diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc index 0225671730..359abb3436 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc @@ -23,12 +23,10 @@ You can easily do this with the following Java Configuration: SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .frameOptions(frameOptions -> - frameOptions - .mode(Mode.SAMEORIGIN) - ) + .headers(headers -> headers + .frameOptions(frameOptions -> frameOptions + .mode(Mode.SAMEORIGIN) + ) ); return http.build(); } @@ -46,10 +44,7 @@ An example for both Java configuration is provided below: SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .disable() - ); + .headers(headers -> headers.disable()); return http.build(); } ---- @@ -76,9 +71,8 @@ If necessary, you can also disable Spring Security's cache control HTTP response SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .cache(cache -> cache.disable()) + .headers(headers -> headers + .cache(cache -> cache.disable()) ); return http.build(); } @@ -99,9 +93,8 @@ However, you can disable it in Java Configuration with: SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .contentTypeOptions(contentTypeOptions -> contentTypeOptions.disable()) + .headers(headers -> headers + .contentTypeOptions(contentTypeOptions -> contentTypeOptions.disable()) ); return http.build(); } @@ -122,14 +115,12 @@ For example, the following is an example of explicitly providing HSTS with Java SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .hsts(hsts -> - hsts - .includeSubdomains(true) - .preload(true) - .maxAge(Duration.ofDays(365)) - ) + .headers(headers -> headers + .hsts(hsts -> hsts + .includeSubdomains(true) + .preload(true) + .maxAge(Duration.ofDays(365)) + ) ); return http.build(); } @@ -150,12 +141,10 @@ You can customize frame options to use the same origin within Java Configuration SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .frameOptions(frameOptions -> - frameOptions - .mode(SAMEORIGIN) - ) + .headers(headers -> headers + .frameOptions(frameOptions -> frameOptions + .mode(SAMEORIGIN) + ) ); return http.build(); } @@ -175,9 +164,8 @@ You can disable `X-XSS-Protection` with the following Java Configuration: SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .xssProtection(xssProtection -> xssProtection.disable()) + .headers(headers -> headers + .xssProtection(xssProtection -> xssProtection.disable()) ); return http.build(); } @@ -209,12 +197,10 @@ You can enable the CSP header using Java configuration as shown below: SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .contentSecurityPolicy(contentSecurityPolicy -> - contentSecurityPolicy - .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") - ) + .headers(headers -> headers + .contentSecurityPolicy(policy -> policy + .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") + ) ); return http.build(); } @@ -231,13 +217,11 @@ To enable the CSP `report-only` header, provide the following Java configuration SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .contentSecurityPolicy(contentSecurityPolicy -> - contentSecurityPolicy - .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") - .reportOnly() - ) + .headers(headers -> headers + .contentSecurityPolicy(policy -> policy + .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") + .reportOnly() + ) ); return http.build(); } @@ -258,12 +242,10 @@ You can enable the Referrer Policy header using Java configuration as shown belo SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .referrerPolicy(referrerPolicy -> - referrerPolicy - .policy(ReferrerPolicy.SAME_ORIGIN) - ) + .headers(headers -> headers + .referrerPolicy(referrer -> referrer + .policy(ReferrerPolicy.SAME_ORIGIN) + ) ); return http.build(); } @@ -295,9 +277,8 @@ can enable the Feature Policy header using Java configuration as shown below: SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .headers(headers -> - headers - .featurePolicy("geolocation 'self'") + .headers(headers -> headers + .featurePolicy("geolocation 'self'") ); return http.build(); } diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/http.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/http.adoc index fbcb56383c..20c36393bc 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/http.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/http.adoc @@ -38,9 +38,8 @@ For example, if the production environment adds a header named `X-Forwarded-Prot SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .redirectToHttps(redirectToHttps -> - redirectToHttps - .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")) + .redirectToHttps(redirect -> redirect + .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")) ); return http.build(); } diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/method.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/method.adoc index fb32f0e14e..cc60afaffb 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/method.