Spring Security XML Config Vs Java Config

I have XML config for Spring Security, that I've made through tonnes of guides. It is supposed to intercept URLs and, with custom filters, provide authentication with an LDAP authentication manager.

So here it is:

    <http create-session="stateless" auto-config='false' use-expressions="true">
        <anonymous enabled="true"/>
        <intercept-url pattern="/index.html" access="permitAll()" method="GET"/>
        <intercept-url pattern="/login" access="permitAll()" method="GET"/>

        <custom-filter before="LAST" ref="statelessLoginFilter"/>
        <custom-filter before="PRE_AUTH_FILTER" ref="statelessAuthFilter"/>

        <intercept-url pattern="/one*" access="hasRole('ROLE_ONE')" method="GET"/>
        <intercept-url pattern="/two*" access="hasRole('ROLE_TWO')" method="GET"/>

        <!-- another intercept-url stuff -->

        <csrf disabled="true"/>

        <!-- authentication manager and stuff -->
    </http>

Right now I'm trying to rewrite it with Java Config. But I can't get how to use custom filters in there. There's .addFilterBefore but I can't just put before="LAST" or before="PRE_AUTH_FILTER" there. Because there's no such thing. How can I rewrite this?

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        GenericFilterBean statelessAuthFilter;
        @Autowired
        AbstractAuthenticationProcessingFilter statelessLoginFilter;

        public SecurityConfig() {
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                .antMatchers("/one**", "/two**").access("hasRole('ONE')")
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()

                .and()
                .addFilterBefore(statelessAuthFilter, GenericFilterBean.class)
                .addFilterBefore(statelessLoginFilter, BasicAuthenticationFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

                .and().anonymous()
                .and().csrf().disable();
        }
    }
ottercoder asked Jan 21 '26 10:01


1 Answer

You have to identify the specific filter classes.

For example, the default LAST filter should be FilterSecurityInterceptor (see Filter Ordering).

The PRE_AUTH_FILTER could be anything extending AbstractPreAuthenticatedProcessingFilter, depending on what you've configured.

Basically, the Java Config forces you to be explicit in your ordering, to avoid nasty surprises later.

OrangeDog answered Jan 23 '26 01:01
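An added example, not part of the question or the answer: the question's XML translated to Java config along the lines the answer gives, with each custom filter anchored to a concrete filter class that Spring Security has a position for. It assumes the WebSecurityConfigurerAdapter-based API the question uses and takes the answer's suggestion of FilterSecurityInterceptor for LAST; typing the injected beans as javax.servlet.Filter with a @Qualifier is a choice made here.

```java
import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Bean names are the ref attributes from the question's XML.
    @Autowired @Qualifier("statelessAuthFilter")
    private Filter statelessAuthFilter;
    @Autowired @Qualifier("statelessLoginFilter")
    private Filter statelessLoginFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // <custom-filter before="PRE_AUTH_FILTER" ref="statelessAuthFilter"/>
            .addFilterBefore(statelessAuthFilter, AbstractPreAuthenticatedProcessingFilter.class)
            // <custom-filter before="LAST" ref="statelessLoginFilter"/>, LAST mapped as in the answer
            .addFilterBefore(statelessLoginFilter, FilterSecurityInterceptor.class)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().anonymous()
            .and().csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/index.html", "/login").permitAll()
                // One rule per role, as in the XML; hasRole("ONE") checks for ROLE_ONE.
                .antMatchers(HttpMethod.GET, "/one*").hasRole("ONE")
                .antMatchers(HttpMethod.GET, "/two*").hasRole("TWO")
                // Not in the XML shown; kept from the question's Java attempt.
                .anyRequest().authenticated();
    }
}
```

Compared with the XML, the Java attempt in the question puts /one** and /two** behind the same role and drops the GET restriction and the /index.html rule, so a line-by-line comparison of the authorization rules is worth doing alongside the filter ordering.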


