These two classes:
WebSecurityConfigurerAdapter
GlobalAuthenticationConfigurerAdapter
seem to do the same thing to me. They both provide different methods configure(...) to customize WebSecurity, such as to configure UserDetailsService. In some examples found on the internet, I saw that both classes are extended (like this one, http://ryanjbaxter.com/2015/01/06/securing-rest-apis-with-spring-boot/):
#Configuration
class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter {...}
and
#EnableWebSecurity
#Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {...}
but in some example, only WebSecurityConfigurerAdapter was needed (extended).
I am not sure about the difference between the two? What one can do that the other cannot? Or if they are both needed, then which of them is for what aspect of Spring security?
The only difference I've seen is that #EnableWebSecurity is often annotated above class that extends WebSecurityConfigurerAdapter, but not in the class that extends GlobalAuthenticationConfigurerAdapter
=============EXPERIMENT==================
I tried deleting the class that extends GlobalAuthenticationConfigurerAdapter, and carrying the code related to UserDetailsService to the class that extends WebSecurityConfigurerAdapter (See the link above for the actual code), and it still works.
Basically WebSecurityConfigurerAdapter is used to create the FilterChainProxy
refer to this docs as to GlobalAuthenticationConfigurerAdapter is used as SecurityConfigurerthat can be used to easily build in memory authentication, LDAP authentication, JDBC based authentication, adding UserDetailsService, and adding AuthenticationProvider's. refer to this docs hope this helps!
Related
I recently updated the spring bot versions and noticed that the WebSecurityConfigurerAdapter class has been deprecated and I am going to make changes however I have a problem how can I make changes in my code.
And my question is how can I refactor such a piece of code
#Configuration
public class MyAutoConfiguration {
#Bean
#ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
public WebSecurityConfigurerAdapter myService() {
...
}
}
As you can see here I am using WebSecurityConfigurerAdapter 2 times,and what method could I use to make it work properly in the current version of Spring Configuring WebSecurity?
The recommended way of doing this is registering a SecurityFilterChain bean
you can find detailed information on how to do this in Spring Documentation.
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
I am using a WebSecurityConfigurerAdapter annotated with #EnableWebSecurity to handle basic spring web security:
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
}
When I extend this class, the subclass does not get loaded by Spring, nor are its methods invoked, i.e.:
public class CustomSecurityConfig extends SecurityConfig {
...
}
When I add #Primary and #EnableWebSecurity to my subclass, I get this exception:
java.lang.IllegalStateException: #Order on WebSecurityConfigurers must be unique. Order of 100 was already used on...
How do I tell Spring to use my subclass in lieu of its parent when creating the security object?
You will get this exception if there are two or more classes that implement #EnableWebSecurity annotation and they have same priority.
#Order is used to specify priority in which the beans will be loaded or prioritized by Spring. Lower numbers indicate a higher priority.
So you can do something like this:
#Order(2)
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
}
and for a subclass :
#Order(1)
#EnableWebSecurity
public class CustomSecurityConfig extends SecurityConfig{
}
In this way, Spring will give priority to the child class when creating a security object since it has higher priority
According to #Configuration documentation:
Indicates that a class declares one or more #Bean methods and may be processed by the Spring container to generate bean definitions and service requests for those beans at runtime, for example:
#Configuration
public class AppConfig {
#Bean
public MyBean myBean() {
//instantiate, configure and return bean ...
}
}
As I remember always I came across classes extending WebSecurityConfigurerAdapter which didn't contain any #Bean methods and were annotated with #Configuration.
It is even in official blog and some examples, see:
https://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security
#Configuration
#EnableWebSecurity
public class HelloWebSecurityConfiguration
extends WebSecurityConfigurerAdapter {
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
or here: https://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html
#Order(1) 2
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/api/**") 3
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().hasRole("ADMIN")
)
.httpBasic(withDefaults());
}
}
Why this classes are annotated with #Configuration even though there are no #Bean methods?
