Configure WebSecurity using WebSecurityCustomizer #23421


Closed
eleftherias opened this issue Sep 21, 2020 · 2 comments

@eleftherias

In Spring Security 5.4 we introduced the WebSecurityCustomizer to allow customizing WebSecurity without needing the WebSecurityConfigurerAdapter.

Any customizations to WebSecurity should be done by exposing a WebSecurityCustomizer bean.

```java
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
	return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
}
```

See #22739 (comment) for more details around removing the use of WebSecurityConfigurerAdapter.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 21, 2020
@philwebb philwebb added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 21, 2020
@philwebb philwebb added this to the 2.4.x milestone Sep 21, 2020
@wilkinsona
Member

Thanks, @eleftherias.

As far as I can tell, all of the WebSecurityConfigurerAdapter sub-classes that we have are configuring HttpSecurity rather than WebSecurity. Am I right in thinking that those should stay as they are?

We do have one WebSecurityConfigurer implementation. Should that be migrated to a WebSecurityCustomizer?

@eleftherias
Author

@wilkinsona Yes, the WebSecurityConfigurer should be migrated to a WebSecurityCustomizer.

We also recommend eventually migrating all of the WebSecurityConfigurerAdapter sub-classes that we have that are configuring HttpSecurity, since using the SecurityFilterChain bean will be the recommended approach to configure HttpSecurity going forward.
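
The migration discussed in this thread, as an added example that is not part of the original issue or the project's code: a `WebSecurityConfigurerAdapter` subclass replaced by a `WebSecurityCustomizer` bean and a `SecurityFilterChain` bean. It assumes the Spring Security 5.4 API; the class name and all paths are hypothetical. It also shows the distinction that matters when choosing between the two: `web.ignoring()` removes a path from the security filter chain entirely, while `permitAll()` keeps it filtered.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

// Added example: class name and paths are hypothetical, not from the issue.
@Configuration
public class ExampleSecurityConfiguration {

	// Formerly configure(WebSecurity web) in a WebSecurityConfigurerAdapter.
	// Requests matched here bypass every security filter: no security headers,
	// no CSRF protection, no SecurityContext. Keep the list to static resources.
	@Bean
	public WebSecurityCustomizer webSecurityCustomizer() {
		return (web) -> web.ignoring().antMatchers("/css/**", "/js/**");
	}

	// Formerly configure(HttpSecurity http) in a WebSecurityConfigurerAdapter.
	@Bean
	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
		http
			.authorizeRequests((requests) -> requests
				// Public, but still passes through the filter chain, so headers,
				// CSRF handling and the SecurityContext remain in effect.
				.antMatchers("/public/**").permitAll()
				.anyRequest().authenticated())
			.formLogin(Customizer.withDefaults());
		return http.build();
	}
}
```

An endpoint that serves dynamic content but needs no login belongs under `permitAll()` in the `SecurityFilterChain`, not in the `ignoring()` list.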

@wilkinsona wilkinsona added the for: team-attention An issue we'd like other members of the team to review label Oct 13, 2020
@philwebb philwebb removed the for: team-attention An issue we'd like other members of the team to review label Oct 14, 2020
@philwebb philwebb self-assigned this Oct 14, 2020
philwebb added a commit that referenced this issue Oct 27, 2020
Add a dedicated condition annotation to detect when Spring Security is
available but has not been configured by the user. The new annotation
helps simplify quite a few of our auto-configuration classes.

See gh-23421
@wilkinsona wilkinsona modified the milestones: 2.4.x, 2.4.0-RC1 Oct 27, 2020
@wilkinsona wilkinsona added type: task A general task and removed type: enhancement A general enhancement labels Oct 27, 2020