Rework security request matchers

Update the security request matchers so that a bean is no longer needed
when the matcher is used. Matchers can now be build by starting from
the `EndpointRequest` or `StaticResourceRequest` classes. For example:

http.authorizeRequests()
  .requestMatchers(EndpointRequest.to("status", "info")).permitAll()
  .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
  .requestMatchers(StaticResourceRequest.toCommonLocations()).permitAll()

Closes gh-7958
This commit is contained in:
Phillip Webb
2017-08-31 16:10:12 -07:00
parent 2e51b48cd9
commit 46dfe38b60
20 changed files with 1294 additions and 29 deletions

View File

@@ -20,6 +20,7 @@ import java.util.Date;
import java.util.Map;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.StaticResourceRequest;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@@ -62,15 +63,14 @@ public class SampleWebSecureApplication implements WebMvcConfigurer {
@Override
protected void configure(HttpSecurity http) throws Exception {
// FIXME
// @formatter:off
// http.authorizeRequests()
// .requestMatchers(staticResources()).permitAll()
// .anyRequest().fullyAuthenticated()
// .and()
// .formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
// .and()
// .logout().permitAll();
http.authorizeRequests()
.requestMatchers(StaticResourceRequest.toCommonLocations()).permitAll()
.anyRequest().fullyAuthenticated()
.and()
.formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
.and()
.logout().permitAll();
// @formatter:on
}