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/method.adoc @@ -88,9 +88,8 @@ public class SecurityConfig { return http // Demonstrate that method security works // Best practice to use both for defense in depth - .authorizeExchange(exchanges -> - exchanges - .anyExchange().permitAll() + .authorizeExchange(exchanges -> exchanges + .anyExchange().permitAll() ) .httpBasic(withDefaults()) .build(); diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc index c0727d8b92..4c4d5483a3 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc @@ -151,12 +151,11 @@ Additional configuration options can be seen below: SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... - .oauth2Login(oauth2Login -> - oauth2Login - .authenticationConverter(converter) - .authenticationManager(manager) - .authorizedClientRepository(authorizedClients) - .clientRegistrationRepository(clientRegistrations) + .oauth2Login(oauth2 -> oauth2 + .authenticationConverter(converter) + .authenticationManager(manager) + .authorizedClientRepository(authorizedClients) + .clientRegistrationRepository(clientRegistrations) ); return http.build(); } diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc index 4379732e40..252aa13fba 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc @@ -129,9 +129,8 @@ The first is a `SecurityWebFilterChain` that configures the app as a resource se @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http - .authorizeExchange(exchanges -> - exchanges - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .anyExchange().authenticated() ) .oauth2ResourceServer(OAuth2ResourceServerSpec::jwt) return http.build(); @@ -147,14 +146,12 @@ Replacing this is as simple as exposing the bean within the application: @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http - .authorizeExchange(exchanges -> - exchanges - .pathMatchers("/message/**").hasAuthority("SCOPE_message:read") - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .pathMatchers("/message/**").hasAuthority("SCOPE_message:read") + .anyExchange().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .jwt(withDefaults()) + .oauth2ResourceServer(oauth2 -> oauth2 + .jwt(withDefaults()) ); return http.build(); } @@ -190,16 +187,13 @@ An authorization server's JWK Set Uri can be configured < - exchanges - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .anyExchange().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .jwt(jwt -> - jwt - .jwkSetUri("https://idp.example.com/.well-known/jwks.json") - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .jwt(jwt -> jwt + .jwkSetUri("https://idp.example.com/.well-known/jwks.json") + ) ); return http.build(); } @@ -217,16 +211,13 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http - .authorizeExchange(exchanges -> - exchanges - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .anyExchange().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .jwt(jwt -> - jwt - .decoder(myCustomDecoder()) - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .jwt(jwt -> jwt + .decoder(myCustomDecoder()) + ) ); return http.build(); } @@ -398,7 +389,7 @@ This means that to protect an endpoint or method with a scope derived from a JWT @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http - .authorizeExchange(exchanges ->exchanges + .authorizeExchange(exchanges -> exchanges .mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts") .mvcMatchers("/messages/**").hasAuthority("SCOPE_messages") .anyExchange().authenticated() @@ -430,16 +421,13 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`: @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http - .authorizeExchange(exchanges -> - exchanges - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .anyExchange().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .jwt(jwt -> - jwt - .jwtAuthenticationConverter(grantedAuthoritiesExtractor()) - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .jwt(jwt -> jwt + .jwtAuthenticationConverter(grantedAuthoritiesExtractor()) + ) ); return http.build(); } @@ -678,9 +666,8 @@ When use Opaque Token, this `SecurityWebFilterChain` looks like: @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http - .authorizeExchange(exchanges -> - exchanges - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .anyExchange().authenticated() ) .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken) return http.build(); @@ -698,17 +685,14 @@ public class MyCustomSecurityConfiguration { @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http - .authorizeExchange(exchanges -> - exchanges - .pathMatchers("/messages/**").hasAuthority("SCOPE_message:read") - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .pathMatchers("/messages/**").hasAuthority("SCOPE_message:read") + .anyExchange().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .opaqueToken(opaqueToken -> - opaqueToken - .introspector(myIntrospector()) - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .opaqueToken(opaqueToken -> opaqueToken + .introspector(myIntrospector()) + ) ); return http.build(); } @@ -745,17 +729,14 @@ public class DirectlyConfiguredIntrospectionUri { @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http - .authorizeExchange(exchanges -> - exchanges - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .anyExchange().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .opaqueToken(opaqueToken -> - opaqueToken - .introspectionUri("https://idp.example.com/introspect") - .introspectionClientCredentials("client", "secret") - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .opaqueToken(opaqueToken -> opaqueToken + .introspectionUri("https://idp.example.com/introspect") + .introspectionClientCredentials("client", "secret") + ) ); return http.build(); } @@ -776,16 +757,13 @@ public class DirectlyConfiguredIntrospector { @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http - .authorizeExchange(exchanges -> - exchanges - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .anyExchange().