public final class WebSecurity extends AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity> implements SecurityBuilder<javax.servlet.Filter>, ApplicationContextAware
The WebSecurity is created by WebSecurityConfiguration
to create the FilterChainProxy known as the Spring Security Filter
Chain (springSecurityFilterChain). The springSecurityFilterChain is the
Filter that the DelegatingFilterProxy delegates to.
Customizations to the WebSecurity can be made by creating a
WebSecurityConfigurer or more likely by overriding
WebSecurityConfigurerAdapter.
EnableWebSecurity,
WebSecurityConfiguration| Modifier and Type | Class and Description |
|---|---|
class |
WebSecurity.IgnoredRequestConfigurer
Allows registering
RequestMatcher instances that should be
ignored by Spring Security. |
| Constructor and Description |
|---|
WebSecurity(ObjectPostProcessor<Object> objectPostProcessor)
Creates a new instance
|
apply, apply, beforeConfigure, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers, setSharedObjectbuild, getObjectclone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitbuildpublic WebSecurity(ObjectPostProcessor<Object> objectPostProcessor)
objectPostProcessor - the ObjectPostProcessor to useWebSecurityConfigurationpublic WebSecurity.IgnoredRequestConfigurer ignoring()
Allows adding RequestMatcher instances that should that Spring
Security should ignore. Web Security provided by Spring Security
(including the SecurityContext) will not be available on
HttpServletRequest that match. Typically the requests that are
registered should be that of only static resources. For requests that are
dynamic, consider mapping the request to allow all users instead.
webSecurityBuilder
.ignoring()
// ignore all URLs that start with /resources/ or /static/
.antMatchers("/resources/**", "/static/**");
Alternatively this will accomplish the same result:
webSecurityBuilder
.ignoring()
// ignore all URLs that start with /resources/ or /static/
.antMatchers("/resources/**")
.antMatchers("/static/**");
Multiple invocations of ignoring() are also additive, so the following is
also equivalent to the previous two examples:
Alternatively this will accomplish the same result:
webSecurityBuilder
.ignoring()
// ignore all URLs that start with /resources/
.antMatchers("/resources/**");
webSecurityBuilder
.ignoring()
// ignore all URLs that start with /static/
.antMatchers("/static/**");
// now both URLs that start with /resources/ and /static/ will be ignored
WebSecurity.IgnoredRequestConfigurer to use for registering request
that should be ignoredpublic WebSecurity httpFirewall(HttpFirewall httpFirewall)
HttpFirewall. The default is
DefaultHttpFirewall.httpFirewall - the custom HttpFirewallWebSecurity for further customizationspublic WebSecurity debug(boolean debugEnabled)
debugEnabled - if true, enables debug support with Spring Security. Default
is false.WebSecurity for further customization.EnableWebSecurity.debug()public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder)
Adds builders to create SecurityFilterChain instances.
Typically this method is invoked automatically within the framework from
WebSecurityConfigurerAdapter.init(WebSecurity)
securityFilterChainBuilder - the builder to use to create the SecurityFilterChain
instancesWebSecurity for further customizationspublic WebSecurity privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator)
WebInvocationPrivilegeEvaluator to be used. If this is
null, then a DefaultWebInvocationPrivilegeEvaluator will be
created when securityInterceptor(FilterSecurityInterceptor)
is non null.privilegeEvaluator - the WebInvocationPrivilegeEvaluator to useWebSecurity for further customizationspublic WebSecurity expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler)
SecurityExpressionHandler to be used. If this is null,
then a DefaultWebSecurityExpressionHandler will be used.expressionHandler - the SecurityExpressionHandler to useWebSecurity for further customizationspublic SecurityExpressionHandler<FilterInvocation> getExpressionHandler()
SecurityExpressionHandler to be used.public WebInvocationPrivilegeEvaluator getPrivilegeEvaluator()
WebInvocationPrivilegeEvaluator to be used.public WebSecurity securityInterceptor(FilterSecurityInterceptor securityInterceptor)
FilterSecurityInterceptor. This is typically invoked by WebSecurityConfigurerAdapter.securityInterceptor - the FilterSecurityInterceptor to useWebSecurity for further customizationspublic WebSecurity postBuildAction(Runnable postBuildAction)
postBuildAction - WebSecurity for further customizationsprotected javax.servlet.Filter performBuild()
throws Exception
AbstractConfiguredSecurityBuilderperformBuild in class AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity>Exceptionpublic void setApplicationContext(ApplicationContext applicationContext) throws BeansException
setApplicationContext in interface ApplicationContextAwareBeansException