diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
index 21bc5d22a3..cf31cfeadc 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -1294,6 +1294,36 @@ public final class HttpSecurity extends
return getOrApply(new ServletApiConfigurer<>());
}
+ /**
+ * Integrates the {@link HttpServletRequest} methods with the values found on the
+ * {@link SecurityContext}. This is automatically applied when using
+ * {@link WebSecurityConfigurerAdapter}. You can disable it using:
+ *
+ *
+ * @Configuration
+ * @EnableWebSecurity
+ * public class ServletApiSecurityConfig extends WebSecurityConfigurerAdapter {
+ *
+ * @Override
+ * protected void configure(HttpSecurity http) throws Exception {
+ * http
+ * .servletApi(servletApi ->
+ * servletApi.disable()
+ * );
+ * }
+ * }
+ *
+ *
+ * @param servletApiCustomizer the {@link Customizer} to provide more options for
+ * the {@link ServletApiConfigurer}
+ * @return the {@link HttpSecurity} for further customizations
+ * @throws Exception
+ */
+ public HttpSecurity servletApi(Customizer> servletApiCustomizer) throws Exception {
+ servletApiCustomizer.customize(getOrApply(new ServletApiConfigurer<>()));
+ return HttpSecurity.this;
+ }
+
/**
* Adds CSRF support. This is activated by default when using
* {@link WebSecurityConfigurerAdapter}'s default constructor. You can disable it
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java
index dcf96fa2d8..b390d00493 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java
@@ -47,6 +47,7 @@ import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
+import static org.springframework.security.config.Customizer.withDefaults;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
@@ -230,6 +231,53 @@ public class ServletApiConfigurerTests {
}
}
+ @Test
+ public void requestWhenServletApiWithDefaultsInLambdaThenUsesDefaultRolePrefix() throws Exception {
+ this.spring.register(ServletApiWithDefaultsInLambdaConfig.class, AdminController.class).autowire();
+
+ this.mvc.perform(get("/admin")
+ .with(user("user").authorities(AuthorityUtils.createAuthorityList("ROLE_ADMIN"))))
+ .andExpect(status().isOk());
+ }
+
+ @EnableWebSecurity
+ static class ServletApiWithDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .servletApi(withDefaults());
+ // @formatter:on
+ }
+ }
+
+ @Test
+ public void requestWhenRolePrefixInLambdaThenUsesCustomRolePrefix() throws Exception {
+ this.spring.register(RolePrefixInLambdaConfig.class, AdminController.class).autowire();
+
+ this.mvc.perform(get("/admin")
+ .with(user("user").authorities(AuthorityUtils.createAuthorityList("PERMISSION_ADMIN"))))
+ .andExpect(status().isOk());
+
+ this.mvc.perform(get("/admin")
+ .with(user("user").authorities(AuthorityUtils.createAuthorityList("ROLE_ADMIN"))))
+ .andExpect(status().isForbidden());
+ }
+
+ @EnableWebSecurity
+ static class RolePrefixInLambdaConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .servletApi(servletApi ->
+ servletApi
+ .rolePrefix("PERMISSION_")
+ );
+ // @formatter:on
+ }
+ }
+
@RestController
static class AdminController {
@GetMapping("/admin")