Skip to content
Advertisement

SecurityFilterChain Bean doesn’t protect app

I am in the middle of process of mirgation my Spring Security Configuration from WebSecurityConfigurerAdapter (deprecated) to configuration with beans.

My config class now looks like

@EnableWebSecurity
public class Config {

    @Bean
    protected SecurityFilterChain configure(HttpSecurity http) throws Exception {
        return http.build();
    }

}

I understand that this configuration doesn’t make any behavior settings, but shouldn’t it return a SecurityFilterChain bean that will act like the default SecurityFilterChain (as if no configuration was specified)? When I start my app no controllers are secured.

Advertisement

Answer

To add security rules and form for endpoints simply add .authorizeRequests() block:

@Configuration
public class Config {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/unprotected", "/endpoints/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin();
        return http.build();
    }
}

Also read Spring Security without the WebSecurityConfigurerAdapter

2 People found this is helpful
Advertisement