I have upgraded my Spring Boot application from version 2.6.15 to version 3.1.12. But it appears that some methods have been renamed and their positions have changed. For example antMatcher() doesn't exist anymore. I found out that there is requestMatchers() within authorizeHttpRequests(), but then access() doesn't accept a string. And also I don't know where I should put oauth2ResourceServer() and jwt().
The following is my current code which doesn't work because antMatcher() does not exist anymore:
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf(AbstractHttpConfigurer::disable)
            .antMatcher("/**") // <----- the method no longer exists
            .authorizeRequests().anyRequest()
            .access("@webSecurityAccess.hasAccess(authentication)") // SpEL string, bean reference
            .and()
            .oauth2ResourceServer()
            .jwt();
        return http.build();
    }

    @Bean
    WebSecurityAccess webSecurityAccess() {
        return new WebSecurityAccess();
    }

    @Bean
    WebSecurityCustomizer webSecurityCustomizer() {
        // health endpoint bypasses the security filter chain entirely
        return (web) -> web.ignoring().requestMatchers("/**/actuator/health");
    }

    public static class WebSecurityAccess {
        @Value("${om.test.app.client-id}")
        private String omTestAppClientId;

        // grants access only when the JWT carries the configured clientId claim
        public boolean hasAccess(Authentication authentication) {
            return authentication.isAuthenticated() && authentication.getPrincipal() instanceof Jwt
                && omTestAppClientId.equals(((Jwt) authentication.getPrincipal()).getClaims().get("clientId"));
        }
    }
}
How should I fix this problem with antMatcher() and access()? Or are there any good tutorials?
asked Apr 1 at 10:42 by ilhan

1 Answer
Although there is no good tutorial, I have made a usable example with OAuth for you to consider. I have tried all the steps described below.
The repository is here. I have tested the code, and I logged in via OAuth Apps.
To try the application, you need
git clone https://github.com/Hdvlp/SpringBootSecurityFilterChainMigration.git
and other steps in developing a Spring Boot application (not a complete tutorial here).
To create your OAuth App, you need these. Fill in:
- your client-id and client-secret in application.yml
- Homepage URL: http://127.0.0.1:8080
- Authorization callback URL: http://127.0.0.1:8080/login/oauth2/code/github
After running the Spring Boot application locally, open in the browser:
http://127.0.0.1:8080
You may try other paths in the browser to see the effect before and after logging in, e.g.
http://127.0.0.1:8080/member/area
http://127.0.0.1:8080/actuator/health/servicea
As illustrated below, you need to decide what paths are in what order.
This is what I tried. The logic of evaluation is like this:
The @Order which is smaller in number wins. The path matching matchedPaths wins.
If you have two @Order annotations with the same matchedPaths, and one @Order contains a smaller value, the latter wins. (The SecurityFilterChain with the larger @Order annotation produces no effect.) You can try different values of @Order annotations to verify this.
If you have two SecurityFilterChains with different matchedPaths, and one of these SecurityFilterChains is marked with an @Order(100) annotation and the other one with an @Order(200) annotation, both SecurityFilterChains are valid and work when matching their matchedPaths respectively.
As far as I tried, matching "/actuator/health/**" (left prefix) works, whereas matching "/**/actuator/health" (right suffix) does not work (easily). You may need to change your paths accordingly.
// Both beans live inside a @Configuration class annotated with @EnableWebSecurity.
@Bean
@Order(400)
SecurityFilterChain securityFilterChainPermitAll(HttpSecurity http) throws Exception {
    String[] matchedPaths = { "/permit", "/permit/**" };
    http
        .csrf(AbstractHttpConfigurer::disable)
        .securityMatcher(matchedPaths)          // this chain only handles these paths
        .authorizeHttpRequests(
            auth ->
                auth
                    .requestMatchers(matchedPaths)
                    .permitAll()
        );
    return http.build();
}

@Bean
@Order(500)
SecurityFilterChain securityFilterChainActuator(HttpSecurity http) throws Exception {
    String[] matchedPaths = { "/actuator/health/**" };  // prefix pattern, see note above
    http
        .csrf(AbstractHttpConfigurer::disable)
        .securityMatcher(matchedPaths)
        .authorizeHttpRequests(
            auth ->
                auth
                    .requestMatchers(matchedPaths)
                    .permitAll()
        );
    return http.build();
}
Using @Order(500) with three digits is a nice thing to do because when you need to insert another SecurityFilterChain before this one, you can use @Order(499). You can insert another SecurityFilterChain below this one by adding a SecurityFilterChain marked with @Order(501). To keep the same order you would have to change many numbers if the annotations were @Order(1), @Order(2), @Order(3), @Order(4), @Order(5)... Using three digits will save you some time.
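The answer shows securityMatcher() and permitAll, but not the two pieces the question also asks about: the string access() expression and where oauth2ResourceServer().jwt() goes. The following is an added example (not the question's code and not the answer's repository) that completes the migration of the question's chain: the SpEL string becomes a typed AuthorizationManager bean carrying the question's clientId check, antMatcher() becomes securityMatcher(), and the resource-server configuration moves into the lambda DSL. It assumes the health endpoint should be permitAll inside the chain rather than ignored, and keeps the question's property name.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Replaces access("@webSecurityAccess.hasAccess(authentication)"): the SpEL string
    // becomes a typed AuthorizationManager; the check itself is the one from the question.
    @Bean
    AuthorizationManager<RequestAuthorizationContext> clientIdAuthorizationManager(
            @Value("${om.test.app.client-id}") String expectedClientId) {
        return (authentication, context) -> {
            Authentication auth = authentication.get();
            boolean granted = auth != null
                    && auth.isAuthenticated()
                    && auth.getPrincipal() instanceof Jwt jwt
                    && expectedClientId.equals(jwt.getClaims().get("clientId"));
            // denied callers get 401 (missing/invalid token) or 403 (wrong clientId claim)
            return new AuthorizationDecision(granted);
        };
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
            AuthorizationManager<RequestAuthorizationContext> clientIdAuthorizationManager) throws Exception {
        http
            .csrf(AbstractHttpConfigurer::disable)   // stateless bearer-token API, as in the question
            .securityMatcher("/**")                  // was antMatcher("/**")
            .authorizeHttpRequests(auth -> auth      // was authorizeRequests()
                // permitAll inside the chain instead of web.ignoring(): the filter chain still
                // runs (security headers etc.) but no token is required for the health endpoint
                .requestMatchers("/actuator/health/**").permitAll()
                .anyRequest().access(clientIdAuthorizationManager))
            // the old .and().oauth2ResourceServer().jwt() becomes a nested Customizer
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

If you prefer to keep the SpEL string, `.access(new WebExpressionAuthorizationManager("@webSecurityAccess.hasAccess(authentication)"))` is the literal replacement for the old access(String). The health pattern is written prefix-first because Spring Security 6 in a Boot 3 web app builds MvcRequestMatchers for string patterns, and their PathPattern syntax only permits `**` as the final element, which is why the answer found "/**/actuator/health" does not match.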
> are there any good tutorials
no but there are docs – Toerktumlare Commented Apr 1 at 11:08
requestMatchers methods"). – Mark Rotteveel Commented Apr 1 at 11:12