This article details WebSecurityConfigurerAdapter in Spring Security.

Today we continue learning how to customize Spring Security. We have mentioned WebSecurityConfigurerAdapter many times, and we know that the automatic configuration in Spring Boot is actually done by the Spring Boot web security configuration class SpringBootWebSecurityConfiguration, which is imported through the general configuration class SecurityAutoConfiguration under the auto-configuration package.

SpringBootWebSecurityConfiguration source code

Common method
WebSecurityConfigurerAdapter class diagram

Common configuration
Let's paste the common configuration of WebSecurityConfigurerAdapter in the project

You may have noticed that I have overridden (@Override) three configure methods in the WebSecurityConfigurerAdapter above. We generally customize our security access policy through these three methods.

Authentication Manager Configuration Methods
AuthenticationManagerBuilder (Authentication Manager Builder)

void configure(AuthenticationManagerBuilder auth) is used to configure the AuthenticationManager. Put simply, it manages everything related to UserDetails, including the PasswordEncoder used for passwords. If this is unclear, see the earlier article on UserDetail in Spring Security. This article does not analyze AuthenticationManager in detail; a dedicated article will cover it later.

Common usage

Core filter configuration method
WebSecurity (WEB security)

void configure(WebSecurity web) is used to configure WebSecurity. WebSecurity is based on the Servlet Filter mechanism and configures springSecurityFilterChain. The springSecurityFilterChain is in turn delegated to the Spring Security core filter bean, DelegatingFilterProxy. The related logic can be found in WebSecurityConfiguration. We generally don't customize WebSecurity much; mostly we use its ignoring() method to exclude static resources from Spring Security's control.

Security filter chain configuration method
HttpSecurity (HTTP request security processing)

void configure(HttpSecurity http) is the one we use the most; it configures HttpSecurity. HttpSecurity is used to build a security filter chain, SecurityFilterChain, which is eventually injected into the core filter. HttpSecurity carries many of the settings we need, and we use it to customize the security access policy, so it gets a separate section of its own.
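
The three configure overrides described above, shown together as an added example (it is not the article's original listing). It assumes Spring Security 5.x, since WebSecurityConfigurerAdapter is deprecated in 5.7 and removed in 6.0; the class name, sample user and static-resource paths are made up for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example for Spring Security 5.x; class name, user and paths are illustrative.
@Configuration
@EnableWebSecurity
public class CustomSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // 1. AuthenticationManager: where users come from and how passwords are verified.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("demo")                       // constructed sample user
            .password(encoder.encode("change-me"))  // stored hashed, never in plain text
            .roles("USER");
    }

    // 2. WebSecurity: matching requests bypass the filter chain entirely (no authentication,
    //    no CSRF check, no security headers), so list only truly static content here.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/css/**", "/js/**", "/images/**");
    }

    // 3. HttpSecurity: the access policy. CSRF protection and the default security headers
    //    are applied by the adapter before this method runs and stay on unless disabled.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()   // every request needs an authenticated user
            .and().formLogin()                  // form login at the default /login path
            .and().httpBasic();                 // HTTP Basic authentication
    }
}
```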

HttpSecurity configuration
HttpSecurity is the focus of the following articles, where we will use it in practice to implement some real features, so this article pays particular attention to it.

HttpSecurity class diagram

Default configuration

The above is the default configuration of Spring Security in Spring Boot. With this configuration, your application has the following behavior:

  • Every request requires authorization.
  • Login uses a form (the default path is /login), which is the login page we saw in the previous articles.
  • CSRF and XSS attacks are prevented.
  • HTTP Basic Authentication is enabled.

Summary of this article
This article introduced WebSecurityConfigurerAdapter in detail. Later articles will cover HttpSecurity in detail, which is also the part used most in everyday development.
