Spring Security configuration module providing comprehensive declarative security configuration capabilities for Spring applications
—
Spring Security Config provides fluent API builders that enable declarative configuration of security components. These builders use the builder pattern to construct complex security objects through method chaining.
The primary builder for configuring HTTP security policies and filter chains.
public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain, HttpSecurity>
        implements SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity> {
    // Authorization Configuration
    // AuthorizationManager-based rules (the recommended API). Rules are consulted in declaration order and the
    // first matching rule decides, so declare specific matchers first and end with anyRequest().
    public AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests();
    // Legacy SpEL-based registry; deprecated in 6.x, prefer authorizeHttpRequests() for new configuration.
    public ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests();
    // Authentication Configuration
    // Every mechanism comes in two forms: a no-arg method returning the configurer (chained back with and())
    // and a Customizer overload. The no-arg forms are deprecated as of 6.1; use the Customizer overloads.
    public FormLoginConfigurer<HttpSecurity> formLogin();
    public FormLoginConfigurer<HttpSecurity> formLogin(Customizer<FormLoginConfigurer<HttpSecurity>> formLoginCustomizer);
    // HTTP Basic resends the credentials on every request: only use it over TLS.
    public HttpBasicConfigurer<HttpSecurity> httpBasic();
    public HttpBasicConfigurer<HttpSecurity> httpBasic(Customizer<HttpBasicConfigurer<HttpSecurity>> httpBasicCustomizer);
    public OAuth2LoginConfigurer<HttpSecurity> oauth2Login();
    public OAuth2LoginConfigurer<HttpSecurity> oauth2Login(Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginCustomizer);
    public Saml2LoginConfigurer<HttpSecurity> saml2Login();
    public Saml2LoginConfigurer<HttpSecurity> saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> saml2LoginCustomizer);
    // Client-certificate (mutual TLS) authentication; the principal is extracted from the presented certificate.
    public X509Configurer<HttpSecurity> x509();
    public X509Configurer<HttpSecurity> x509(Customizer<X509Configurer<HttpSecurity>> x509Customizer);
    // Trusts the principal already authenticated by the servlet container (container-managed security).
    public JeeConfigurer<HttpSecurity> jee();
    public JeeConfigurer<HttpSecurity> jee(Customizer<JeeConfigurer<HttpSecurity>> jeeCustomizer);
    // Long-lived login cookie that re-authenticates without credentials. Keep its validity short and prefer the
    // persistent-token (repository-backed) variant so individual tokens can be revoked.
    public RememberMeConfigurer<HttpSecurity> rememberMe();
    public RememberMeConfigurer<HttpSecurity> rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> rememberMeCustomizer);
    // Anonymous authentication is on by default: unauthenticated requests carry an AnonymousAuthenticationToken
    // (authority ROLE_ANONYMOUS) so authorization rules always have a principal to evaluate.
    public AnonymousConfigurer<HttpSecurity> anonymous();
    public AnonymousConfigurer<HttpSecurity> anonymous(Customizer<AnonymousConfigurer<HttpSecurity>> anonymousCustomizer);
    // Session Management
    // Session creation policy, session-fixation protection (on by default) and concurrent-session limits.
    public SessionManagementConfigurer<HttpSecurity> sessionManagement();
    public SessionManagementConfigurer<HttpSecurity> sessionManagement(Customizer<SessionManagementConfigurer<HttpSecurity>> sessionManagementCustomizer);
    // How the SecurityContext is persisted between requests (SecurityContextRepository).
    public SecurityContextConfigurer<HttpSecurity> securityContext();
    public SecurityContextConfigurer<HttpSecurity> securityContext(Customizer<SecurityContextConfigurer<HttpSecurity>> securityContextCustomizer);
    // Security Protection
    // CSRF protection is enabled by default; disable it only for stateless endpoints that never authenticate
    // via cookies or other browser-attached credentials.
    public CsrfConfigurer<HttpSecurity> csrf();
    public CsrfConfigurer<HttpSecurity> csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer);
    // Adds a CorsFilter ahead of authentication so preflight requests are answered; the policy comes from a
    // CorsConfigurationSource.
    public CorsConfigurer<HttpSecurity> cors();
    public CorsConfigurer<HttpSecurity> cors(Customizer<CorsConfigurer<HttpSecurity>> corsCustomizer);
    // Security response headers (X-Content-Type-Options, X-Frame-Options, Cache-Control, HSTS over HTTPS, ...).
    // They are on by default; headers().disable() removes all of them, so disable individual headers instead.
    public HeadersConfigurer<HttpSecurity> headers();
    public HeadersConfigurer<HttpSecurity> headers(Customizer<HeadersConfigurer<HttpSecurity>> headersCustomizer);
    // AuthenticationEntryPoint (unauthenticated) and AccessDeniedHandler (forbidden) used when access is refused.
    public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling();
    public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer);
    // Logout Configuration
    // Logout is enabled by default at /logout; while CSRF protection is on, logout only accepts POST.
    public LogoutConfigurer<HttpSecurity> logout();
    public LogoutConfigurer<HttpSecurity> logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer);
    // OpenID Connect back-channel logout: the provider notifies this application to end its local session.
    public OidcLogoutConfigurer<HttpSecurity> oidcLogout();
    public OidcLogoutConfigurer<HttpSecurity> oidcLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oidcLogoutCustomizer);
    // OAuth2 Configuration
    // Acting as an OAuth 2.0 client: obtaining and storing access tokens for calls to other services.
    public OAuth2ClientConfigurer<HttpSecurity> oauth2Client();
    public OAuth2ClientConfigurer<HttpSecurity> oauth2Client(Customizer<OAuth2ClientConfigurer<HttpSecurity>> oauth2ClientCustomizer);
    // Acting as a resource server: validating bearer tokens (JWT or opaque/introspected) on incoming requests.
    public OAuth2ResourceServerConfigurer<HttpSecurity> oauth2ResourceServer();
    public OAuth2ResourceServerConfigurer<HttpSecurity> oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer);
    // Modern Authentication (6.4+)
    // Magic-link style login: a single-use token is generated, delivered out of band and submitted once.
    public OneTimeTokenLoginConfigurer<HttpSecurity> oneTimeTokenLogin();
    public OneTimeTokenLoginConfigurer<HttpSecurity> oneTimeTokenLogin(Customizer<OneTimeTokenLoginConfigurer<HttpSecurity>> oneTimeTokenLoginCustomizer);
    // WebAuthn / passkeys; the relying-party id and allowed origins must be configured on the Customizer.
    public WebAuthnConfigurer<HttpSecurity> webAuthn(Customizer<WebAuthnConfigurer<HttpSecurity>> webAuthnCustomizer);
    // Filter Management
    // addFilter(Filter) only accepts a filter whose class is already registered in Spring Security's filter
    // ordering; for a custom Filter class use addFilterBefore/After/At with a registered anchor class.
    public HttpSecurity addFilter(Filter filter);
    public HttpSecurity addFilterBefore(Filter filter, Class<? extends Filter> beforeFilter);
    public HttpSecurity addFilterAfter(Filter filter, Class<? extends Filter> afterFilter);
    public HttpSecurity addFilterAt(Filter filter, Class<? extends Filter> atFilter);
    // Security Infrastructure
    // Overrides the AuthenticationManager used by this chain's authentication filters.
    public HttpSecurity authenticationManager(AuthenticationManager authenticationManager);
    // Adds a provider to the chain-local AuthenticationManagerBuilder.
    public HttpSecurity authenticationProvider(AuthenticationProvider authenticationProvider);
    // Registers a DaoAuthenticationProvider backed by the given service.
    public HttpSecurity userDetailsService(UserDetailsService userDetailsService);
    // Request Matching
    // Restricts which requests this chain handles. With several SecurityFilterChain beans the first chain whose
    // matcher accepts the request handles it, so order the beans (@Order) from most to least specific.
    public HttpSecurity securityMatchers(Customizer<RequestMatcherConfigurer> requestMatcherCustomizer);
    public HttpSecurity securityMatcher(String pattern);
    public HttpSecurity securityMatcher(RequestMatcher requestMatcher);
    // Build Configuration
    // Runs init() and then configure() on every registered configurer and assembles the filter chain. Call it
    // once, at the end of the SecurityFilterChain bean method.
    public DefaultSecurityFilterChain build() throws Exception;
}
Usage Example:
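@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
        // First matching rule wins, so the catch-all anyRequest() must stay last.
        .authorizeHttpRequests(authz -> authz
            .requestMatchers("/admin/**").hasRole("ADMIN")   // hasRole("ADMIN") matches the authority "ROLE_ADMIN"
            .requestMatchers("/user/**").hasRole("USER")
            .anyRequest().authenticated()
        )
        .formLogin(form -> form
            .loginPage("/login")
            // A custom login page is NOT permitted automatically: without permitAll() the anyRequest() rule
            // above protects /login too, and unauthenticated users are redirected to it in a loop.
            // permitAll() also opens the login-processing URL and the failure URL below.
            .permitAll()
            .defaultSuccessUrl("/dashboard")   // used only when there is no saved request to return to
            .failureUrl("/login?error")
        )
        .logout(logout -> logout
            .logoutUrl("/logout")              // with CSRF enabled (as below) logout must be a POST
            .logoutSuccessUrl("/login?logout")
            .invalidateHttpSession(true)       // the default; kept explicit for readers
        )
        .sessionManagement(session -> session
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)   // the default: create a session only when needed
            .maximumSessions(1)                 // concurrent-session control needs an HttpSessionEventPublisher bean
            .maxSessionsPreventsLogin(false)    // false: a new login expires the oldest session; true: reject the new login
        )
        .csrf(csrf -> csrf
            // withHttpOnlyFalse() makes the XSRF-TOKEN cookie readable by page script. That is only needed by
            // JavaScript clients that echo the token back in a request header (on 6.x those also need a
            // CsrfTokenRequestHandler configured). For a server-rendered form login like this one the default
            // session-backed repository keeps the token out of reach of injected script.
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        )
        .build();
}
Global web security configuration builder for application-wide settings.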
public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter, WebSecurity>
        implements SecurityBuilder<Filter> {
    // Ignoring Configuration
    // Requests matched here bypass Spring Security entirely: no authentication, no authorization and no security
    // response headers. Reserve it for pure static assets and prefer permitAll() inside HttpSecurity otherwise.
    public IgnoredRequestConfigurer ignoring();
    // Firewall Configuration
    // StrictHttpFirewall is already the default; supply an instance only to relax or tighten specific rules.
    public WebSecurity httpFirewall(HttpFirewall httpFirewall);
    // Debugging
    // Logs every request in full, including headers (cookies, Authorization). Local troubleshooting only;
    // never enable in production.
    public WebSecurity debug(boolean debugEnabled);
    // Security Evaluation
    // Lets view layers (JSP/Thymeleaf authorize tags) ask whether the current user may access a URL.
    public WebSecurity privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator);
    // SpEL handler used when web security expressions are evaluated.
    public WebSecurity expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler);
    // Filter Chain Management
    // Registers a chain to be added to the FilterChainProxy. Registration order is significant: the first chain
    // whose matcher accepts a request handles it.
    public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder);
    // Request Rejection Handling
    // Invoked when the HttpFirewall rejects a request (malformed or suspicious URL); typically answered with 400.
    public WebSecurity requestRejectedHandler(RequestRejectedHandler requestRejectedHandler);
    // Post-Build Actions
    // Runnable executed once the Filter has been built.
    public WebSecurity postBuildAction(Runnable postBuildAction);
    // Build Configuration
    // Produces the FilterChainProxy that is registered as the springSecurityFilterChain bean.
    public Filter build() throws Exception;
}
Usage Example:
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web
        // Ignored paths skip the whole filter chain, so these responses carry none of the default security
        // headers and a path-matching mistake cannot be caught by authorization rules. Only do this for static
        // assets; for anything else use permitAll() in authorizeHttpRequests instead.
        .ignoring()
        .requestMatchers("/css/**", "/js/**", "/images/**", "/webjars/**")
        .and()
        // debug(true) logs full request details including headers; keep it off outside local troubleshooting.
        .debug(false)
        // StrictHttpFirewall is the default firewall already; setting it explicitly is harmless and a configured
        // instance can relax individual checks without replacing the rest of the protection.
        .httpFirewall(new StrictHttpFirewall());
}
Builder for configuring AuthenticationManager with multiple authentication providers.
public class AuthenticationManagerBuilder
        extends AbstractConfiguredSecurityBuilder<AuthenticationManager, AuthenticationManagerBuilder>
        implements ProviderManagerBuilder<AuthenticationManagerBuilder> {
    // User Details Services
    // Users held in memory; suitable for demos and tests, not for production credential storage.
    public InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> inMemoryAuthentication() throws Exception;
    // Users loaded via JDBC; uses Spring Security's default users/authorities schema unless the queries are customized.
    public JdbcUserDetailsManagerConfigurer<AuthenticationManagerBuilder> jdbcAuthentication() throws Exception;
    // Authentication against an LDAP directory.
    public LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldapAuthentication() throws Exception;
    // Custom Authentication
    // Registers a DaoAuthenticationProvider for the given service; chain passwordEncoder(...) on the returned
    // configurer so stored hashes are verified with the matching encoder.
    public DaoAuthenticationConfigurer<AuthenticationManagerBuilder, InMemoryUserDetailsManager> userDetailsService(UserDetailsService userDetailsService) throws Exception;
    // Adds an arbitrary provider; the resulting ProviderManager tries providers in registration order and skips
    // those that do not support the Authentication type.
    public AuthenticationManagerBuilder authenticationProvider(AuthenticationProvider authenticationProvider);
    // Parent Authentication Manager
    // Fallback consulted when none of the local providers can authenticate the request.
    public AuthenticationManagerBuilder parentAuthenticationManager(AuthenticationManager authenticationManager);
    // Authentication Events
    // Publishes success/failure events: the hook for audit logging and brute-force lockout logic.
    public AuthenticationManagerBuilder authenticationEventPublisher(AuthenticationEventPublisher eventPublisher);
    // Security Configuration
    // Default true: credentials are removed from the Authentication object after a successful authentication
    // so they are not retained in the session or security context.
    public AuthenticationManagerBuilder eraseCredentials(boolean eraseCredentials);
    // Build Configuration
    // Assembles a ProviderManager from the registered providers (and the parent, if any).
    public AuthenticationManager build() throws Exception;
}
Usage Example:
@Bean
public AuthenticationManager authenticationManager(
        UserDetailsService userDetailsService,
        PasswordEncoder passwordEncoder) throws Exception {
    // objectPostProcessor and customAuthenticationProvider() are not shown in this snippet: the
    // ObjectPostProcessor<Object> is provided as a bean by Spring Security's configuration, and
    // customAuthenticationProvider() must be supplied by the surrounding configuration class.
    AuthenticationManagerBuilder authenticationManagerBuilder =
            new AuthenticationManagerBuilder(objectPostProcessor);
    return authenticationManagerBuilder
            .userDetailsService(userDetailsService)
            // Always pair the service with the encoder used to hash the stored passwords; without one the
            // provider falls back to the delegating encoder and expects {id}-prefixed hashes.
            .passwordEncoder(passwordEncoder)
            .and()
            .authenticationProvider(customAuthenticationProvider())
            .build();
}
RSocket security configuration builder for reactive messaging.
public class RSocketSecurity {
    // Authorization Configuration
    // Rules for the connection SETUP payload and for request payloads, keyed by route pattern.
    public AuthorizePayloadsSpec authorizePayload(Customizer<AuthorizePayloadsSpec> payloadsSpecCustomizer);
    // Authentication Configuration
    // Simple Authentication metadata (username/password carried in RSocket metadata); the replacement for
    // basicAuthentication().
    public RSocketSecurity simpleAuthentication(Customizer<SimpleAuthenticationSpec> simpleAuthenticationCustomizer);
    // Bearer JWT carried in the payload metadata, validated by the configured ReactiveAuthenticationManager.
    public RSocketSecurity jwt(Customizer<JwtSpec> jwtCustomizer);
    // Deprecated in favour of simpleAuthentication(); kept for existing clients.
    public RSocketSecurity basicAuthentication(Customizer<BasicAuthenticationSpec> basicAuthenticationCustomizer);
    // Build Configuration
    // Produces the interceptor to install on the RSocket server acceptor.
    public PayloadSocketAcceptorInterceptor build();
}
Usage Example:
@Bean
public PayloadSocketAcceptorInterceptor rsocketInterceptor(RSocketSecurity rsocket) {
    return rsocket
        .authorizePayload(authorize -> authorize
            .setup().hasRole("SETUP")            // checked once, on the connection SETUP frame
            .route("user.find").hasRole("USER")  // route metadata is matched against these patterns
            .route("admin.*").hasRole("ADMIN")
            // Remaining request payloads; SETUP is handled above (anyExchange() would cover both).
            .anyRequest().authenticated()
        )
        .jwt(jwt -> jwt
            // jwtAuthenticationManager() is not shown here; it must return a ReactiveAuthenticationManager
            // that validates the token's signature and claims.
            .authenticationManager(jwtAuthenticationManager())
        )
        .build();
}
Base interface for all security builders.
public interface SecurityBuilder<O> {
    /**
     * Builds the object and returns it or null.
     * <p>A builder is meant to be built once; HttpSecurity, WebSecurity and AuthenticationManagerBuilder
     * above all implement this contract through AbstractConfiguredSecurityBuilder.
     * @return the built object or null if the implementation allows it
     * @throws Exception if an error occurred when building the Object
     */
    O build() throws Exception;
}
Interface for configuring SecurityBuilder instances.
public interface SecurityConfigurer<O, B extends SecurityBuilder<O>> {
    /**
     * Initialize the SecurityBuilder.
     * <p>Called for every registered configurer before any {@code configure} call runs, so this is the place
     * to create shared state that other configurers need to see; do not add filters here.
     * @param builder the SecurityBuilder to use
     * @throws Exception if an error occurs
     */
    void init(B builder) throws Exception;
    /**
     * Configure the SecurityBuilder by modifying the SecurityBuilder.
     * <p>Called after {@code init} has run on all configurers; filters and other concrete configuration are
     * added here.
     * @param builder the SecurityBuilder to modify
     * @throws Exception if an error occurs
     */
    void configure(B builder) throws Exception;
}
Base adapter class providing common configurer functionality.
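public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>
        implements SecurityConfigurer<O, B> {
    // The builder this configurer is attached to; assigned by the builder through setBuilder(...).
    private B securityBuilder;
    // Post-processors applied to every object this configurer creates (see postProcess(...)).
    private CompositeObjectPostProcessor objectPostProcessor = new CompositeObjectPostProcessor();
    /**
     * No-op default; subclasses override to create shared state on the builder before any configure() runs.
     * @param builder the SecurityBuilder being initialized
     * @throws Exception if an error occurs
     */
    @Override
    public void init(B builder) throws Exception {}
    /**
     * No-op default; subclasses override to add filters and other concrete configuration.
     * @param builder the SecurityBuilder being configured
     * @throws Exception if an error occurs
     */
    @Override
    public void configure(B builder) throws Exception {}
    /**
     * Return the SecurityBuilder when done using the SecurityConfigurer.
     * <p>Used by the non-Customizer DSL ({@code http.formLogin().loginPage("/login").and()...}); the
     * Customizer overloads make it unnecessary and it is deprecated as of 6.1.
     * @return the SecurityBuilder for further customizations
     */
    public B and() {
        return getBuilder();
    }
    /**
     * Gets the SecurityBuilder this configurer was attached to.
     * @return the builder set via {@link #setBuilder(SecurityBuilder)}
     * @throws IllegalStateException if no builder has been set yet
     */
    protected final B getBuilder() {
        if (securityBuilder == null) {
            throw new IllegalStateException("securityBuilder cannot be null");
        }
        return securityBuilder;
    }
    // The cast back to T is the only unchecked operation in this class, so the suppression belongs here
    // (the listing previously carried it on setBuilder, which has nothing to suppress).
    /**
     * Performs post processing of an object using the ObjectPostProcessor.
     * @param object the Object to post process
     * @return the possibly modified Object to use
     */
    @SuppressWarnings("unchecked")
    protected final <T> T postProcess(T object) {
        return (T) objectPostProcessor.postProcess(object);
    }
    /**
     * Sets the SecurityBuilder to be used.
     * @param builder the builder this configurer will operate on
     */
    public void setBuilder(B builder) {
        this.securityBuilder = builder;
    }
}
All builders support fluent method chaining for readable configuration: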
// http is the HttpSecurity injected into a SecurityFilterChain bean method.
http
    .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
    .formLogin(form -> form.loginPage("/login"))   // a custom login page needs permitAll(), or /login is itself protected
    .logout(logout -> logout.logoutSuccessUrl("/"))
    .sessionManagement(session -> session.maximumSessions(1))
    .build();
Builders use the Customizer functional interface for configuration:
http.formLogin(formLogin -> {
    formLogin
        .loginPage("/custom-login")          // remember to permitAll() the custom page
        .usernameParameter("email")          // request parameter names the login filter reads from the form
        .passwordParameter("pass")
        // The second argument (alwaysUse = true) forces the redirect to /dashboard even when the user reached
        // the login page from another protected URL; omit it to return them to the page they asked for.
        .defaultSuccessUrl("/dashboard", true);
});
Use Customizer.withDefaults() for default configurations:
// Customizer.withDefaults() enables the feature with its built-in defaults (a no-op customization).
http
    .formLogin(Customizer.withDefaults())
    .httpBasic(Customizer.withDefaults())
    .oauth2Login(Customizer.withDefaults());
Apply configuration conditionally based on environment or other factors:
// Profile-gated hardening means CSRF defects only surface once deployed, and a mislabelled environment ships
// without the protection. Prefer keeping CSRF on everywhere and fixing the client (or exempting specific
// endpoints with ignoringRequestMatchers) when something does not work in development.
if (environment.acceptsProfiles(Profiles.of("development"))) {
    http.csrf(csrf -> csrf.disable());
}
// Or using method references
// isDevelopment() is application code not shown here. CsrfConfigurer::disable satisfies
// Customizer<CsrfConfigurer<HttpSecurity>> because a method reference may discard its return value.
http.csrf(isDevelopment() ? CsrfConfigurer::disable : Customizer.withDefaults());
Install with Tessl CLI