In the previous post, I showed you how to configure Spring Security using the WebSecurityConfigurerAdapter class. From Spring Security version 5.7.0 onwards, Spring has deprecated this class and recommends configuring Spring Security with a SecurityFilterChain bean and the Spring Security Lambda DSL. How does that work in detail? In this tutorial, we will find out together!
I will clone the example project from the previous post so that we can compare how the configuration differs between the two solutions!
If you now upgrade Spring Security to version 5.7.0-M2, you will see that the WebSecurityConfigurerAdapter class is deprecated.
Now we will replace it with SecurityFilterChain and Spring Security Lambda DSL!
The main class that we will work with is SpringSecurityConfiguration. I will remove all unnecessary code and annotate this class with the @EnableWebSecurity annotation as follows:

```java
package com.huongdanjava.springsecurity;

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@EnableWebSecurity
public class SpringSecurityConfiguration {

}
```
First, we will configure the authorization part, using a SecurityFilterChain bean built from the HttpSecurity class.
I will declare the following:
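```java
// Imports to add to SpringSecurityConfiguration
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Inside the SpringSecurityConfiguration class
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
  // @formatter:off
  http
    .authorizeHttpRequests((authz) -> authz
      .antMatchers("/").hasRole("USER")          // "/" requires ROLE_USER
      .antMatchers("/admin/**").hasRole("ADMIN") // everything under /admin requires ROLE_ADMIN
    )
    .formLogin(withDefaults());
  // @formatter:on

  return http.build();
}
```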
As you can see, I use another method of the HttpSecurity class, the authorizeHttpRequests() method, to configure access permissions for the application's request URLs. There is also an overload of this method that takes no parameters and applies the default configuration that Spring Security provides.
The parameter of the authorizeHttpRequests() method in this example is the Customizer interface defined with a generic type so that we can configure this authorization part to our liking.
The Customizer interface is a functional interface, so we can use a Java lambda expression to write the code for this method. Spring calls this style of writing the Lambda DSL. In short, Spring supports the Lambda DSL to make our code easier to read: we no longer need to use the and() method to configure the different parts of Spring Security.
The generic type of the Customizer interface for this authorization part is the AuthorizationManagerRequestMatcherRegistry class, which defines the request URL information and which roles are allowed to access each URL.
The formLogin() method also supports the Lambda DSL, allowing us to configure the login page, either using Spring Security's default (the withDefaults() method) or customizing it to your liking. The generic type of the Customizer interface in this case is the FormLoginConfigurer class.
For the management of user login information in the application, you can declare a bean of the InMemoryUserDetailsManager class to add user information in memory, as follows:
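```java
// Imports to add to SpringSecurityConfiguration
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;

// Inside the SpringSecurityConfiguration class
@Bean
public UserDetailsManager userDetailsService() {
  // withDefaultPasswordEncoder() is marked deprecated in Spring Security:
  // it is intended for demos and samples only, not for production use.
  UserDetails user1 = User.withDefaultPasswordEncoder()
      .username("khanh")
      .password("123456")
      .roles("USER")
      .build();
  UserDetails user2 = User.withDefaultPasswordEncoder()
      .username("thanh")
      .password("123456")
      .roles("ADMIN")
      .build();

  return new InMemoryUserDetailsManager(user1, user2);
}
```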
To ignore security for requests to application resources, we can declare a bean of type WebSecurityCustomizer, as in the following configuration example:

```java
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;

// Requests matching /resources/** are not processed by any Spring Security filter
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
  return (web) -> web.ignoring().antMatchers("/resources/**");
}
```

WebSecurityCustomizer is a functional interface with a single method, customize(). The parameter of this method is the WebSecurity class, so we can define the resources that we want to ignore!
At this point, we have finished configuring Spring Security using SecurityFilterChain and Lambda DSL.
Run the example again and you will see that everything works the same as in the article Configure Spring Security using WebSecurityConfigurerAdapter and AbstractSecurityWebApplicationInitializer.
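
A hardened variant of the configuration built in this tutorial, as an added example that is not the author's code. It targets the same Spring Security 5.7 API and shows three changes a production setup would make: a BCryptPasswordEncoder bean instead of the demo-only User.withDefaultPasswordEncoder(), permitAll() for static resources instead of web.ignoring(), and an explicit anyRequest() catch-all. The class name and the APP_USER_PASSWORD and APP_ADMIN_PASSWORD environment variables are assumptions.

```java
package com.huongdanjava.springsecurity;

import static org.springframework.security.config.Customizer.withDefaults;

import java.util.Objects;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
public class HardenedSecurityConfiguration { // hypothetical class name

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
      .authorizeHttpRequests((authz) -> authz
        // permitAll() keeps static resources inside the filter chain,
        // unlike web.ignoring(), which skips every security filter for them.
        .antMatchers("/resources/**").permitAll()
        .antMatchers("/").hasRole("USER")
        .antMatchers("/admin/**").hasRole("ADMIN")
        // Explicit catch-all: every URL not listed above requires a login.
        .anyRequest().authenticated()
      )
      .formLogin(withDefaults());
    return http.build();
  }

  @Bean
  public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(); // salted, adaptive password hash
  }

  @Bean
  public UserDetailsManager userDetailsService(PasswordEncoder encoder) {
    // Assumed environment variable names; the passwords are not kept in source code.
    String userPw = Objects.requireNonNull(System.getenv("APP_USER_PASSWORD"), "APP_USER_PASSWORD");
    String adminPw = Objects.requireNonNull(System.getenv("APP_ADMIN_PASSWORD"), "APP_ADMIN_PASSWORD");
    return new InMemoryUserDetailsManager(
        User.withUsername("khanh").password(encoder.encode(userPw)).roles("USER").build(),
        User.withUsername("thanh").password(encoder.encode(adminPw)).roles("ADMIN").build());
  }
}
```

This class replaces SpringSecurityConfiguration rather than sitting beside it, and the WebSecurityCustomizer bean is no longer needed.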