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .opaqueToken(opaqueToken -> - opaqueToken - .introspector(myCustomIntrospector()) - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .opaqueToken(opaqueToken -> opaqueToken + .introspector(myCustomIntrospector()) + ) ); return http.build(); } diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc index d5c501acd5..f39c816368 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc @@ -56,9 +56,8 @@ public class HelloWebfluxSecurityConfig { @Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http - .authorizeExchange(exchanges -> - exchanges - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .anyExchange().authenticated() ) .httpBasic(withDefaults()) .formLogin(withDefaults()); diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/x509.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/x509.adoc index 0f2bf6e4c5..452c6417f7 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/x509.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/x509.adoc @@ -10,9 +10,8 @@ Below is an example of a reactive x509 security configuration: public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) { http .x509(withDefaults()) - .authorizeExchange(exchanges -> - exchanges - .anyExchange().permitAll() + .authorizeExchange(exchanges -> exchanges + .anyExchange().permitAll() ); return http.build(); } @@ -37,14 +36,12 @@ public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) { }; http - .x509(x509 -> - x509 - .principalExtractor(principalExtractor) - .authenticationManager(authenticationManager) + .x509(x509 -> x509 + .principalExtractor(principalExtractor) + .authenticationManager(authenticationManager) ) - .authorizeExchange(exchanges -> - exchanges - .anyExchange().authenticated() + .authorizeExchange(exchanges -> exchanges + .anyExchange().authenticated() ); return http.build(); } diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/logout.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/logout.adoc index 4d8cf44b2d..aa806fe295 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/logout.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/logout.adoc @@ -17,17 +17,16 @@ Similar to configuring login capabilities, however, you also have various option [source,java] ---- protected void configure(HttpSecurity http) throws Exception { - http - .logout(logout -> // <1> - logout - .logoutUrl("/my/logout") // <2> - .logoutSuccessUrl("/my/index") // <3> - .logoutSuccessHandler(logoutSuccessHandler) // <4> - .invalidateHttpSession(true) // <5> - .addLogoutHandler(logoutHandler) // <6> - .deleteCookies(cookieNamesToClear) // <7> - ) - ... + http + .logout(logout -> logout // <1> + .logoutUrl("/my/logout") // <2> + .logoutSuccessUrl("/my/index") // <3> + .logoutSuccessHandler(logoutSuccessHandler) // <4> + .invalidateHttpSession(true) // <5> + .addLogoutHandler(logoutHandler) // <6> + .deleteCookies(cookieNamesToClear) // <7> + ) + ... } ---- diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/authorize-requests.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/authorize-requests.adoc index 5875bf6fef..1103bf4303 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/authorize-requests.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/authorize-requests.adoc @@ -9,12 +9,11 @@ For example: ---- protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> // <1> - authorizeRequests - .antMatchers("/resources/**", "/signup", "/about").permitAll() // <2> - .antMatchers("/admin/**").hasRole("ADMIN") // <3> - .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4> - .anyRequest().authenticated() // <5> + .authorizeRequests(authorize -> authorize // <1> + .antMatchers("/resources/**", "/signup", "/about").permitAll() // <2> + .antMatchers("/admin/**").hasRole("ADMIN") // <3> + .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4> + .anyRequest().authenticated() // <5> ) .formLogin(withDefaults()); } diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc index 40a6003c67..6183551ade 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc @@ -140,10 +140,9 @@ or in Java configuration [source,java] ---- http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .antMatchers("/user/**").access("@webSecurity.check(authentication,request)") - ... + .authorizeRequests(authorize -> authorize + .antMatchers("/user/**").access("@webSecurity.check(authentication,request)") + ... ) ---- @@ -181,10 +180,9 @@ or in Java configuration [source,java] ---- http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .antMatchers("/user/{userId}/**").access("@webSecurity.checkUserId(authentication,#userId)") - ... + .authorizeRequests(authorize -> authorize + .antMatchers("/user/{userId}/**").access("@webSecurity.checkUserId(authentication,#userId)") + ... ); ---- diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/csrf.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/csrf.adoc index 4c0464df53..a9933d3666 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/csrf.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/csrf.adoc @@ -70,9 +70,8 @@ public class WebSecurityConfig extends @Override protected void configure(HttpSecurity http) { http - .csrf(csrf -> - csrf - .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) + .csrf(csrf -> csrf + .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) ); } } @@ -119,9 +118,7 @@ public class WebSecurityConfig extends @Override protected void configure(HttpSecurity http) { http - .csrf(csrf -> - csrf.disable() - ); + .csrf(csrf -> csrf.disable()); } } ---- @@ -303,9 +300,8 @@ public class WebSecurityConfig extends @Override protected void configure(HttpSecurity http) { http - .logout(logout -> - logout - .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) + .logout(logout -> logout + .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) ); } } diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/headers.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/headers.adoc index 19a7b55e5a..7ed5683dcc 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/headers.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/headers.adoc @@ -27,11 +27,10 @@ public class WebSecurityConfig extends protected void configure(HttpSecurity http) { http // ... - .headers(headers -> - headers - .frameOptions(frameOptions -> - frameOptions.sameOrigin() - ) + .headers(headers -> headers + .frameOptions(frameOptions -> frameOptions + .sameOrigin() + ) ); } } @@ -69,11 +68,10 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http // ... - .headers(headers -> - headers - // do not use any default headers unless explicitly listed - .defaultsDisabled() - .cacheControl(withDefaults()) + .headers(headers -> headers + // do not use any default headers unless explicitly listed + .defaultsDisabled() + .cacheControl(withDefaults()) ); } } @@ -105,9 +103,7 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http // ... - .headers(headers -> - headers.disable() - ); + .headers(headers -> headers.disable()); } } ---- @@ -149,10 +145,8 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http // ... - .headers(headers -> - headers.cacheControl(cache -> - cache.disabled() - ) + .headers(headers -> headers + .cacheControl(cache -> cache.disable()) ); } } @@ -194,10 +188,8 @@ public class WebSecurityConfig extends protected void configure(HttpSecurity http) { http // ... - .headers(headers -> - headers.contentTypeOptions(contentType -> - contentType.disabled() - ) + .headers(headers -> headers + .contentTypeOptions(contentTypeOptions -> contentTypeOptions.disable()) ); } } @@ -239,14 +231,12 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http // ... - .headers(headers -> - headers - .httpStrictTransportSecurity(hsts -> - hsts - .includeSubDomains(true) - .preload(true) - .maxAgeInSeconds(31536000) - ) + .headers(headers -> headers + .httpStrictTransportSecurity(hsts -> hsts + .includeSubDomains(true) + .preload(true) + .maxAgeInSeconds(31536000) + ) ); } } @@ -291,14 +281,12 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http // ... - .headers(headers -> - headers - .httpPublicKeyPinning(hpkp -> - hpkp - .includeSubDomains(true) - .reportUri("https://example.net/pkp-report") - .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=") - ) + .headers(headers -> headers + .httpPublicKeyPinning(hpkp -> hpkp + .includeSubDomains(true) + .reportUri("https://example.net/pkp-report") + .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=") + ) ); } } @@ -348,12 +336,10 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http // ... - .headers(headers -> - headers - .frameOptions(frameOptions -> - frameOptions - .sameOrigin() - ) + .headers(headers -> headers + .frameOptions(frameOptions -> frameOptions + .sameOrigin() + ) ); } } @@ -397,12 +383,10 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http // ... - .headers(headers -> - headers - .xssProtection(xssProtection -> - xssProtection - .block(false) - ) + .headers(headers -> headers + .xssProtection(xss -> xss + .block(false) + ) ); } } @@ -456,12 +440,10 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http // ... - .headers(headers -> - headers - .contentSecurityPolicy(csp -> - csp - .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") - ) + .headers(headers -> headers + .contentSecurityPolicy(csp -> csp + .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") + ) ); } } @@ -499,13 +481,11 @@ public class WebSecurityConfig extends protected void configure(HttpSecurity http) throws Exception { http // ... - .headers(headers -> - headers - .contentSecurityPolicy(csp -> - csp - .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") - .reportOnly() - ) + .headers(headers -> headers + .contentSecurityPolicy(csp -> csp + .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/") + .reportOnly() + ) ); } } @@ -548,12 +528,10 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http // ... - .headers(headers -> - headers - .referrerPolicy(referrerPolicy -> - referrerPolicy - .policy(ReferrerPolicy.SAME_ORIGIN) - ) + .headers(headers -> headers + .referrerPolicy(referrer -> referrer + .policy(ReferrerPolicy.SAME_ORIGIN) + ) ); } } @@ -605,9 +583,8 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http // ... - .headers(headers -> - headers - .featurePolicy("geolocation 'self'") + .headers(headers -> headers + .featurePolicy("geolocation 'self'") ); } } @@ -694,9 +671,8 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http // ... - .headers(headers -> - headers - .addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value")) + .headers(headers -> headers + .addHeaderWriter(new StaticHeadersWriter("X-Custom-Security-Header","header-value")) ); } } @@ -739,9 +715,8 @@ WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http // ... - .headers(headers -> - headers - .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)) + .headers(headers -> headers + .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)) ); } } @@ -794,12 +769,9 @@ WebSecurityConfigurerAdapter { new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter()); http // ... - .headers(headers -> - headers - .frameOptions(frameOptions -> - frameOptions.disable() - ) - .addHeaderWriter(headerWriter) + .headers(headers -> headers + .frameOptions(frameOptions -> frameOptions.disable()) + .addHeaderWriter(headerWriter) ); } } diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/http.