
tessl/maven-org-springframework-security--spring-security-config

Spring Security configuration module providing comprehensive declarative security configuration capabilities for Spring applications


Core Security Annotations

Spring Security Config provides several key annotations that enable and configure security features in Spring applications. These annotations serve as entry points to the security configuration system and automatically import necessary configuration classes.

Web Security Annotations

@EnableWebSecurity

The primary annotation for enabling Spring Security web security configuration.

@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Import({WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, 
         OAuth2ImportSelector.class, HttpSecurityConfiguration.class})
@EnableGlobalAuthentication
public @interface EnableWebSecurity {
    /**
     * Controls debugging support for Spring Security.
     * @return true if debugging is enabled, false otherwise. Default is false.
     */
    boolean debug() default false;
}

This annotation:

  • Imports essential Spring Security configuration classes
  • Enables web security filter chain processing
  • Automatically configures security infrastructure
  • Provides optional debug mode for troubleshooting

Usage Example:

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .build();
    }
}

@EnableGlobalAuthentication

Enables global authentication configuration capabilities.

@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Import(AuthenticationConfiguration.class)
public @interface EnableGlobalAuthentication {
}

This annotation is typically used internally by other security annotations but can be used independently to enable authentication infrastructure.

Method Security Annotations

@EnableMethodSecurity

Modern method-level security configuration annotation (Spring Security 5.6+).

@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Import(MethodSecurityConfiguration.class)
public @interface EnableMethodSecurity {
    /**
     * Determines if Spring Security's pre/post annotations should be enabled.
     * @return true if pre/post annotations are enabled, false otherwise. Default is true.
     */
    boolean prePostEnabled() default true;
    
    /**
     * Determines if Spring Security's @Secured annotation should be enabled.
     * @return true if @Secured is enabled, false otherwise. Default is false.
     */
    boolean securedEnabled() default false;
    
    /**
     * Determines if JSR-250 annotations should be enabled.
     * @return true if JSR-250 annotations are enabled, false otherwise. Default is false.
     */
    boolean jsr250Enabled() default false;
    
    /**
     * Indicate whether subclass-based (CGLIB) proxies are to be created as opposed
     * to standard Java interface-based proxies.
     * @return true to use CGLIB proxies, false for JDK proxies. Default is false.
     */
    boolean proxyTargetClass() default false;
    
    /**
     * Indicate how security advice should be applied.
     * @return the advice mode. Default is PROXY.
     */
    AdviceMode mode() default AdviceMode.PROXY;
    
    /**
     * Indicate the order in which the SecurityMethodInterceptor should be applied.
     * @return the order value. Default is LOWEST_PRECEDENCE.
     */
    int order() default Ordered.LOWEST_PRECEDENCE;
}

Usage Example:

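// MethodSecurityConfig.java
@Configuration
@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class MethodSecurityConfig {
}

// UserService.java: a top-level bean, so component scanning registers it and it gets proxied
@Service
public class UserService {

    // Application-defined repository (hypothetical, not part of Spring Security);
    // assumed to follow Spring Data's CrudRepository contract
    private final UserRepository userRepository;

    public UserService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    // Checked before the method body runs
    @PreAuthorize("hasRole('ADMIN')")
    public void deleteUser(Long userId) {
        userRepository.deleteById(userId);
    }

    // Checked after the method returns, against the returned object
    @PostAuthorize("returnObject.owner == authentication.name")
    public User getUserById(Long id) {
        return userRepository.findById(id).orElseThrow();
    }
}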
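
A check that these annotations are actually enforced, as an added example that is not part of the original documentation or the Spring Security project. It is a JUnit 5 test that assumes spring-test and spring-security-test are on the test classpath; DemoService, Doc and CALLS are constructed names. It also shows that @PostAuthorize lets the method body run before access is denied, so it should not guard methods with side effects.

```java
import static org.junit.jupiter.api.Assertions.*;

import java.util.concurrent.atomic.AtomicInteger;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

// Added example: DemoService, Doc and CALLS are constructed for illustration.
@SpringJUnitConfig(MethodSecurityEnforcementTest.Config.class)
class MethodSecurityEnforcementTest {
    static final AtomicInteger CALLS = new AtomicInteger(); // counts method bodies that ran
    @Configuration
    @EnableMethodSecurity
    static class Config {
        @Bean DemoService demoService() { return new DemoService(); }
    }

    public static class Doc {
        private final String owner;
        Doc(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }   // read by the SpEL expression below
    }

    public static class DemoService {
        @PreAuthorize("hasRole('ADMIN')")
        public void delete() { CALLS.incrementAndGet(); }
        @PostAuthorize("returnObject.owner == authentication.name")
        public Doc load(String owner) { CALLS.incrementAndGet(); return new Doc(owner); }
    }

    @Autowired DemoService service;   // the security proxy, not the raw object
    @Test
    @WithMockUser(username = "alice", roles = "USER")
    void preAuthorizeDeniesBeforeTheBodyAndPostAuthorizeAfterIt() {
        int before = CALLS.get();
        assertThrows(AccessDeniedException.class, () -> service.delete());
        assertEquals(before, CALLS.get());       // denied before the body ran
        assertThrows(AccessDeniedException.class, () -> service.load("bob"));
        assertEquals(before + 1, CALLS.get());   // body ran, only the result was withheld
        assertEquals("alice", service.load("alice").getOwner());
    }
}
```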

@EnableGlobalMethodSecurity (Deprecated)

Legacy method-level security configuration annotation.

@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Import(GlobalMethodSecurityConfiguration.class)
@Deprecated
public @interface EnableGlobalMethodSecurity {
    boolean prePostEnabled() default false;
    boolean securedEnabled() default false;
    boolean jsr250Enabled() default false;
    boolean proxyTargetClass() default false;
    AdviceMode mode() default AdviceMode.PROXY;
    int order() default Ordered.LOWEST_PRECEDENCE;
}

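Migration Note: Use @EnableMethodSecurity instead for new applications. When migrating, note that prePostEnabled defaults to false here but to true in @EnableMethodSecurity.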

@EnableReactiveMethodSecurity

Reactive method security configuration for WebFlux applications.

@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Import(ReactiveMethodSecurityConfiguration.class)
public @interface EnableReactiveMethodSecurity {
    /**
     * Indicate whether subclass-based (CGLIB) proxies are to be created as opposed
     * to standard Java interface-based proxies.
     * @return true to use CGLIB proxies, false for JDK proxies. Default is false.
     */
    boolean proxyTargetClass() default false;
    
    /**
     * Indicate how security advice should be applied.
     * @return the advice mode. Default is PROXY.
     */
    AdviceMode mode() default AdviceMode.PROXY;
    
    /**
     * Indicate the order in which the SecurityMethodInterceptor should be applied.
     * @return the order value. Default is LOWEST_PRECEDENCE.
     */
    int order() default Ordered.LOWEST_PRECEDENCE;
    
    /**
     * Indicate whether to use AuthorizationManager for reactive method security.
     * @return true to use AuthorizationManager, false for legacy approach. Default is true.
     */
    boolean useAuthorizationManager() default true;
}

Usage Example:

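// ReactiveSecurityConfig.java
@Configuration
@EnableReactiveMethodSecurity
public class ReactiveSecurityConfig {
}

// ReactiveUserService.java: a top-level bean, so it is registered and proxied
@Service
public class ReactiveUserService {

    // Application-defined reactive repository (hypothetical, not part of Spring Security)
    private final ReactiveUserRepository userRepository;

    public ReactiveUserService(ReactiveUserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @PreAuthorize("hasRole('ADMIN')")
    public Mono<Void> deleteUser(String userId) {
        return userRepository.deleteById(userId);
    }

    @PostAuthorize("returnObject.owner == authentication.name")
    public Mono<User> getUserById(String id) {
        return userRepository.findById(id);
    }
}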

Specialized Protocol Annotations

@EnableRSocketSecurity

Enables RSocket security support for reactive messaging applications.

@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Import(RSocketSecurityConfiguration.class)
public @interface EnableRSocketSecurity {
}

Usage Example:

@Configuration
@EnableRSocketSecurity
public class RSocketSecurityConfig {
    
    @Bean
    public PayloadSocketAcceptorInterceptor rsocketInterceptor(RSocketSecurity rsocket) {
        return rsocket
            .authorizePayload(authorize -> authorize
                .setup().hasRole("SETUP")
                .route("user.*").hasRole("USER")
                .anyRequest().authenticated()
            )
            .simpleAuthentication(Customizer.withDefaults())
            .build();
    }
}

Common Patterns

Combining Annotations

Multiple security annotations can be combined on the same configuration class:

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class ComprehensiveSecurityConfig {
    
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults())
            .build();
    }
}

Custom Configuration Classes

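On Spring Security 5.x, annotations can be applied to custom configuration classes that extend base configuration classes. WebSecurityConfigurerAdapter was deprecated in 5.7 and removed in 6.0; on 6.x, declare a SecurityFilterChain bean instead, as in the examples above: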

@Configuration
@EnableWebSecurity
public class CustomSecurityConfig extends WebSecurityConfigurerAdapter {
    // Custom configuration methods
}

Environment-Specific Configuration

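Use Spring profiles to conditionally enable security features. In the example below, @Profile("!test") matches whenever the test profile is not active, so ProductionSecurityConfig is also loaded under the development profile. debug = true logs details of every request, which may include sensitive information, so keep it on profiles that never run in production: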

@Configuration
@EnableWebSecurity
@Profile("!test")
public class ProductionSecurityConfig {
    // Production security configuration
}

@Configuration
@EnableWebSecurity(debug = true)
@Profile("development")
public class DevelopmentSecurityConfig {
    // Development security configuration with debug enabled
}

Install with Tessl CLI

npx tessl i tessl/maven-org-springframework-security--spring-security-config
