Closed
Description
`authorizeHttpRequests` replaces `authorizeRequests`. Specifically, it presents applications with the option to use a simplified API for programmatic authorization through `AuthorizationManager`.

It would be nice to pick up authorization manager `@Bean`s and apply them by default. This would simplify constructs like:
```java
@Bean
SecurityFilterChain web(HttpSecurity http, AuthorizationManager<RequestAuthorizationContext> manager) throws Exception {
    // The manager bean is injected and wired in explicitly.
    http
        .authorizeHttpRequests((authorize) -> authorize
            .anyRequest().access(manager)
        );
    // ...
    return http.build();
}

@Bean
AuthorizationManager<RequestAuthorizationContext> manager() {
    return AuthorityAuthorizationManager.hasRole("USER");
}
```
to become:
```java
@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
    // Proposed: the published manager bean is applied by default.
    http
        .authorizeHttpRequests(Customizer.withDefaults());
    // ...
    return http.build();
}

@Bean
AuthorizationManager<HttpServletRequest> manager() {
    return AuthorityAuthorizationManager.hasRole("USER");
}
```
Then, applications can specify the authorization subsystem simply by publishing a bean.
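Until something like this is applied by default, the bean can be picked up explicitly. The following is an added example, not code from this issue or from Spring Security: it injects the manager through `ObjectProvider` and falls back to a deny-all manager when no single bean is available, so a missing or ambiguous bean fails closed. The class name and the `DENY_ALL` constant are hypothetical.

```java
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
public class AuthorizationManagerBeanConfig { // hypothetical class name

    // Fallback used when no unique manager bean is published: deny every request.
    private static final AuthorizationManager<RequestAuthorizationContext> DENY_ALL =
            (authentication, context) -> new AuthorizationDecision(false);

    @Bean
    SecurityFilterChain web(HttpSecurity http,
            ObjectProvider<AuthorizationManager<RequestAuthorizationContext>> managers) throws Exception {
        // getIfUnique returns the fallback when zero beans, or several
        // non-primary beans, of this exact generic type exist.
        AuthorizationManager<RequestAuthorizationContext> manager =
                managers.getIfUnique(() -> DENY_ALL);
        http
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().access(manager)
            );
        return http.build();
    }

    // Publishing this bean is all an application does to set the policy.
    @Bean
    AuthorizationManager<RequestAuthorizationContext> manager() {
        return AuthorityAuthorizationManager.hasRole("USER");
    }
}
```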