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/http.adoc index 18593d83e3..c3e7b8a534 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/http.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/http.adoc @@ -25,9 +25,8 @@ public class WebSecurityConfig extends protected void configure(HttpSecurity http) { http // ... - .requiresChannel(channel -> - channel - .anyRequest().requiresSecure() + .requiresChannel(channel -> channel + .anyRequest().requiresSecure() ); } } diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/mvc.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/mvc.adoc index 4c779e6408..6b1f36558e 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/mvc.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/mvc.adoc @@ -102,9 +102,8 @@ If we wanted to restrict access to this controller method to admin users, a deve ---- protected configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .antMatchers("/admin").hasRole("ADMIN") + .authorizeRequests(authorize -> authorize + .antMatchers("/admin").hasRole("ADMIN") ); } ---- @@ -133,9 +132,8 @@ The following configuration will protect the same URLs that Spring MVC will matc ---- protected configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .mvcMatchers("/admin").hasRole("ADMIN") + .authorizeRequests(authorize -> authorize + .mvcMatchers("/admin").hasRole("ADMIN") ); } ---- diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/websocket.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/websocket.adoc index 1fb7dfd0c6..beb39fa04f 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/websocket.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/websocket.adoc @@ -319,18 +319,16 @@ Similarly, you can customize frame options to use the same origin within Java Co public class WebSecurityConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers(headers -> - headers - .frameOptions(frameOptions -> - frameOptions - .sameOrigin() - ) - ); - } + @Override + protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers(headers -> headers + .frameOptions(frameOptions -> frameOptions + .sameOrigin() + ) + ); + } } ---- @@ -361,20 +359,17 @@ public class WebSecurityConfig @Override protected void configure(HttpSecurity http) throws Exception { http - .csrf(csrf -> - csrf - // ignore our stomp endpoints since they are protected using Stomp headers - .ignoringAntMatchers("/chat/**") + .csrf(csrf -> csrf + // ignore our stomp endpoints since they are protected using Stomp headers + .ignoringAntMatchers("/chat/**") ) - .headers(headers -> - headers - // allow same origin to frame our site to support iframe SockJS - .frameOptions(frameOptions -> - frameOptions - .sameOrigin() - ) + .headers(headers -> headers + // allow same origin to frame our site to support iframe SockJS + .frameOptions(frameOptions -> frameOptions + .sameOrigin() + ) ) - .authorizeRequests(authorizeRequests -> + .authorizeRequests(authorize -> authorize ... ) ... diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/java-configuration/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/java-configuration/index.adoc index c29b009bb8..8792c03432 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/java-configuration/index.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/java-configuration/index.adoc @@ -140,9 +140,8 @@ It has a method called `configure` with the following default implementation: ---- protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) .formLogin(withDefaults()) .httpBasic(withDefaults()); @@ -192,9 +191,8 @@ public class MultiHttpSecurityConfig { protected void configure(HttpSecurity http) throws Exception { http .antMatcher("/api/**") <3> - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().hasRole("ADMIN") + .authorizeRequests(authorize -> authorize + .anyRequest().hasRole("ADMIN") ) .httpBasic(withDefaults()); } @@ -206,9 +204,8 @@ public class MultiHttpSecurityConfig { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) .formLogin(withDefaults()); } @@ -326,16 +323,15 @@ For example, if you wanted to configure the `filterSecurityPublishAuthorizationS @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() - .withObjectPostProcessor(new ObjectPostProcessor() { - public O postProcess( - O fsi) { - fsi.setPublishAuthorizationSuccess(true); - return fsi; - } - }) + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() + .withObjectPostProcessor(new ObjectPostProcessor() { + public O postProcess( + O fsi) { + fsi.setPublishAuthorizationSuccess(true); + return fsi; + } + }) ); } ---- diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc index 471b0fe826..b0ec21a87a 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc @@ -27,17 +27,15 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Client(oauth2Client -> - oauth2Client - .clientRegistrationRepository(this.clientRegistrationRepository()) - .authorizedClientRepository(this.authorizedClientRepository()) - .authorizedClientService(this.authorizedClientService()) - .authorizationCodeGrant(authorizationCodeGrant -> - authorizationCodeGrant - .authorizationRequestRepository(this.authorizationRequestRepository()) - .authorizationRequestResolver(this.authorizationRequestResolver()) - .accessTokenResponseClient(this.accessTokenResponseClient()) - ) + .oauth2Client(oauth2 -> oauth2 + .clientRegistrationRepository(this.clientRegistrationRepository()) + .authorizedClientRepository(this.authorizedClientRepository()) + .authorizedClientService(this.authorizedClientService()) + .authorizationCodeGrant(codeGrant -> codeGrant + .authorizationRequestRepository(this.authorizationRequestRepository()) + .authorizationRequestResolver(this.authorizationRequestResolver()) + .accessTokenResponseClient(this.accessTokenResponseClient()) + ) ); } } @@ -465,18 +463,16 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .oauth2Login(oauth2Login -> - oauth2Login - .authorizationEndpoint(authorizationEndpoint -> - authorizationEndpoint - .authorizationRequestResolver( - new CustomAuthorizationRequestResolver( - this.clientRegistrationRepository)) <1> + .oauth2Login(oauth2 -> oauth2 + .authorizationEndpoint(authorization -> authorization + .authorizationRequestResolver( + new CustomAuthorizationRequestResolver( + this.clientRegistrationRepository) <1> ) + ) ); } } @@ -595,13 +591,11 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Client(oauth2Client -> - oauth2Client - .authorizationCodeGrant(authorizationCodeGrant -> - authorizationCodeGrant - .authorizationRequestRepository(this.authorizationRequestRepository()) - ... - ) + .oauth2Client(oauth2 -> oauth2 + .authorizationCodeGrant(codeGrant -> codeGrant + .authorizationRequestRepository(this.authorizationRequestRepository()) + ... + ) ); } } @@ -659,13 +653,11 @@ public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Client(oauth2Client -> - oauth2Client - .authorizationCodeGrant(authorizationCodeGrant -> - authorizationCodeGrant - .accessTokenResponseClient(this.accessTokenResponseClient()) - ... - ) + .oauth2Client(oauth2 -> oauth2 + .authorizationCodeGrant(codeGrant -> codeGrant + .accessTokenResponseClient(this.accessTokenResponseClient()) + ... + ) ); } } diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc index 1dc66cbae2..7fd9b5a66a 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc @@ -291,9 +291,8 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) .oauth2Login(withDefaults()); } @@ -317,9 +316,8 @@ public class OAuth2LoginConfig { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) .oauth2Login(withDefaults()); } @@ -366,9 +364,8 @@ public class OAuth2LoginConfig { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) .oauth2Login(withDefaults()); } @@ -418,24 +415,19 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login(oauth2Login -> - oauth2Login - .authorizationEndpoint(authorizationEndpoint -> - authorizationEndpoint - ... - ) - .redirectionEndpoint(redirectionEndpoint -> - redirectionEndpoint - ... - ) - .tokenEndpoint(tokenEndpoint -> - tokenEndpoint - ... - ) - .userInfoEndpoint(userInfoEndpoint -> - userInfoEndpoint - ... - ) + .oauth2Login(oauth2 -> oauth2 + .authorizationEndpoint(authorization -> authorization + ... + ) + .redirectionEndpoint(redirection -> redirection + ... + ) + .tokenEndpoint(token -> token + ... + ) + .userInfoEndpoint(userInfo -> userInfo + ... + ) ); } } @@ -470,33 +462,28 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login(oauth2Login -> - oauth2Login - .clientRegistrationRepository(this.clientRegistrationRepository()) - .authorizedClientRepository(this.authorizedClientRepository()) - .authorizedClientService(this.authorizedClientService()) - .loginPage("/login") - .authorizationEndpoint(authorizationEndpoint -> - authorizationEndpoint - .baseUri(this.authorizationRequestBaseUri()) - .authorizationRequestRepository(this.authorizationRequestRepository()) - .authorizationRequestResolver(this.authorizationRequestResolver()) - ) - .redirectionEndpoint(redirectionEndpoint -> - redirectionEndpoint - .baseUri(this.authorizationResponseBaseUri()) - ) - .tokenEndpoint(tokenEndpoint -> - tokenEndpoint - .accessTokenResponseClient(this.accessTokenResponseClient()) - ) - .userInfoEndpoint(userInfoEndpoint -> - userInfoEndpoint - .userAuthoritiesMapper(this.userAuthoritiesMapper()) - .userService(this.oauth2UserService()) - .oidcUserService(this.oidcUserService()) - .customUserType(GitHubOAuth2User.class, "github") - ) + .oauth2Login(oauth2 -> oauth2 + .clientRegistrationRepository(this.clientRegistrationRepository()) + .authorizedClientRepository(this.authorizedClientRepository()) + .authorizedClientService(this.authorizedClientService()) + .loginPage("/login") + .authorizationEndpoint(authorization -> authorization + .baseUri(this.authorizationRequestBaseUri()) + .authorizationRequestRepository(this.authorizationRequestRepository()) + .authorizationRequestResolver(this.authorizationRequestResolver()) + ) + .redirectionEndpoint(redirection -> redirection + .baseUri(this.authorizationResponseBaseUri()) + ) + .tokenEndpoint(token -> token + .accessTokenResponseClient(this.accessTokenResponseClient()) + ) + .userInfoEndpoint(userInfo -> userInfo + .userAuthoritiesMapper(this.userAuthoritiesMapper()) + .userService(this.oauth2UserService()) + .oidcUserService(this.oidcUserService()) + .customUserType(GitHubOAuth2User.class, "github") + ) ); } } @@ -542,15 +529,13 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login(oauth2Login -> - oauth2Login - .loginPage("/login/oauth2") + .oauth2Login(oauth2 -> oauth2 + .loginPage("/login/oauth2") + ... + .authorizationEndpoint(authorization -> authorization + .baseUri("/login/oauth2/authorization") ... - .authorizationEndpoint(authorizationEndpoint -> - authorizationEndpoint - .baseUri("/login/oauth2/authorization") - ... - ) + ) ); } } @@ -594,13 +579,11 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login(oauth2Login -> - oauth2Login - .redirectionEndpoint(redirectionEndpoint -> - redirectionEndpoint - .baseUri("/login/oauth2/callback/*") - ... - ) + .oauth2Login(oauth2 -> oauth2 + .redirectionEndpoint(redirection -> redirection + .baseUri("/login/oauth2/callback/*") + ... + ) ); } } @@ -661,13 +644,11 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login(oauth2Login -> - oauth2Login - .userInfoEndpoint(userInfoEndpoint -> - userInfoEndpoint - .userAuthoritiesMapper(this.userAuthoritiesMapper()) - ... - ) + .oauth2Login(oauth2 -> oauth2 + .userInfoEndpoint(userInfo -> userInfo + .userAuthoritiesMapper(this.userAuthoritiesMapper()) + ... + ) ); } @@ -740,13 +721,11 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login(oauth2Login -> - oauth2Login - .userInfoEndpoint(userInfoEndpoint -> - userInfoEndpoint - .oidcUserService(this.oidcUserService()) - ... - ) + .oauth2Login(oauth2 -> oauth2 + .userInfoEndpoint(userInfo -> userInfo + .oidcUserService(this.oidcUserService()) + ... + ) ); } @@ -791,13 +770,11 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login(oauth2Login -> - oauth2Login - .userInfoEndpoint(userInfoEndpoint -> - userInfoEndpoint - .customUserType(GitHubOAuth2User.class, "github") - ... - ) + .oauth2Login(oauth2 -> oauth2 + .userInfoEndpoint(userInfo -> userInfo + .customUserType(GitHubOAuth2User.class, "github") + ... + ) ); } } @@ -909,13 +886,11 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login(oauth2Login -> - oauth2Login - .userInfoEndpoint(userInfoEndpoint -> - userInfoEndpoint - .userService(this.oauth2UserService()) - ... - ) + .oauth2Login(oauth2 -> oauth2 + .userInfoEndpoint(userInfo -> userInfo + .userService(this.oauth2UserService()) + ... + ) ); } @@ -945,13 +920,11 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .oauth2Login(oauth2Login -> - oauth2Login - .userInfoEndpoint(userInfoEndpoint -> - userInfoEndpoint - .oidcUserService(this.oidcUserService()) - ... - ) + .oauth2Login(oauth2 -> oauth2 + .userInfoEndpoint(userInfo -> userInfo + .oidcUserService(this.oidcUserService()) + ... + ) ); } @@ -1031,14 +1004,12 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) .oauth2Login(withDefaults()) - .logout(logout -> - logout - .logoutSuccessHandler(oidcLogoutSuccessHandler()) + .logout(logout -> logout + .logoutSuccessHandler(oidcLogoutSuccessHandler()) ); } diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc index 03e331d63c..9634a436e6 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc @@ -128,9 +128,8 @@ The first is a `WebSecurityConfigurerAdapter` that configures the app as a resou ---- protected void configure(HttpSecurity http) { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); } @@ -146,17 +145,14 @@ Replacing this is as simple as exposing the bean within the application: public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") + .anyRequest().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .jwt(jwt -> - jwt - .jwtAuthenticationConverter(myConverter()) - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .jwt(jwt -> jwt + .jwtAuthenticationConverter(myConverter()) + ) ); } } @@ -194,16 +190,13 @@ An authorization server's JWK Set Uri can be configured < - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .jwt(jwt -> - jwt - .jwkSetUri("https://idp.example.com/.well-known/jwks.json") - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .jwt(jwt -> jwt + .jwkSetUri("https://idp.example.com/.well-known/jwks.json") + ) ); } } @@ -222,16 +215,13 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a public class DirectlyConfiguredJwtDecoder extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .jwt(jwt -> - jwt - .decoder(myCustomDecoder()) - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .jwt(jwt -> jwt + .decoder(myCustomDecoder()) + ) ); } } @@ -427,7 +417,7 @@ This means that to protect an endpoint or method with a scope derived from a JWT public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests(authorizeRequests -> authorizeRequests + .authorizeRequests(authorize -> authorize .mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts") .mvcMatchers("/messages/**").hasAuthority("SCOPE_messages") .anyRequest().authenticated() @@ -460,16 +450,13 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`: public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .jwt(jwt -> - jwt - .jwtAuthenticationConverter(grantedAuthoritiesExtractor()) - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .jwt(jwt -> jwt + .jwtAuthenticationConverter(grantedAuthoritiesExtractor()) + ) ); } } @@ -828,9 +815,8 @@ When use Opaque Token, this `WebSecurityConfigurerAdapter` looks like: ---- protected void configure(HttpSecurity http) { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken); } @@ -846,17 +832,14 @@ Replacing this is as simple as exposing the bean within the application: public class MyCustomSecurityConfiguration extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .mvcMatchers("/messages/**").hasAuthority("SCOPE_message:read") + .anyRequest().