Configure Spring Security without XML in Spring 4
Solution 1
I am doing something similar now. Someone might find this helpful in the future. Doing an xml to java config translation would make it look like the following:
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@EnableGlobalMethodSecurity(securedEnabled=true) //<security:global-method-security secured-annotations="enabled" />
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
@Qualifier("authenticationTokenProcessingFilter")
private Filter authenticationTokenProcessingFilter;
@Autowired
private AuthenticationEntryPoint entryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.exceptionHandling().authenticationEntryPoint(entryPoint);
http //auto-config="true"
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic();
http
.authorizeRequests() // use-expressions="true"
.antMatchers("/authenticate").permitAll() //<security:intercept-url pattern="/authenticate" access="permitAll" />
.antMatchers("/secure/**").authenticated() //<security:intercept-url pattern="/secure/**" access="isAuthenticated()" />
.and()
.addFilterBefore(authenticationTokenProcessingFilter, UsernamePasswordAuthenticationFilter.class) // <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" /> http://docs.spring.io/spring-security/site/docs/3.0.x/reference/ns-config.html
;
}
}
Solution 2
This should interest you:
Security Method Annotations with Java Configuration and Spring Security 3.2
and
http://spring.io/blog/2013/07/04/spring-security-java-config-preview-method-security/
From what you are doing I dont see this annotation in the code you posted.
**@EnableGlobalMethodSecurity**
jordan.baucke
Software developer, Lately: C++ / Qt, Java, Javascript CTO @ Evasyst.com where we do: WebRTC C++/Qt GPU / Graphics ESports Denver, CO., USA, Hong Kong, P.R.C. San Francisco, CA. Irvine, CA. I am a business, economics, finance enthusiast, and a libertarian. Recruiters here.
Updated on June 26, 2022Comments
-
jordan.baucke almost 2 years
I want to use a
custom authentication filter
that:- captures an encrypted header token
- after validating it, extracts the user's details and adds them to the current request's security context in a stateless way
I want to be able to use this security context holder to get the details about the current requesting user correctly handle their requests.
@RequestMapping(value = "/simple", method = RequestMethod.POST) @ResponseBody @Transactional @Preauthorize(...) public String simple(){ //collect the user's current details from the getPrinciple() and complete the transaction... Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); return "Simple"; }
I have done this before in XML like so:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd"> <security:global-method-security secured-annotations="enabled" /> <security:http pattern="/**" auto-config="true" disable-url-rewriting="true" use-expressions="true"> <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" /> <security:intercept-url pattern="/authenticate" access="permitAll" /> <security:intercept-url pattern="/secure/**" access="isAuthenticated()" /> </security:http> <bean id="CustomAuthenticationEntryPoint" class="org.foo.CustomAuthenticationEntryPoint" /> <bean class="org.foo.AuthenticationTokenProcessingFilter" id="authenticationTokenProcessingFilter"> <constructor-arg ref="authenticationManager" /> </bean> </beans>
However, I want this to work with a newer
Spring Boot
application in a non-xml WebSecurityConfigurerAdapter like the example in their Spring Boot files:@Bean public ApplicationSecurity applicationSecurity() { return new ApplicationSecurity(); } @Order(Ordered.LOWEST_PRECEDENCE - 8) protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { // this is obviously for a simple "login page" not a custom filter! http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin() .loginPage("/login").failureUrl("/login?error").permitAll(); } }
Any advice or similar examples out there?