Interface SecurityEnhancer
HttpSecurity setup before a ResourceServerConfigurerAdapter is invoked for final endpoint security configuration. This is especially useful with request matchers for
authentication requirements. For example, often the configuration extending from an adapter
implementation like ResourceServerConfigurerAdapter (e.g. Broadleaf's OAuth2SecurityConfig)
includes a blanket request security requirement like:
http.authorizeHttpRequests(authorize -> authorize.requestMatchers("/**").authenticated());
However, an individual resource tier service may want to allow a certain endpoint call to utilize anonymous authentication. A bean class implementing SecurityEnhancer could achieve this goal by providing configuration like so:
http.authorizeHttpRequests(authorize -> authorize.requestMatchers("/content/**").permitAll());
The SecurityEnhancer's configuration will be put into place before the adapter's configuration, and will therefore take precedence.
Note, SecurityEnhancer is useful when you want to contribute tweaks to an otherwise configured
security system. If you prefer to configure security from scratch, you can omit the
out-of-the-box Broadleaf security library dependency, or configure the Broadleaf security
autoconfiguration to be ignored. Moreover, if Broadleaf has included a SecurityEnhancer component
that you wish to override, you may simply introduce a new SecurityEnhancer bean with the
different, desired configuration and use an Order annotation of higher precedence.
Finally, note that Spring Security itself is unaware of SecurityEnhancer. To take advantage of SecurityEnhancer, a ResourceServerConfigurerAdapter style component must be present that utilizes any SecurityEnhancer beans currently available. Broadleaf's OAuth2SecurityConfig is an example of this for the out-of-the-box OAuth2 security configuration.
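The following bean is an added example, not code from Broadleaf or from this page: it shows a SecurityEnhancer that opens only GET requests under /content/**, so writes to the same path still fall through to the adapter's blanket authenticated() rule. The class name and the use of Ordered.HIGHEST_PRECEDENCE are assumptions, and the SecurityEnhancer import is omitted because its package is not shown here.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.stereotype.Component;

// Assumption: SecurityEnhancer comes from the Broadleaf security library.
// Its package is not given on this page, so add the matching import yourself.

/**
 * Hypothetical enhancer that permits anonymous reads of /content/**.
 * Authorization rules are matched in the order they are registered, so a
 * rule contributed here is consulted before the adapter's "/**" rule.
 * Keep the matcher as narrow as possible: anything it matches never
 * reaches the blanket authenticated() requirement.
 */
@Component
// Assumption: highest precedence is only needed when this bean must win over
// another SecurityEnhancer, as described above for overriding Broadleaf's.
@Order(Ordered.HIGHEST_PRECEDENCE)
public class PublicContentSecurityEnhancer implements SecurityEnhancer {

    @Override
    public void configure(HttpSecurity http) {
        try {
            http.authorizeHttpRequests(authorize -> authorize
                    // Read-only access for anonymous callers; POST, PUT and
                    // DELETE on /content/** still require authentication.
                    .requestMatchers(HttpMethod.GET, "/content/**").permitAll());
        } catch (Exception e) {
            // Fail startup instead of running with a half-applied rule set.
            throw new IllegalStateException(
                    "Could not register anonymous access rule for /content/**", e);
        }
    }
}
```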
- Author: Jeff Fischer
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| void | configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) | |