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .opaqueToken(opaqueToken -> - opaqueToken - .introspector(myIntrospector()) - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .opaqueToken(opaqueToken -> opaqueToken + .introspector(myIntrospector()) + ) ); } } @@ -891,17 +874,14 @@ An authorization server's Introspection Uri can be configured < - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .opaqueToken(opaqueToken -> - opaqueToken - .introspectionUri("https://idp.example.com/introspect") - .introspectionClientCredentials("client", "secret") - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .opaqueToken(opaqueToken -> opaqueToken + .introspectionUri("https://idp.example.com/introspect") + .introspectionClientCredentials("client", "secret") + ) ); } } @@ -920,16 +900,13 @@ More powerful than `introspectionUri()` is `introspector()`, which will complete public class DirectlyConfiguredIntrospector extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .opaqueToken(opaqueToken -> - opaqueToken - .introspector(myCustomIntrospector()) - ) + .oauth2ResourceServer(oauth2 -> oauth2 + .opaqueToken(opaqueToken -> opaqueToken + .introspector(myCustomIntrospector()) + ) ); } } @@ -1220,13 +1197,11 @@ And then specify this `AuthenticationManagerResolver` in the DSL: [source,java] ---- http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .authenticationManagerResolver(this.tokenAuthenticationManagerResolver) + .oauth2ResourceServer(oauth2 -> oauth2 + .authenticationManagerResolver(this.tokenAuthenticationManagerResolver) ); ---- @@ -1253,13 +1228,11 @@ JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIs ("https://idp.example.org/issuerOne", "https://idp.example.org/issuerTwo"); http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .authenticationManagerResolver(authenticationManagerResolver) + .oauth2ResourceServer(oauth2 -> oauth2 + .authenticationManagerResolver(authenticationManagerResolver) ); ---- @@ -1286,13 +1259,11 @@ JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(authenticationManagers::get); http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .authenticationManagerResolver(authenticationManagerResolver) + .oauth2ResourceServer(oauth2 -> oauth2 + .authenticationManagerResolver(authenticationManagerResolver) ); ---- @@ -1443,9 +1414,8 @@ To achieve this, you can wire a `HeaderBearerTokenResolver` instance into the DS [source,java] ---- http - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion")) + .oauth2ResourceServer(oauth2 -> oauth2 + .bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion")) ); ---- @@ -1458,9 +1428,8 @@ Or, you may wish to read the token from a form parameter, which you can do by co DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver(); resolver.setAllowFormEncodedBodyParameter(true); http - .oauth2ResourceServer(oauth2ResourceServer -> - oauth2ResourceServer - .bearerTokenResolver(resolver) + .oauth2ResourceServer(oauth2 -> oauth2 + .bearerTokenResolver(resolver) ); ---- diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc index 0a7d504926..55b09bd20d 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc @@ -85,9 +85,8 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) .saml2Login(withDefaults()) ; @@ -105,13 +104,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .saml2Login(saml2Login -> - saml2Login - .relyingPartyRegistrationRepository(...) + .saml2Login(saml2 -> saml2 + .relyingPartyRegistrationRepository(...) ) ; } @@ -262,13 +259,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter { }; http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .saml2Login(saml2Login -> - saml2Login - .addObjectPostProcessor(processor) + .saml2Login(saml2 -> saml2 + .addObjectPostProcessor(processor) ) ; } @@ -291,13 +286,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter { authProvider.setAuthoritiesMapper(AUTHORITIES_MAPPER); authProvider.setAuthoritiesExtractor(AUTHORITIES_EXTRACTOR); http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .saml2Login(saml2Login -> - saml2Login - .authenticationManager(new ProviderManager(asList(authProvider))) + .saml2Login(saml2 -> saml2 + .authenticationManager(new ProviderManager(asList(authProvider))) ) ; } @@ -319,13 +312,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { AuthenticationManager authenticationManager = new MySaml2AuthenticationManager(...); http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .anyRequest().authenticated() + .authorizeRequests(authorize -> authorize + .anyRequest().authenticated() ) - .saml2Login(saml2Login -> - saml2Login - .authenticationManager(authenticationManager) + .saml2Login(saml2 -> saml2 + .authenticationManager(authenticationManager) ) ; } diff --git a/samples/boot/hellowebflux-method/src/main/java/sample/SecurityConfig.java b/samples/boot/hellowebflux-method/src/main/java/sample/SecurityConfig.java index 8fe6d52139..cf8cd0e92b 100644 --- a/samples/boot/hellowebflux-method/src/main/java/sample/SecurityConfig.java +++ b/samples/boot/hellowebflux-method/src/main/java/sample/SecurityConfig.java @@ -40,9 +40,8 @@ public class SecurityConfig { return http // Demonstrate that method security works // Best practice to use both for defense in depth - .authorizeExchange(exchanges -> - exchanges - .anyExchange().permitAll() + .authorizeExchange(exchanges -> exchanges + .anyExchange().permitAll() ) .httpBasic(withDefaults()) .build(); diff --git a/samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index f8684a2edd..9d7cf4c34c 100644 --- a/samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java @@ -34,15 +34,13 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests(authorizeRequests -> - authorizeRequests - .antMatchers("/css/**", "/index").permitAll() - .antMatchers("/user/**").hasRole("USER") + .authorizeRequests(authorize -> authorize + .antMatchers("/css/**", "/index").permitAll() + .antMatchers("/user/**").hasRole("USER") ) - .formLogin(formLogin -> - formLogin - .loginPage("/login") - .failureUrl("/login-error") + .formLogin(formLogin -> formLogin + .loginPage("/login") + .failureUrl("/login-error") ); } // @formatter:on