A project for Spring Security Java Configuration Support. We plan to release this jar in a number of milestones to be able to iterate quickly. Additionally, this will allow users of Spring Security 3.1.x to use the Java Configuration earlier and give more feedback. Eventually (targeting spring-security-config-3.2.0.RELEASE) we will merge this code in with spring-security-config.
The project is available in the Spring Snapshot Repository. In short ensure you have the following repository in your pom.xml:
<repository>
<id>spring-libs-snapshot</id>
<name>Spring Snapshot Repository</name>
<url>http://repo.springsource.org/snapshot</url>
<releases>
<enabled>false</enabled>
</releases>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
You will then need to include the Spring Security Java Configuration jar.
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-javaconfig</artifactId>
<version>1.0.0.CI-SNAPSHOT</version>
</dependency>
</dependencies>
Below are a few things you can do to get up and running quickly.
The following configuration
@Configuration
@EnableWebSecurity
public class SampleWebSecurityConfigurerAdapater extends WebSecurityConfigurerAdapater {
protected void ignoredRequests(IgnoredRequestRegistry ignoredRequests) {
ignoredRequests
.antMatchers("/resources/**");
}
protected void authorizeUrls(ExpressionUrlAuthorizationRegistry interceptUrls) {
interceptUrls
.antMatchers("/signup","/about").permitAll()
.antMatchers("/**").hasRole("USER");
}
protected void configure(HttpConfiguration http) throws Exception {
http
.formLogin()
// permitAll for any URL used with formLogin
.permitAll();
}
protected void registerAuthentication(AuthenticationRegistry registry) {
registry
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER").and()
.withUser("admin").password("password").roles("USER", "ADMIN").and();
}
}
is similar to the following XML configuration:
<http security="none" pattern="/resources/**"/>
<http use-expressions="true">
<intercept-url pattern="/logout" access="permitAll"/>
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/signup" access="permitAll"/>
<intercept-url pattern="/about" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<logout
logout-success-url="/login?logout"
logout-url="/logout"
<form-login
authentication-failure-url="/login?error"
login-page="/login"
login-processing-url="/login" <!-- but only POST -->
password-parameter="password"
username-parameter="username"
/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user username="user" password="password" authorities="ROLE_USER"/>
<user username="admin" password="password" authorities="ROLE_USER,ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
Notice that Spring Security uses different defaults that will make your HTTP requests appear more RESTful. For example, the URL /login POST is used to authenticate users. The URL /login GET is used to request the user for credentials (i.e. present a login form).
Global configuration is quite simple. For example, the following Java Configuration:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SampleWebSecurityConfig {
@Bean
public MethodSecurityService methodSecurityService() {
return new MethodSecurityServiceImpl()
}
@Bean
public AuthenticationManager authenticationManager() throws Exception {
return new AuthenticationRegistry()
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER").and()
.withUser("admin").password("password").roles("USER", "ADMIN").and()
.build();
}
}
is the equivalent of:
<global-method-security pre-post-annotations="enabled"/>
<authentication-manager>
<authentication-provider>
<user-service>
<user username="user" password="password" authorities="ROLE_USER"/>
<user username="admin" password="password" authorities="ROLE_USER,ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
<beans:bean id="methodSecuriytService" class="MethodSecurityServiceImpl"/>
There are additional attributes on EnableGlobalMethodSecurity, but in more advanced situations you may want to refer to another object. In order to do this,
override the GlobalMethodSecurityConfiguration class. For example, following Java configuration demonstrates how to override the MethodExpressionHandler to use
CustomPermissionEvaluator.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class CustomPermissionEvaluatorWebSecurityConfig extends GlobalMethodSecurityConfiguration {
@Bean
public MethodSecurityService methodSecurityService() {
return new MethodSecurityServiceImpl()
}
@Override
protected MethodSecurityExpressionHandler expressionHandler() {
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(new CustomPermissionEvaluator());
return expressionHandler;
}
@Override
protected AuthenticationManager authenticationManager() throws Exception {
return new AuthenticationRegistry()
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER").and()
.withUser("admin").password("password").roles("USER", "ADMIN").and()
.build();
}
}
The configuration above is the similar to the following XML configuration:
<global-method-security pre-post-annotations="enabled">
<expression-handler ref="expressionHandler"/>
</global-method-security>
<authentication-manager>
<authentication-provider>
<user-service>
<user username="user" password="password" authorities="ROLE_USER"/>
<user username="admin" password="password" authorities="ROLE_USER,ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
<beans:bean id="methodSecuriytService" class="MethodSecurityServiceImpl"/>
<beans:bean id="expressionHandler" class="CustomExpressionHandler"/>
We include a number of complete Sample Web Applications that use Spring Security Java Configuration. Also refer to the tests for further examples. You will notice a convention of NamespaceTests where is the Security Namespace Element. For example, to learn how the element and its attributes map to Spring Security Java Configuration look in the NamespaceHttpTests
Before contributing or logging an issue please be sure to the issue does not already exist in this project's issue tracking. If one does not exist, please create an issue.
If you see anything you'd like to change we encourage taking advantage of github's social coding features by making the change in a fork of this repository and sending a pull request.
Before we accept a non-trivial patch or pull request we will need you to sign the contributor's agreement. Signing the contributor's agreement does not grant anyone commit rights to the main repository, but it does mean that we can accept your contributions, and you will get an author credit if we do. Active contributors might be asked to join the core team, and given the ability to merge pull requests.
The Spring Security Java Config project is available under version 2.0 of the Apache License.