Spring Security deprecate the configuration class WebSecurityConfigurerAdapter - java

I recently updated the Spring Boot versions and noticed that the WebSecurityConfigurerAdapter class has been deprecated, and I am going to make changes; however, I have a problem: how can I make changes in my code?
And my question is how can I refactor such a piece of code:
@Configuration
public class MyAutoConfiguration {
    @Bean
    @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
    public WebSecurityConfigurerAdapter myService() {
        ...
    }
}
As you can see here, I am using WebSecurityConfigurerAdapter 2 times, and what method could I use to make it work properly in the current version of Spring Configuring WebSecurity?

The recommended way of doing this is to register a SecurityFilterChain bean. You can find detailed information on how to do this in the Spring documentation:
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
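
The refactoring the answer describes, applied to the auto-configuration from the question. This is an added example, not code from the original posts or from the Spring documentation. The bean name and the authorization rules are assumptions, and it assumes Spring Security 5.7 with Spring Boot, which supplies the HttpSecurity bean.

```java
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example: MyAutoConfiguration is the class name from the question;
// the bean name and the rules inside it are assumptions for illustration.
@Configuration(proxyBeanMethods = false)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
public class MyAutoConfiguration {

    // Back off when the application defines its own SecurityFilterChain,
    // the component-based replacement for a WebSecurityConfigurerAdapter subclass.
    @Bean
    @ConditionalOnMissingBean(SecurityFilterChain.class)
    public SecurityFilterChain myDefaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            // Deny by default: every request needs an authenticated user
            // unless the application supplies its own chain.
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

On Spring Security 5.7 an application that still extends the deprecated adapter does not trip this condition, and Spring Security refuses to start when both a WebSecurityConfigurerAdapter and a SecurityFilterChain are present. Until the adapter is gone from consuming applications, list both types in the @ConditionalOnMissingBean condition.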

Related

Config resource handlers for Spring Boot

How to do the same that I pointed out using Spring Boot (+Security)? Implementing the WebMvcConfigurer interface resets a lot of settings that Spring Boot configured automatically. For example, the setting "spring.mvc.hiddenmethod.filter.enabled=true" in application.properties stopped working. The question is how to set up a binding of multiple ResourceHandler:ResourceLocation pairs without configuring the extra.
I don't know how to make things right.
@Configuration
@EnableWebMvc
public class MvcConfig implements WebMvcConfigurer {
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/css/**")
                .addResourceLocations("classpath:/static/assets/css/");
        registry.addResourceHandler("/images/**")
                .addResourceLocations("classpath:/static/assets/images/");
        registry.addResourceHandler("/js/**")
                .addResourceLocations("classpath:/static/assets/js/");
        registry.addResourceHandler("/person-storage/**")
                .addResourceLocations("classpath:/storage/person-images/");
    }
}
I tried to use settings in application.properties for Spring Boot. I tried to create a @Bean of "addResourceHandler" so that I won't implement the WebMvcConfigurer interface fully.

spring-security: CglibAopProxy not intercepting method call for GlobalMethodSecurityConfiguration

I am trying to extend GlobalMethodSecurityConfiguration with the @EnableGlobalMethodSecurity annotation. I have a separate configuration class that extends WebSecurityConfigurerAdapter with the @EnableWebSecurity annotation.
If I place @EnableGlobalMethodSecurity on my WebSecurityConfigurerAdapter and not on my GlobalMethodSecurityConfiguration class, I am able to see in CglibAopProxy that the method is being intercepted and then invoked. If I remove @EnableGlobalMethodSecurity from WebSecurityConfigurerAdapter and place it on GlobalMethodSecurityConfiguration, I no longer see any method interception.
Are the two configurations conflicting? Does anyone have any idea why my methods are no longer properly being invoked after configuring GlobalMethodSecurityConfiguration? I hope to implement method security by extending GlobalMethodSecurityConfiguration so I can provide my own handler and expression root.
I can provide code snippets if needed.
Thanks,
Civerooni
This was solved by the answer in the question "Spring Boot: Configure custom MethodSecurityExpressionOperations?". I am not 100% sure why autowiring my own services and registering them as beans was preventing the method interception from happening. I suspect it was because it was using different application contexts.

Spring security: difference between WebSecurityConfigurerAdapter and GlobalAuthenticationConfigurerAdapter

These two classes:
WebSecurityConfigurerAdapter
GlobalAuthenticationConfigurerAdapter
seem to do the same thing to me. They both provide different methods configure(...) to customize WebSecurity, such as to configure UserDetailsService. In some examples found on the internet, I saw that both classes are extended (like this one, http://ryanjbaxter.com/2015/01/06/securing-rest-apis-with-spring-boot/):
@Configuration
class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter {...}
and
@EnableWebSecurity
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {...}
but in some examples, only WebSecurityConfigurerAdapter was needed (extended).
I am not sure about the difference between the two. What can one do that the other cannot? Or if they are both needed, then which of them is for what aspect of Spring Security?
The only difference I've seen is that @EnableWebSecurity is often annotated above the class that extends WebSecurityConfigurerAdapter, but not on the class that extends GlobalAuthenticationConfigurerAdapter.
=============EXPERIMENT==================
I tried deleting the class that extends GlobalAuthenticationConfigurerAdapter, and carrying the code related to UserDetailsService to the class that extends WebSecurityConfigurerAdapter (See the link above for the actual code), and it still works.
Basically, WebSecurityConfigurerAdapter is used to create the FilterChainProxy (refer to this doc), whereas GlobalAuthenticationConfigurerAdapter is used as a SecurityConfigurer that can be used to easily build in-memory authentication, LDAP authentication, JDBC-based authentication, adding UserDetailsService, and adding AuthenticationProviders (refer to this doc). Hope this helps!

Spring adding ProtobufHttpMessageConverter to controllers without xml config

This should be really simple, but I cannot figure out how to add ProtobufHttpMessageConverter for Spring controllers while keeping the default HttpMessageConverters.
I have set up the client side (RestTemplate), but for every request I send there is error 415: content not supported.
Every example I have found so far refers to either Spring Boot or XML configuration; however, neither of these works for me.
In the answer about a similar issue, extending the WebMvcConfigurerAdapter apparently removes the default handlers.
It is stated to extend WebMvcConfigurationSupport to keep the default handlers, but the given implementation doesn't work for Spring 4.x, as the method call super.addDefaultHttpMessageConverters(); requires a List of converters.
I have tried variations on the theme, but neither seems to work:
@EnableWebMvc
@Configuration
@ComponentScan
public class RestServiceConfiguration extends WebMvcConfigurationSupport {
    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        converters.add(new ProtobufHttpMessageConverter());
        // getMessageConverters().add(new ProtobufHttpMessageConverter());
        // super.configureMessageConverters(getMessageConverters());
        super.addDefaultHttpMessageConverters(converters);
    }
}
Could somebody help me add ProtobufHttpMessageConverter while keeping the default converters, without XML configuration?
With your approach you could make it work. However, due to the fact that you extended WebMvcConfigurationSupport and used @EnableWebMvc, it isn't working. You are basically configuring web support twice now, as @EnableWebMvc is importing WebMvcConfigurationSupport (actually DelegatingWebMvcConfiguration).
To make your current setup work, remove the @EnableWebMvc annotation.
@Configuration
@ComponentScan
public class RestServiceConfiguration extends WebMvcConfigurationSupport {
    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        converters.add(new ProtobufHttpMessageConverter());
        super.addDefaultHttpMessageConverters(converters);
    }
}
However, there is a better way: instead of extending WebMvcConfigurationSupport, you should extend WebMvcConfigurerAdapter and implement the extendMessageConverters method instead of configureMessageConverters.
@EnableWebMvc
@Configuration
@ComponentScan
public class RestServiceConfiguration extends WebMvcConfigurerAdapter {
    @Override
    public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
        converters.add(new ProtobufHttpMessageConverter());
    }
}
Note: The extendMessageConverters method was added in Spring 4.1.3; for earlier versions use the first method!

Register Spring HandlerInterceptor Without WebMvcConfigurationSupport

I'm trying to register an instance of HandlerInterceptor in Spring using Java Config without extending WebMvcConfigurationSupport. I'm creating a library with an annotation that, when added to a @Configuration class, registers an interceptor that handles a security annotation.
I had an implementation using WebMvcConfigurationSupport#addInterceptors, but that conflicted with other automatic workings in Spring, and overrode some of the application's own logic. It also seems incredibly heavy for something that should be simple. I'm now trying:
@Configuration
public class AnnotationSecurityConfiguration {
    @Autowired private RequestMappingHandlerMapping requestMappingHandlerMapping;

    @PostConstruct
    public void attachInterceptors() {
        requestMappingHandlerMapping.setInterceptors(new Object[] {
            new SecurityAnnotationHandlerInterceptor()
        });
    }
}
However, it appears that the interceptor gets registered with a completely different instance of RequestMappingHandlerMapping than the one the application actually uses for web requests. Additionally, when implemented as a BeanFactoryPostProcessor, I get a NullPointerException in HealthMvcEndpoint when I try beanFactory.getBean(RequestMappingHandlerMapping.class).
Just stating @Blauhirn's comment, WebMvcConfigurerAdapter is deprecated as of version 5.0:
Deprecated as of 5.0 WebMvcConfigurer has default methods (made possible by a Java 8 baseline) and can be implemented directly without the need for this adapter
Refer to the new way to do it:
@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new MyCustomInterceptor())
                // Optional
                .addPathPatterns("/myendpoint");
    }
}
Plus, as stated here, do not annotate this with @EnableWebMvc if you want to keep Spring Boot auto-configuration for MVC.
Edit: This class has since been deprecated. See @bosco's answer below for the Spring 5 equivalent.
Figured it out, the solution is to use, simply:
@Configuration
public class AnnotationSecurityConfiguration extends WebMvcConfigurerAdapter {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new SecurityAnnotationHandlerInterceptor());
    }
}
In Spring Boot, all beans of type WebMvcConfigurer are automatically detected and can modify the MVC context.
