public final class WebSecurity extends AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity> implements SecurityBuilder<javax.servlet.Filter>, ApplicationContextAware
The WebSecurity is created by WebSecurityConfiguration to create the
FilterChainProxy known as the Spring Security Filter Chain
(springSecurityFilterChain). The springSecurityFilterChain is the Filter that
the DelegatingFilterProxy delegates to.
Customizations to the WebSecurity can be made by creating a
WebSecurityConfigurer or more likely by overriding
WebSecurityConfigurerAdapter.
See Also:
EnableWebSecurity, WebSecurityConfiguration

| Modifier and Type | Class and Description |
|---|---|
| class | WebSecurity.IgnoredRequestConfigurer: Allows registering RequestMatcher instances that should be ignored by Spring Security. |

| Constructor and Description |
|---|
| WebSecurity(ObjectPostProcessor<Object> objectPostProcessor): Creates a new instance |

| Modifier and Type | Method and Description |
|---|---|
| WebSecurity | addSecurityFilterChainBuilder(SecurityBuilder<? extends org.springframework.security.web.SecurityFilterChain> securityFilterChainBuilder): Adds builders to create SecurityFilterChain instances. |
| WebSecurity | debug(boolean debugEnabled): Controls debugging support for Spring Security. |
| WebSecurity | expressionHandler(org.springframework.security.access.expression.SecurityExpressionHandler<org.springframework.security.web.FilterInvocation> expressionHandler): Set the SecurityExpressionHandler to be used. |
| org.springframework.security.access.expression.SecurityExpressionHandler<org.springframework.security.web.FilterInvocation> | getExpressionHandler(): Gets the SecurityExpressionHandler to be used. |
| org.springframework.security.web.access.WebInvocationPrivilegeEvaluator | getPrivilegeEvaluator(): Gets the WebInvocationPrivilegeEvaluator to be used. |
| WebSecurity | httpFirewall(org.springframework.security.web.firewall.HttpFirewall httpFirewall): Allows customizing the HttpFirewall. |
| WebSecurity.IgnoredRequestConfigurer | ignoring(): Allows adding RequestMatcher instances that Spring Security should ignore. |
| protected javax.servlet.Filter | performBuild(): Subclasses must implement this method to build the object that is being returned. |
| WebSecurity | postBuildAction(Runnable postBuildAction): Executes the Runnable immediately after the build takes place |
| WebSecurity | privilegeEvaluator(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator privilegeEvaluator): Set the WebInvocationPrivilegeEvaluator to be used. |
| WebSecurity | securityInterceptor(org.springframework.security.web.access.intercept.FilterSecurityInterceptor securityInterceptor): Sets the FilterSecurityInterceptor. |
| void | setApplicationContext(ApplicationContext applicationContext) |

Methods inherited from class AbstractConfiguredSecurityBuilder:
apply, apply, beforeConfigure, beforeInit, doBuild, getConfigurer, getConfigurers, getOrBuild, getSharedObject, getSharedObjects, objectPostProcessor, postProcess, removeConfigurer, removeConfigurers, setSharedObject

Methods inherited from class AbstractSecurityBuilder:
build, getObject

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface SecurityBuilder:
build

public WebSecurity(ObjectPostProcessor<Object> objectPostProcessor)
Creates a new instance
Parameters:
objectPostProcessor - the ObjectPostProcessor to use
See Also:
WebSecurityConfiguration

public WebSecurity.IgnoredRequestConfigurer ignoring()
Allows adding RequestMatcher instances that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on any HttpServletRequest that matches. Typically, only requests for static resources should be registered. For requests that are dynamic, consider mapping the request to allow all users instead.

```java
webSecurityBuilder.ignoring()
    // ignore all URLs that start with /resources/ or /static/
    .antMatchers("/resources/**", "/static/**");
```

Alternatively this will accomplish the same result:

```java
webSecurityBuilder.ignoring()
    // ignore all URLs that start with /resources/ or /static/
    .antMatchers("/resources/**").antMatchers("/static/**");
```

Multiple invocations of ignoring() are also additive, so the following is also equivalent to the previous two examples:

```java
webSecurityBuilder.ignoring()
    // ignore all URLs that start with /resources/
    .antMatchers("/resources/**");
webSecurityBuilder.ignoring()
    // ignore all URLs that start with /static/
    .antMatchers("/static/**");
// now both URLs that start with /resources/ and /static/ will be ignored
```

Returns:
the WebSecurity.IgnoredRequestConfigurer to use for registering requests that should be ignored

public WebSecurity httpFirewall(org.springframework.security.web.firewall.HttpFirewall httpFirewall)
Allows customizing the HttpFirewall. The default is DefaultHttpFirewall.
Parameters:
httpFirewall - the custom HttpFirewall
Returns:
the WebSecurity for further customizations

public WebSecurity debug(boolean debugEnabled)
Controls debugging support for Spring Security.
Parameters:
debugEnabled - if true, enables debug support with Spring Security. Default is false.
Returns:
the WebSecurity for further customization.
See Also:
EnableWebSecurity.debug()

public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends org.springframework.security.web.SecurityFilterChain> securityFilterChainBuilder)
Adds builders to create SecurityFilterChain instances.
Typically this method is invoked automatically within the framework from WebSecurityConfigurerAdapter.init(WebSecurity)
Parameters:
securityFilterChainBuilder - the builder to use to create the SecurityFilterChain instances
Returns:
the WebSecurity for further customizations

public WebSecurity privilegeEvaluator(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator privilegeEvaluator)
Set the WebInvocationPrivilegeEvaluator to be used. If this is null, then a DefaultWebInvocationPrivilegeEvaluator will be created when securityInterceptor(FilterSecurityInterceptor) is non null.
Parameters:
privilegeEvaluator - the WebInvocationPrivilegeEvaluator to use
Returns:
the WebSecurity for further customizations

public WebSecurity expressionHandler(org.springframework.security.access.expression.SecurityExpressionHandler<org.springframework.security.web.FilterInvocation> expressionHandler)
Set the SecurityExpressionHandler to be used. If this is null, then a DefaultWebSecurityExpressionHandler will be used.
Parameters:
expressionHandler - the SecurityExpressionHandler to use
Returns:
the WebSecurity for further customizations

public org.springframework.security.access.expression.SecurityExpressionHandler<org.springframework.security.web.FilterInvocation> getExpressionHandler()
Gets the SecurityExpressionHandler to be used.

public org.springframework.security.web.access.WebInvocationPrivilegeEvaluator getPrivilegeEvaluator()
Gets the WebInvocationPrivilegeEvaluator to be used.

public WebSecurity securityInterceptor(org.springframework.security.web.access.intercept.FilterSecurityInterceptor securityInterceptor)
Sets the FilterSecurityInterceptor. This is typically invoked by WebSecurityConfigurerAdapter.
Parameters:
securityInterceptor - the FilterSecurityInterceptor to use
Returns:
the WebSecurity for further customizations

public WebSecurity postBuildAction(Runnable postBuildAction)
Executes the Runnable immediately after the build takes place
Parameters:
postBuildAction -
Returns:
the WebSecurity for further customizations

protected javax.servlet.Filter performBuild() throws Exception
Description copied from class: AbstractConfiguredSecurityBuilder
Subclasses must implement this method to build the object that is being returned.
Specified by:
performBuild in class AbstractConfiguredSecurityBuilder<javax.servlet.Filter,WebSecurity>
Throws:
Exception

public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
Specified by:
setApplicationContext in interface ApplicationContextAware
Throws:
BeansException
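
An added example (not part of the Spring Security Javadoc) showing the split the ignoring() description recommends: static resources are registered with ignoring(), while dynamic public endpoints stay inside the filter chain and are opened with permitAll(). The class name, the /health and /public/** paths, and the use of StrictHttpFirewall (which assumes a Spring Security release that ships it) are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Hypothetical configuration class; name and paths are illustrative.
@Configuration
@EnableWebSecurity
public class StaticAndPublicSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Static assets only: matching requests bypass every Spring Security
        // filter, so no SecurityContext is available while serving them.
        web.ignoring()
            .antMatchers("/resources/**", "/static/**");

        web
            // Swap the DefaultHttpFirewall for the stricter implementation
            // (assumption: StrictHttpFirewall is on the classpath).
            .httpFirewall(new StrictHttpFirewall())
            // Leave debug support at its default outside local troubleshooting.
            .debug(false);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Dynamic but public: still passes through the filter chain,
                // so the SecurityContext remains available to the handler.
                .antMatchers("/health", "/public/**").permitAll()
                // Everything else requires an authenticated user.
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

A dynamic endpoint placed under ignoring() instead of permitAll() would lose the SecurityContext, so any handler logic that inspects the current user would see none.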