Beans are imported using the secondary "#Enable" annotation
Spring features such as asynchronous method execution, scheduled task execution, annotation driven transaction management, and even Spring MVC can be enabled and configured from #Configuration classes using their respective "#Enable" annotations. See #EnableAsync, #EnableScheduling, #EnableTransactionManagement, #EnableAspectJAutoProxy, and #EnableWebMvc for details.
from EnableWebSecurity:
Add this annotation to an #Configuration class to have the Spring Security configuration defined in any WebSecurityConfigurer or more likely by extending the WebSecurityConfigurerAdapter base class and overriding individual methods:
I am trying to extend GlobalMethodSecurityConfiguration with the #EnableGlobalMethodSecurity annotation. I have a separate configuration class that extends WebSecurityConfigurerAdapter with the #EnableWebSecurity annotation.
If I place the #EnableGlobalMethodSecurity on my WebSecurityConfigurerAdapter and not on my GlobalMethodSecurityConfiguration class I am able to see in CglibAopProxy that the method is being intercepted and then invoked. If I remove #EnableGlobalMethodSecurity from WebSecurityConfigurerAdapter and place it on GlobalMethodSecurityConfiguration I no longer see any method interception.
Are the two configurations conflicting? Does anyone have any idea why my methods are no longer properly being invoked after configuring GlobalMethodSecurityConfiguration. I hope to implement method security by extending GlobalMethodSecurityConfiguration so I can provide my own handler and expression root.
I can provide code snippets if needed.
Thanks,
Civerooni
This was solved by the answer in the question Spring Boot: Configure custom MethodSecurityExpressionOperations?. I am not 100% sure why Autowiring my own services, registering them as beans was preventing the method intercept for happening. I suspect it was because it was using different application contexts.
This should be really simple but i cannot figure how to add ProtobufHttpMessageConverter for Spring Controllers while keeping default HttpMessageConverters.
I have setup client side (RestTemplate) but for every request i send there is error 415: content not supported.
Every example i have found so far refers to either Spring Boot or XML configuration, however neither of these work for me.
In the
answer about similar issue,
extending the WebMvcConfigurerAdapter apparently removes default handlers.
It is stated to extend WebMvcConfigurationSupport to keep default handlers, but given implementation doesn't work for Spring 4x as method call super.addDefaultHttpMessageConverters(); requires List of converters.
I have tried variantions on theme but neither seems to work:
#EnableWebMvc
#Configuration
#ComponentScan
public class RestServiceConfiguration extends WebMvcConfigurationSupport {
#Override
public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
converters.add(new ProtobufHttpMessageConverter());
// getMessageConverters().add(new ProtobufHttpMessageConverter());
// super.configureMessageConverters(getMessageConverters());
super.addDefaultHttpMessageConverters(converters);
}
}
Could somebody help me to add ProtobufHttpMessageConverter while keeping default converters, without xml configuration ?
With your approach you could make it work. However due to the fact that you extended WebMvcConfigurationSupport and used #EnableWebMvc is isn't working. You are basically configuring web support twice now, as #EnableWebMvc is importing WebMvcConfigurationSupport (actually DelegatingWebMvcConfiguration).
To make your current setup work remove the #EnableWebMvc annotation.
#Configuration
#ComponentScan
public class RestServiceConfiguration extends WebMvcConfigurationSupport {
#Override
public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
converters.add(new ProtobufHttpMessageConverter());
super.addDefaultHttpMessageConverters(converters);
}
}
However there is a better way, instead of extend WebMvcConfigurationSupport you should extend WebMvcConfigurerAdapter and implement the extendMessageConverters method instead of the configureMessageConverters.
#EnableWebMvc
#Configuration
#ComponentScan
public class RestServiceConfiguration extends WebMvcConfigurerAdapter {
#Override
public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
converters.add(new ProtobufHttpMessageConverter());
}
}
Note: The extendMessageConverters method has been added in Spring 4.1.3 for earlier versions use the first method!