy link
Contributor

Expected Behavior

Similar to the WebFlux security configuration, we should add the capability to configure HTTP Security by registering a SecurityFilterChain bean, in Servlet applications.

@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
	return http
			.antMatcher("/**")
			.authorizeRequests(authorize -> authorize
					.anyRequest().authenticated()
			)
			.build();
}

Current Behavior

The equivalent configuration by extending the WebSecurityConfigurerAdapter looks like this

@Configuration
static class SecurityConfig extends WebSecurityConfigurerAdapter {
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
			.antMatcher("/**")
			.authorizeRequests(authorize -> authorize
					.anyRequest().authenticated()
			);
	}
}
@eleftherias eleftherias added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Jul 7, 2020
@eleftherias eleftherias added this to the 5.4.0-RC1 milestone Jul 7, 2020
@eleftherias eleftherias self-assigned this Jul 7, 2020
@eleftherias eleftherias mentioned this issue Jul 7, 2020
Merged
eleftherias added a commit to eleftherias/spring-security that referenced this issue Jul 13, 2020
@eleftherias
Remove need for WebSecurityConfigurerAdapter
43e3763 
Closes spring-projectsgh-8804
@eleftherias eleftherias mentioned this issue Aug 5, 2020
Closed
eleftherias added a commit that referenced this issue Aug 5, 2020
@eleftherias
Remove need for WebSecurityConfigurerAdapter
aeafe04 
Closes gh-8804
@eleftherias eleftherias mentioned this issue Aug 21, 2020
Closed
@eleftherias eleftherias mentioned this issue Sep 28, 2020
Closed
@cnry1
Copy link

cnry1 commented Nov 3, 2020

this good

@gbaso
Copy link
Contributor

gbaso commented Nov 14, 2020

What about the AuthenticationManagerBuilder configuration? Suppose I need to conditionally register additional authentication providers. Do I still need to extend WebSecurityConfigurerAdapter? Exposing a AuthenticationManager bean by calling build on the builder throws an exception at startup:

[...]
Caused by: java.lang.IllegalStateException: Cannot apply org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$EnableGlobalAuthenticationAutowiredConfigurer@7c7d3134 to already built object
        at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.add(AbstractConfiguredSecurityBuilder.java:182) ~[spring-security-config-5.4.1.jar:5.4.1]
        at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.apply(AbstractConfiguredSecurityBuilder.java:138) ~[spring-security-config-5.4.1.jar:5.4.1]
        at org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration.getAuthenticationManager(AuthenticationConfiguration.java:119) ~[spring-security-config-5.4.1.jar:5.4.1]
        at org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.authenticationManager(HttpSecurityConfiguration.java:106) ~[spring-security-config-5.4.1.jar:5.4.1]
        at org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.httpSecurity(HttpSecurityConfiguration.java:85) ~[spring-security-config-5.4.1.jar:5.4.1]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
        at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.1.jar:5.3.1]
        ... 54 common frames omitted

sample project: https://github.com/gbaso/spring-security-auth-config

@eleftherias eleftherias mentioned this issue Feb 15, 2021
Closed
@eleftherias eleftherias mentioned this issue Feb 10, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@eleftherias eleftherias

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
None yet
Milestone
5.4.0-RC1
Development

Successfully merging a pull request may close this issue.

Remove need for WebSecurityConfigurerAdapter eleftherias/spring-security
3 participants
@eleftherias @gbaso @cnry1