I am in the middle of process of mirgation my Spring Security Configuration from WebSecurityConfigurerAdapter (deprecated) to configuration with beans.
My config class now looks like
JavaScript
x
@EnableWebSecuritypublic class Config { @Bean protected SecurityFilterChain configure(HttpSecurity http) throws Exception { return http.build(); }}I understand that this configuration doesn’t make any behavior settings, but shouldn’t it return a SecurityFilterChain bean that will act like the default SecurityFilterChain (as if no configuration was specified)? When I start my app no controllers are secured.
Advertisement
Answer
To add security rules and form for endpoints simply add .authorizeRequests() block:
JavaScript
@Configurationpublic class Config { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/unprotected", "/endpoints/**").permitAll() .anyRequest().authenticated() .and() .formLogin(); return http.build(); }}Also read Spring Security without the WebSecurityConfigurerAdapter