Spring Security configuration module providing comprehensive declarative security configuration capabilities for Spring applications
npx @tessl/cli install tessl/maven-org-springframework-security--spring-security-config@6.5.0

Spring Security Config provides comprehensive declarative security configuration capabilities for Spring applications. It offers annotation-based configuration, fluent builders, and specialized configurers to define authentication, authorization, and security policies without hand-assembling the servlet filter chain in code. (Note that the install command above pins 6.5.0 while the Maven snippet below declares 6.5.1; use one version consistently.)
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>6.5.1</version>
</dependency>import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // Authorization is deny-by-default: only the /public/** subtree is open, every other
    // request needs an authenticated principal. The specific rule is registered before the
    // catch-all on purpose. NOTE(review): rules are understood to be evaluated in
    // registration order (first match wins), so do not swap these two statements.
    http.authorizeHttpRequests(requests -> {
        requests.requestMatchers("/public/**").permitAll();
        requests.anyRequest().authenticated();
    });
    // Custom login page. permitAll() is required so that an unauthenticated browser being
    // redirected to /login can actually load it.
    http.formLogin(login -> login.loginPage("/login").permitAll());
    // Logout endpoints are reachable without authentication as well.
    http.logout(out -> out.permitAll());
    // NOTE(review): nothing here touches csrf() or headers(); this chain relies on the
    // builder's defaults for CSRF protection and response security headers. Verify the
    // effective chain (e.g. with debug output) rather than assuming they are active.
    return http.build();
}
@Bean
public UserDetailsService userDetailsService() {
    // Demo-only user store with a single in-memory account.
    // NOTE(review): withDefaultPasswordEncoder() is the getting-started helper, and both the
    // username and the password are literals in source. That is acceptable for a sample but
    // not for anything deployed: keep credentials out of code and construct users with an
    // explicitly configured password encoder before this leaves the demo stage.
    return new InMemoryUserDetailsManager(
            User.withDefaultPasswordEncoder()
                    .username("user")
                    .password("password")
                    .roles("USER")
                    .build());
}
}
Spring Security Config uses a layered architecture: annotations (such as @EnableWebSecurity and @EnableMethodSecurity) switch a feature set on; builders (HttpSecurity, WebSecurity, AuthenticationManagerBuilder) assemble the configuration; and configurers (FormLoginConfigurer, CsrfConfigurer, OAuth2LoginConfigurer, ...) plug individual features into a builder.
The module integrates with Spring's dependency injection container and follows the builder pattern for configuration flexibility.
Essential annotations for enabling and configuring Spring Security features.
/**
 * Enables servlet (Spring MVC) web security by importing the configuration classes listed
 * in @Import. The SecurityConfig example above relies on this annotation to have an
 * HttpSecurity injected into its SecurityFilterChain bean method. @EnableGlobalAuthentication
 * is applied transitively.
 */
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Import({WebSecurityConfiguration.class, SpringWebMvcImportSelector.class,
        OAuth2ImportSelector.class, HttpSecurityConfiguration.class})
@EnableGlobalAuthentication
public @interface EnableWebSecurity {
    /**
     * Debug output for the security filter chain. Leave at false outside development.
     * NOTE(review): debug mode is understood to log per-request filter-chain details, which
     * then end up in whatever log sink the application uses - confirm before enabling.
     */
    boolean debug() default false;
}
/**
 * Enables method-level authorization; the Spring Security 6 replacement for the deprecated
 * @EnableGlobalMethodSecurity further down. Note the different defaults: prePostEnabled is
 * true here but false on the deprecated annotation, so the pre/post annotation family
 * becomes active simply by switching annotations, while securedEnabled and jsr250Enabled
 * remain opt-in.
 */
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Import(MethodSecurityConfiguration.class)
public @interface EnableMethodSecurity {
    /** Pre/post authorization annotations; on by default. */
    boolean prePostEnabled() default true;
    /** @Secured-style annotations; off unless enabled. */
    boolean securedEnabled() default false;
    /** JSR-250 (javax/jakarta annotation) style; off unless enabled. */
    boolean jsr250Enabled() default false;
    /** false = JDK interface proxies; true = class-based proxies for the secured beans. */
    boolean proxyTargetClass() default false;
    /**
     * Proxy-based advice by default. NOTE(review): with PROXY mode the checks live in the
     * proxy, so a bean's calls to its own methods are generally understood to bypass them -
     * confirm for any bean that invokes its own secured methods.
     */
    AdviceMode mode() default AdviceMode.PROXY;
    /** Presumably an ordering offset for the security advice relative to other advice; confirm upstream semantics. */
    int offset() default 0;
}
/**
 * Reactive (WebFlux) counterpart of @EnableMethodSecurity. This listing is repeated later
 * on the page under "Annotation-based method-level security configuration".
 */
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Import(ReactiveMethodSecurityConfiguration.class)
public @interface EnableReactiveMethodSecurity {
    /** false = JDK interface proxies; true = class-based proxies. */
    boolean proxyTargetClass() default false;
    /** Proxy-based advice by default; same self-invocation caveat as for @EnableMethodSecurity. */
    AdviceMode mode() default AdviceMode.PROXY;
    /** Order of the security advice relative to other advice (Ordered semantics). */
    int order() default Ordered.LOWEST_PRECEDENCE;
    /** true selects the AuthorizationManager-based enforcement path; false presumably falls back to the legacy model - confirm. */
    boolean useAuthorizationManager() default true;
}
/**
 * Enables WebFlux (reactive) web security. A marker annotation: it has no attributes, and
 * its whole effect is the configuration imported below.
 */
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Import({ServerHttpSecurityConfiguration.class, WebFluxSecurityConfiguration.class,
        ReactiveOAuth2ClientImportSelector.class, ReactiveObservationImportSelector.class})
public @interface EnableWebFluxSecurity {
}
/** Enables security for WebSocket message broker (STOMP) destinations; marker annotation, no attributes. */
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Import({WebSocketMessageBrokerSecurityConfiguration.class, WebSocketObservationImportSelector.class})
public @interface EnableWebSocketSecurity {
}
/** Enables RSocket security via a socket-acceptor interceptor; marker annotation, no attributes. */
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Import({RSocketSecurityConfiguration.class, SecuritySocketAcceptorInterceptorConfiguration.class,
        ReactiveObservationImportSelector.class})
public @interface EnableRSocketSecurity {
}
/**
 * @deprecated Use @EnableMethodSecurity instead. Every annotation family defaults to false
 * here, so applying this annotation without setting at least one flag enables nothing;
 * when migrating, remember that @EnableMethodSecurity turns prePostEnabled on by default.
 */
@Deprecated
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Import(GlobalMethodSecurityConfiguration.class)
public @interface EnableGlobalMethodSecurity {
    /** Pre/post annotations; off by default (unlike @EnableMethodSecurity). */
    boolean prePostEnabled() default false;
    /** @Secured-style annotations; off by default. */
    boolean securedEnabled() default false;
    /** JSR-250 style; off by default. */
    boolean jsr250Enabled() default false;
    /** false = JDK interface proxies; true = class-based proxies. */
    boolean proxyTargetClass() default false;
    /** Proxy-based advice by default; same self-invocation caveat as above. */
    AdviceMode mode() default AdviceMode.PROXY;
    /** Order of the security advice relative to other advice. */
    int order() default Ordered.LOWEST_PRECEDENCE;
}Fluent API builders for constructing security configuration objects.
/**
 * Builder for one SecurityFilterChain. A SecurityFilterChain @Bean method receives an
 * HttpSecurity (see the SecurityConfig example above), calls the feature methods below and
 * returns build(). Most features come in two overloads: a no-arg form that returns the
 * configurer for chained-call style, and a Customizer form (the lambda style used in the
 * example). On this page webAuthn() and passwordManagement() appear in the Customizer form
 * only.
 */
public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain, HttpSecurity>
        implements SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity> {
    // Authorization Configuration
    /** URL authorization on the AuthorizationManager model; the current API and the one the example uses. */
    public AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests();
    public AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests(
            Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer);
    /** @deprecated Use authorizeHttpRequests() instead - legacy expression-based URL authorization, kept for migration only. */
    @Deprecated
    public ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests();
    /** @deprecated Use authorizeHttpRequests() instead */
    @Deprecated
    public ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests(
            Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer);
    // Authentication Methods
    /** Username/password login form (FormLoginConfigurer below). */
    public FormLoginConfigurer<HttpSecurity> formLogin();
    public FormLoginConfigurer<HttpSecurity> formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> formLoginCustomizer);
    /** HTTP Basic. Credentials travel with every request, so only expose it over TLS (see requiresChannel()/redirectToHttps()). */
    public HttpBasicConfigurer<HttpSecurity> httpBasic();
    public HttpBasicConfigurer<HttpSecurity> httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> httpBasicCustomizer);
    /** Login through an external OAuth 2.0 / OpenID Connect provider (OAuth2LoginConfigurer below). */
    public OAuth2LoginConfigurer<HttpSecurity> oauth2Login();
    public OAuth2LoginConfigurer<HttpSecurity> oauth2Login(Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginCustomizer);
    /** Act as an OAuth 2.0 client (presumably token acquisition for outbound calls) without using the provider for login. */
    public OAuth2ClientConfigurer<HttpSecurity> oauth2Client();
    public OAuth2ClientConfigurer<HttpSecurity> oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>> oauth2ClientCustomizer);
    /** Accept bearer tokens (JWT or opaque) issued by an authorization server (OAuth2ResourceServerConfigurer below). */
    public OAuth2ResourceServerConfigurer<HttpSecurity> oauth2ResourceServer();
    public OAuth2ResourceServerConfigurer<HttpSecurity> oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer);
    /** SAML 2.0 login, logout and the service-provider metadata endpoint. */
    public Saml2LoginConfigurer<HttpSecurity> saml2Login();
    public Saml2LoginConfigurer<HttpSecurity> saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> saml2LoginCustomizer);
    public Saml2LogoutConfigurer<HttpSecurity> saml2Logout();
    public Saml2LogoutConfigurer<HttpSecurity> saml2Logout(Customizer<Saml2LogoutConfigurer<HttpSecurity>> saml2LogoutCustomizer);
    public Saml2MetadataConfigurer<HttpSecurity> saml2Metadata();
    public Saml2MetadataConfigurer<HttpSecurity> saml2Metadata(Customizer<Saml2MetadataConfigurer<HttpSecurity>> saml2MetadataCustomizer);
    /** OpenID Connect logout handling (presumably provider-initiated/back-channel; confirm which flows are covered). */
    public OidcLogoutConfigurer<HttpSecurity> oidcLogout();
    public OidcLogoutConfigurer<HttpSecurity> oidcLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oidcLogoutCustomizer);
    /** Passwordless login with a one-time token; how the token is delivered to the user is part of the configurer, not shown here. */
    public OneTimeTokenLoginConfigurer<HttpSecurity> oneTimeTokenLogin();
    public OneTimeTokenLoginConfigurer<HttpSecurity> oneTimeTokenLogin(Customizer<OneTimeTokenLoginConfigurer<HttpSecurity>> oneTimeTokenLoginCustomizer);
    /** WebAuthn / passkey authentication; Customizer form only on this page. */
    public WebAuthnConfigurer<HttpSecurity> webAuthn(Customizer<WebAuthnConfigurer<HttpSecurity>> webAuthnCustomizer);
    /** Client-certificate (mutual TLS) authentication. Trusts the certificate the container presents, so the TLS termination point must really verify it. */
    public X509Configurer<HttpSecurity> x509();
    public X509Configurer<HttpSecurity> x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer);
    /** Container-managed (Java EE) pre-authentication: trusts the identity the servlet container already established. */
    public JeeConfigurer<HttpSecurity> jee();
    public JeeConfigurer<HttpSecurity> jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer);
    /** Remember-me: a long-lived login credential in a cookie; treat its key/token store as sensitive. */
    public RememberMeConfigurer<HttpSecurity> rememberMe();
    public RememberMeConfigurer<HttpSecurity> rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> rememberMeCustomizer);
    /** Anonymous authentication for requests that carry no credentials. */
    public AnonymousConfigurer<HttpSecurity> anonymous();
    public AnonymousConfigurer<HttpSecurity> anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anonymousCustomizer);
    // Session and Security Context Management
    /** Session policy (creation policy, fixation protection, concurrency - per upstream docs; not detailed on this page). */
    public SessionManagementConfigurer<HttpSecurity> sessionManagement();
    public SessionManagementConfigurer<HttpSecurity> sessionManagement(Customizer<SessionManagementConfigurer<HttpSecurity>> sessionManagementCustomizer);
    /** How the SecurityContext is stored/restored between requests. */
    public SecurityContextConfigurer<HttpSecurity> securityContext();
    public SecurityContextConfigurer<HttpSecurity> securityContext(Customizer<SecurityContextConfigurer<HttpSecurity>> securityContextCustomizer);
    // Security Features
    /** CSRF protection. NOTE(review): disabling it is a deliberate choice that is only defensible for clients that never authenticate via cookies/sessions. */
    public CsrfConfigurer<HttpSecurity> csrf();
    public CsrfConfigurer<HttpSecurity> csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer);
    /** CORS handling; configure it here (rather than only in MVC) so it is applied alongside the security filters. */
    public CorsConfigurer<HttpSecurity> cors();
    public CorsConfigurer<HttpSecurity> cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer);
    /** Response security headers (HSTS, frame options and the like, per upstream docs). */
    public HeadersConfigurer<HttpSecurity> headers();
    public HeadersConfigurer<HttpSecurity> headers(Customizer<HeadersConfigurer<HttpSecurity>> headersCustomizer);
    /** Logout handling; the example calls permitAll() on it. */
    public LogoutConfigurer<HttpSecurity> logout();
    public LogoutConfigurer<HttpSecurity> logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer);
    /** Channel security: require HTTPS for matched requests (matcher-based form). */
    public RequireChannelConfigurer<HttpSecurity> requiresChannel();
    public RequireChannelConfigurer<HttpSecurity> requiresChannel(Customizer<RequireChannelConfigurer<HttpSecurity>> requiresChannelCustomizer);
    /** Shorthand that redirects plain-HTTP requests to HTTPS; note it returns the builder itself, not a configurer. */
    public HttpSecurity redirectToHttps();
    /** Password-management well-known endpoint support; Customizer form only on this page. */
    public PasswordManagementConfigurer<HttpSecurity> passwordManagement(Customizer<PasswordManagementConfigurer<HttpSecurity>> passwordManagementCustomizer);
    // Exception and Request Handling
    /** What happens on authentication/access-denied failures (entry point, denied handler). */
    public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling();
    public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer);
    /** Saved-request cache used to replay the original request after login. */
    public RequestCacheConfigurer<HttpSecurity> requestCache();
    public RequestCacheConfigurer<HttpSecurity> requestCache(Customizer<RequestCacheConfigurer<HttpSecurity>> requestCacheCustomizer);
    // Security Matchers and Configuration
    /**
     * Restrict which requests this chain handles at all. NOTE(review): this is different from
     * permitAll(): a request matched by no chain's securityMatcher gets none of this chain's
     * protections (CSRF, headers, ...) - confirm every request is covered by some chain.
     */
    public SecurityMatcher securityMatchers();
    public SecurityMatcher securityMatchers(Customizer<SecurityMatcher> securityMatcherCustomizer);
    public HttpSecurity securityMatcher(RequestMatcher requestMatcher);
    public HttpSecurity securityMatcher(String... patterns);
    // Authentication Infrastructure
    /** Per-chain overrides of the global authentication setup (see AuthenticationManagerBuilder below). */
    public HttpSecurity authenticationManager(AuthenticationManager authenticationManager);
    public HttpSecurity authenticationProvider(AuthenticationProvider authenticationProvider);
    public HttpSecurity userDetailsService(UserDetailsService userDetailsService);
    // Filter Management
    /**
     * Insert custom filters. Position matters for security: a filter placed before the
     * authentication filters sees unauthenticated requests. addFilter() without an explicit
     * position presumably requires the filter to be of a type the chain already orders - confirm.
     */
    public HttpSecurity addFilter(Filter filter);
    public HttpSecurity addFilterAfter(Filter filter, Class<? extends Filter> afterFilter);
    public HttpSecurity addFilterBefore(Filter filter, Class<? extends Filter> beforeFilter);
    public HttpSecurity addFilterAt(Filter filter, Class<? extends Filter> atFilter);
    // Final Build
    /** Assembles the DefaultSecurityFilterChain; this is what the @Bean method returns. */
    public DefaultSecurityFilterChain build() throws Exception;
}
/**
 * Application-wide builder that produces the single servlet Filter fronting all
 * SecurityFilterChains (contrast HttpSecurity, which builds one chain).
 */
public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter, WebSecurity>
        implements SecurityBuilder<Filter> {
    /**
     * Requests matched here skip the security filters entirely. NOTE(review): that also
     * means no CSRF, no security headers and no authorization for them; for anything other
     * than truly static resources prefer permitAll() inside a chain so the other
     * protections still apply.
     */
    public WebSecurity ignoring();
    /** Filter-chain debug output; keep off in production (same caveat as @EnableWebSecurity.debug()). */
    public WebSecurity debug(boolean debugEnabled);
    /** Replaces the HttpFirewall applied to incoming requests; loosening it widens what reaches the filters - presumably, confirm upstream. */
    public WebSecurity httpFirewall(HttpFirewall httpFirewall);
    /** Builds the Filter; callers propagate the checked Exception. */
    public Filter build() throws Exception;
}Specialized configurers for authentication, authorization, and security protection.
/**
 * Configures username/password form login, built on UsernamePasswordAuthenticationFilter.
 * The SecurityConfig example combines loginPage("/login") with permitAll() so that the
 * login page is reachable without a session.
 */
public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>>
        extends AbstractAuthenticationFilterConfigurer<H, FormLoginConfigurer<H>, UsernamePasswordAuthenticationFilter> {
    /** Custom login page URL. It must also be permitted (the example uses permitAll()); otherwise unauthenticated users cannot reach it. */
    public FormLoginConfigurer<H> loginPage(String loginPage);
    /** Post-login landing URL (presumably only when there is no saved request to replay; confirm upstream). */
    public FormLoginConfigurer<H> defaultSuccessUrl(String defaultSuccessUrl);
    /** URL the browser is sent to after a failed attempt; usually needs to be reachable without authentication as well. */
    public FormLoginConfigurer<H> failureUrl(String authenticationFailureUrl);
    /** Form field name read for the username (presumably by the filter above). */
    public FormLoginConfigurer<H> usernameParameter(String usernameParameter);
    /** Form field name read for the password. */
    public FormLoginConfigurer<H> passwordParameter(String passwordParameter);
}
/**
 * Request-level authorization rules on the AuthorizationManager model (the replacement for
 * the deprecated authorizeRequests()). Rules are registered through the returned registry;
 * the SecurityConfig example registers a specific pattern first and anyRequest() last.
 * NOTE(review): matching is understood to be first-match-wins in registration order, so a
 * catch-all placed before a specific rule would shadow it - confirm against upstream docs.
 */
public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder<H>>
        extends AbstractRequestMatcherRegistry<AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry> {
    /** Match by path pattern(s), any HTTP method. */
    public AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry requestMatchers(String... patterns);
    /** Match by HTTP method plus path pattern(s), e.g. to keep GET public while POST requires authentication. */
    public AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry requestMatchers(HttpMethod method, String... patterns);
    /** Catch-all for every request not matched earlier; pairing it with authenticated() (as in the example) gives deny-by-default. */
    public AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry anyRequest();
}Modern authentication protocol configuration support.
/**
 * OAuth 2.0 / OpenID Connect login: the application acts as an OAuth client and delegates
 * authentication to an external provider. Built on OAuth2LoginAuthenticationFilter.
 */
public final class OAuth2LoginConfigurer<H extends HttpSecurityBuilder<H>>
        extends AbstractAuthenticationFilterConfigurer<H, OAuth2LoginConfigurer<H>, OAuth2LoginAuthenticationFilter> {
    /**
     * Source of provider registrations (presumably client id/secret and endpoint URLs).
     * The client secret lives here, so back it with configuration or a secret store, never
     * with literals in code.
     */
    public OAuth2LoginConfigurer<H> clientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository);
    /** Storage for authorized clients, i.e. the tokens obtained on login (presumably; confirm what the backing store persists). */
    public OAuth2LoginConfigurer<H> authorizedClientService(OAuth2AuthorizedClientService authorizedClientService);
    /** Customizes how the provider's user-info response is mapped onto the local principal and authorities. */
    public OAuth2LoginConfigurer<H> userInfoEndpoint(Customizer<UserInfoEndpointConfig> userInfoEndpointCustomizer);
}
/**
 * Bearer-token resource server: requests carry an access token that this application
 * validates itself, either locally (jwt) or by introspection (opaqueToken).
 */
public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<H>>
        extends AbstractHttpConfigurer<OAuth2ResourceServerConfigurer<H>, H> {
    /** Self-contained JWT access tokens, validated locally per the JwtConfigurer (issuer/keys are configured there). */
    public OAuth2ResourceServerConfigurer<H> jwt(Customizer<JwtConfigurer> jwtCustomizer);
    /** Opaque access tokens, validated by calling the authorization server's introspection endpoint. */
    public OAuth2ResourceServerConfigurer<H> opaqueToken(Customizer<OpaqueTokenConfigurer> opaqueTokenCustomizer);
    /**
     * Overrides where the bearer token is read from (by default presumably the Authorization
     * header). NOTE(review): a resolver that accepts the token as a query parameter puts it
     * into URLs, referrers and access logs - keep header-only unless there is a concrete need.
     */
    public OAuth2ResourceServerConfigurer<H> bearerTokenResolver(BearerTokenResolver bearerTokenResolver);
}OAuth2 and SAML2 Configuration
User details services, authentication providers, and authentication managers.
/**
 * Builds the AuthenticationManager (presumably a ProviderManager, per ProviderManagerBuilder)
 * from one or more user stores / authentication providers. The *Authentication() methods
 * register a provider of that kind; authenticationProvider() registers an arbitrary one.
 */
public class AuthenticationManagerBuilder
        extends AbstractConfiguredSecurityBuilder<AuthenticationManager, AuthenticationManagerBuilder>
        implements ProviderManagerBuilder<AuthenticationManagerBuilder> {
    /** In-memory user store: fine for demos and tests (compare the SecurityConfig example), not for production credentials. */
    public InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> inMemoryAuthentication();
    /** JDBC-backed user store. */
    public JdbcUserDetailsManagerConfigurer<AuthenticationManagerBuilder> jdbcAuthentication();
    /** LDAP-based authentication. */
    public LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldapAuthentication();
    /**
     * Wraps an existing UserDetailsService in a DAO-style provider.
     * NOTE(review): the second type argument shown here (InMemoryUserDetailsManager) reads like
     * a transcription artefact - upstream the method is generic in the UserDetailsService
     * subtype; confirm before relying on this exact signature.
     */
    public DaoAuthenticationConfigurer<AuthenticationManagerBuilder, InMemoryUserDetailsManager> userDetailsService(UserDetailsService userDetailsService);
    /** Registers a custom AuthenticationProvider alongside the others. */
    public AuthenticationManagerBuilder authenticationProvider(AuthenticationProvider authenticationProvider);
}Annotation-based method-level security configuration.
/**
 * Reactive (WebFlux) counterpart of @EnableMethodSecurity. This is a repeat of the listing
 * in the annotations section above, with the same attributes and defaults.
 */
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Import(ReactiveMethodSecurityConfiguration.class)
public @interface EnableReactiveMethodSecurity {
    /** false = JDK interface proxies; true = class-based proxies for the secured beans. */
    boolean proxyTargetClass() default false;
    /**
     * Proxy-based advice by default. NOTE(review): with PROXY mode a bean's calls to its own
     * methods are generally understood not to pass through the proxy and so are not checked -
     * confirm for your beans.
     */
    AdviceMode mode() default AdviceMode.PROXY;
    /** Order of the security advice relative to other advice (Ordered semantics). */
    int order() default Ordered.LOWEST_PRECEDENCE;
    /** true selects the AuthorizationManager-based enforcement path; false presumably falls back to the legacy model - confirm. */
    boolean useAuthorizationManager() default true;
}
/**
 * Base class behind the deprecated @EnableGlobalMethodSecurity; subclass it to customize the
 * legacy (AccessDecisionManager-based) method security. New code should use
 * @EnableMethodSecurity and its AuthorizationManager model instead.
 */
public abstract class GlobalMethodSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
    /** Hook to register providers / user stores on the global AuthenticationManagerBuilder. */
    protected void configure(AuthenticationManagerBuilder auth) throws Exception;
    /** Legacy access-decision strategy; override to change how access decisions are made. */
    protected AccessDecisionManager accessDecisionManager();
    /** Expression handler for the pre/post annotations; override e.g. to plug in a custom permission evaluator. */
    protected MethodSecurityExpressionHandler createExpressionHandler();
}
/**
 * Produces one security object (a filter chain, an AuthenticationManager, ...) from the
 * configuration accumulated on the builder. HttpSecurity and WebSecurity above implement it
 * directly; AuthenticationManagerBuilder presumably via AbstractConfiguredSecurityBuilder.
 */
public interface SecurityBuilder<O> {
    /** Assembles and returns the object; callers propagate the checked Exception as the @Bean methods above do. */
    O build() throws Exception;
}
/**
 * Plugs one feature into a SecurityBuilder in two phases, init() then configure(). The
 * *Configurer classes listed above are presumably implementations of this (via their
 * abstract base classes).
 */
public interface SecurityConfigurer<O, B extends SecurityBuilder<O>> {
    /** First phase: presumably shared state only, so other configurers can see it before configure() runs - confirm upstream. */
    void init(B builder) throws Exception;
    /** Second phase: contributes the actual filters/providers to the builder. */
    void configure(B builder) throws Exception;
}
/** Adapter-style base implementation of SecurityConfigurer; subclass and override the phase(s) you need. */
public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>
        implements SecurityConfigurer<O, B> {
    /** Adapter default (presumably a no-op). */
    public void init(B builder) throws Exception;
    /** Adapter default (presumably a no-op). */
    public void configure(B builder) throws Exception;
    /** Returns the owning builder so a chained-call configuration can continue; the Customizer lambda style in the example does not need it. */
    public B and();
    /** Runs the configured ObjectPostProcessor over an object this configurer created (see ObjectPostProcessor below). */
    protected final O postProcess(O object);
}
/**
 * Callback type accepted by every builder method that takes a Customizer<...> (see
 * HttpSecurity above): the builder hands the configurer to customize(), the caller mutates
 * it, nothing is returned.
 */
@FunctionalInterface
public interface Customizer<T> {
    /** Applies the customization to t. */
    void customize(T t);
    /**
     * A Customizer that changes nothing; the lambda body is empty. Commonly passed to opt
     * into a feature with its default settings.
     */
    static <T> Customizer<T> withDefaults() {
        return (t) -> {};
    }
}
/**
 * Hook applied to objects the configurers instantiate themselves (filters, managers, ...)
 * before they are used - presumably so they receive Spring bean lifecycle/injection
 * treatment; confirm upstream.
 */
public interface ObjectPostProcessor<T> {
    /** Returns the object to use in place of {@code object} (may be the same instance or a replacement). */
    <O extends T> O postProcess(O object);
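}
/**
 * Well-known bean names that Spring Security registers or looks up by name. Reference these
 * constants instead of retyping the strings when overriding or wiring one of these beans.
 * Constants holder: not instantiable.
 */
public final class BeanIds {

    /** Name of the global AuthenticationManager bean. */
    public static final String AUTHENTICATION_MANAGER = "org.springframework.security.authenticationManager";

    /** Name of the UserDetailsService bean used by the global authentication setup. */
    public static final String USER_DETAILS_SERVICE = "org.springframework.security.userDetailsService";

    /** Name of the security filter-chain Filter bean (the one registered with the servlet container, presumably). */
    public static final String SPRING_SECURITY_FILTER_CHAIN = "org.springframework.security.filterChain";

    /** Name of the FilterChainProxy bean. */
    public static final String FILTER_CHAIN_PROXY = "org.springframework.security.web.FilterChainProxy";

    // Utility class: prevent instantiation (the implicit public constructor served no purpose).
    private BeanIds() {
    }
}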