public abstract class WebSecurityConfigurerAdapter extends Object implements WebSecurityConfigurer<WebSecurity>
WebSecurityConfigurer
instance. The implementation allows customization by overriding methods.EnableWebSecurity| Modifier | Constructor and Description |
|---|---|
protected |
WebSecurityConfigurerAdapter()
Creates an instance with the default configuration enabled.
|
protected |
WebSecurityConfigurerAdapter(boolean disableDefaults)
Creates an instance which allows specifying if the default configuration
should be enabled.
|
protected WebSecurityConfigurerAdapter()
protected WebSecurityConfigurerAdapter(boolean disableDefaults)
disableDefaults - true if the default configuration should be enabled, else
falseprotected void configure(AuthenticationManagerBuilder auth) throws Exception
authenticationManager() to
attempt to obtain an AuthenticationManager. If overridden, the
AuthenticationManagerBuilder should be used to specify the
AuthenticationManager.
The authenticationManagerBean() method can be used to expose the
resulting AuthenticationManager as a Bean. The
userDetailsServiceBean() can be used to expose the last
populated UserDetailsService that is created with the
AuthenticationManagerBuilder as a Bean. The
UserDetailsService will also automatically be populated on
AbstractConfiguredSecurityBuilder.getSharedObject(Class) for use with other
SecurityContextConfigurer (i.e. RememberMeConfigurer )
For example, the following configuration could be used to register in
memory authentication that exposes an in memory
UserDetailsService:
@Override
protected void configure(AuthenticationManagerBuilder auth) {
auth
// enable in memory based authentication with a user named
// "user" and "admin"
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER").and()
.withUser("admin").password("password").roles("USER", "ADMIN");
}
// Expose the UserDetailsService as a Bean
@Bean
@Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return super.userDetailsServiceBean();
}
auth - the AuthenticationManagerBuilder to useExceptionprotected final HttpSecurity getHttp() throws Exception
HttpSecurity or returns the current instanceHttpSecurityExceptionpublic AuthenticationManager authenticationManagerBean() throws Exception
AuthenticationManager from
configure(AuthenticationManagerBuilder) to be exposed as
a Bean. For example:
@Bean(name name="myAuthenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
AuthenticationManagerExceptionprotected AuthenticationManager authenticationManager() throws Exception
AuthenticationManager to use. The default strategy is if
configure(AuthenticationManagerBuilder) method is
overridden to use the AuthenticationManagerBuilder that was passed in.
Otherwise, autowire the AuthenticationManager by type.Exceptionpublic UserDetailsService userDetailsServiceBean() throws Exception
UserDetailsService created from
configure(AuthenticationManagerBuilder) as a bean. In
general only the following override should be done of this method:
@Bean(name = "myUserDetailsService") // any or no name specified is allowed
@Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return super.userDetailsServiceBean();
}
To change the instance returned, developers should change
userDetailsService() insteadException#userDetailsService()}protected UserDetailsService userDetailsService()
UserDetailsService from
userDetailsServiceBean()() without interacting with the
ApplicationContext. Developers should override this method when
changing the instance of userDetailsServiceBean().public void init(WebSecurity web) throws Exception
SecurityConfigurerSecurityBuilder. Here only shared state should be
created and modified, but not properties on the SecurityBuilder
used for building the object. This ensures that the
SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared
objects when building.init in interface SecurityConfigurer<javax.servlet.Filter,WebSecurity>Exceptionpublic void configure(WebSecurity web) throws Exception
WebSecurity. For
example, if you wish to ignore certain requests.configure in interface SecurityConfigurer<javax.servlet.Filter,WebSecurity>Exceptionprotected void configure(HttpSecurity http) throws Exception
HttpSecurity.
Typically subclasses should not invoke this method by calling super
as it may override their configuration. The default configuration is:
http
.authorizeRequests()
.anyRequest().authenticated().and()
.formLogin().and()
.httpBasic();
http - the HttpSecurity to modifyException - if an error occurs@Autowired public void setApplicationContext(ApplicationContext context)
@Autowired(required=false) public void setTrustResolver(AuthenticationTrustResolver trustResolver)
@Autowired(required=false) public void setContentNegotationStrategy(ContentNegotiationStrategy contentNegotiationStrategy)
@Autowired public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor)
@Autowired public void setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration)