All Implemented Interfaces:
org.springframework.beans.factory.Aware, org.springframework.context.ApplicationContextAware, SecurityBuilder<jakarta.servlet.Filter>, org.springframework.web.context.ServletContextAware

public final class WebSecurity extends AbstractConfiguredSecurityBuilder<jakarta.servlet.Filter,WebSecurity> implements SecurityBuilder<jakarta.servlet.Filter>, org.springframework.context.ApplicationContextAware, org.springframework.web.context.ServletContextAware

The WebSecurity is created by WebSecurityConfiguration to create the FilterChainProxy known as the Spring Security Filter Chain (springSecurityFilterChain). The springSecurityFilterChain is the Filter that the DelegatingFilterProxy delegates to.

Customizations to the WebSecurity can be made by creating a WebSecurityConfigurer or exposing a WebSecurityCustomizer bean.

Since:
3.2
  • Constructor Details

  • Method Details

    • ignoring

      Allows adding RequestMatcher instances that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on any HttpServletRequest that matches. Typically, only requests for static resources should be registered. For dynamic requests, consider mapping the request to allow all users instead.

      Example Usage:

       // ignore all URLs that start with /resources/ or /static/
       webSecurityBuilder.ignoring()
                         .requestMatchers("/resources/**", "/static/**");

      Alternatively this will accomplish the same result:

       // ignore all URLs that start with /resources/ or /static/
       webSecurityBuilder.ignoring()
                         .requestMatchers("/resources/**").requestMatchers("/static/**");

      Multiple invocations of ignoring() are also additive, so the following is also equivalent to the previous two examples:

       // ignore all URLs that start with /resources/
       webSecurityBuilder.ignoring()
                         .requestMatchers("/resources/**");
       // ignore all URLs that start with /static/
       webSecurityBuilder.ignoring()
                         .requestMatchers("/static/**");
       // now both URLs that start with /resources/ and /static/ will be ignored

      Returns:
      the WebSecurity.IgnoredRequestConfigurer to use for registering requests that should be ignored
    • httpFirewall

      public WebSecurity httpFirewall(org.springframework.security.web.firewall.HttpFirewall httpFirewall)
      Allows customizing the HttpFirewall. The default is StrictHttpFirewall.
      Parameters:
      httpFirewall - the custom HttpFirewall
      Returns:
      the WebSecurity for further customizations
    • debug

      public WebSecurity debug(boolean debugEnabled)
      Controls debugging support for Spring Security.
      Parameters:
      debugEnabled - if true, enables debug support with Spring Security. Default is false.
      Returns:
      the WebSecurity for further customization.
    • addSecurityFilterChainBuilder

      public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends org.springframework.security.web.SecurityFilterChain> securityFilterChainBuilder)

      Adds builders to create SecurityFilterChain instances.

      Typically this method is invoked automatically within the framework from WebSecurityConfiguration.springSecurityFilterChain()

      Parameters:
      securityFilterChainBuilder - the builder to use to create the SecurityFilterChain instances
      Returns:
      the WebSecurity for further customizations
    • privilegeEvaluator

      public WebSecurity privilegeEvaluator(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator privilegeEvaluator)
      Set the WebInvocationPrivilegeEvaluator to be used. If this is not specified, then a RequestMatcherDelegatingWebInvocationPrivilegeEvaluator will be created based on the list of SecurityFilterChain.
      Parameters:
      privilegeEvaluator - the WebInvocationPrivilegeEvaluator to use
      Returns:
      the WebSecurity for further customizations
    • expressionHandler

      public WebSecurity expressionHandler(org.springframework.security.access.expression.SecurityExpressionHandler<org.springframework.security.web.FilterInvocation> expressionHandler)
      Set the SecurityExpressionHandler to be used. If this is not specified, then a DefaultWebSecurityExpressionHandler will be used.
      Parameters:
      expressionHandler - the SecurityExpressionHandler to use
      Returns:
      the WebSecurity for further customizations
    • getExpressionHandler

      public org.springframework.security.access.expression.SecurityExpressionHandler<org.springframework.security.web.FilterInvocation> getExpressionHandler()
      Gets the SecurityExpressionHandler to be used.
      Returns:
      the SecurityExpressionHandler for further customizations
    • getPrivilegeEvaluator

      public org.springframework.security.web.access.WebInvocationPrivilegeEvaluator getPrivilegeEvaluator()
      Gets the WebInvocationPrivilegeEvaluator to be used.
      Returns:
      the WebInvocationPrivilegeEvaluator for further customizations
    • postBuildAction

      public WebSecurity postBuildAction(Runnable postBuildAction)
      Executes the Runnable immediately after the build takes place
      Parameters:
      postBuildAction -
      Returns:
      the WebSecurity for further customizations
    • requestRejectedHandler

      public WebSecurity requestRejectedHandler(org.springframework.security.web.firewall.RequestRejectedHandler requestRejectedHandler)
      Sets the handler to handle RequestRejectedException
      Parameters:
      requestRejectedHandler -
      Returns:
      the WebSecurity for further customizations
      Since:
      5.7
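
An added example (not from the Spring Security documentation) that uses httpFirewall and requestRejectedHandler together: a tightened StrictHttpFirewall plus a handler that logs each RequestRejectedException and answers with 400. The class name, allowed methods and the hostname app.example.org are assumptions.

```java
import java.util.List;
import java.util.logging.Logger;

import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class FirewallConfig {

    private static final Logger log = Logger.getLogger(FirewallConfig.class.getName());

    @Bean
    public WebSecurityCustomizer firewallCustomizer() {
        // Start from the default firewall type and narrow what it accepts.
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowedHttpMethods(List.of("GET", "POST"));
        // Assumed hostname; requests for any other server name are rejected.
        firewall.setAllowedHostnames((host) -> "app.example.org".equals(host));

        // Record the rejection for detection, then answer 400 without a stack trace.
        RequestRejectedHandler handler = (request, response, ex) -> {
            log.warning("Rejected request from " + request.getRemoteAddr()
                    + ": " + printable(ex.getMessage()));
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        };

        return (web) -> web.httpFirewall(firewall).requestRejectedHandler(handler);
    }

    // The rejection message can echo request data; keep control characters out of the log.
    private static String printable(String s) {
        return (s == null) ? "" : s.replaceAll("[^\\x20-\\x7E]", "?");
    }
}
```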
    • performBuild

      protected jakarta.servlet.Filter performBuild() throws Exception
      Description copied from class: AbstractConfiguredSecurityBuilder
      Subclasses must implement this method to build the object that is being returned.
      Specified by:
      performBuild in class AbstractConfiguredSecurityBuilder<jakarta.servlet.Filter,WebSecurity>
      Returns:
      the Object to be built or null if the implementation allows it
      Throws:
      Exception
    • setApplicationContext

      public void setApplicationContext(org.springframework.context.ApplicationContext applicationContext) throws org.springframework.beans.BeansException
      Specified by:
      setApplicationContext in interface org.springframework.context.ApplicationContextAware
      Throws:
      org.springframework.beans.BeansException
    • setServletContext

      public void setServletContext(jakarta.servlet.ServletContext servletContext)
      Specified by:
      setServletContext in interface org.springframework.web.context.ServletContextAware