Tags: spring-boot, spring-security, spring-boot-3

Spring security migration to spring security 6


I'm getting really confused about the new Spring Security matchers. My current code (SecurityConfiguration extends WebSecurityConfigurerAdapter):

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.csrf().disable()
        .antMatcher("/some/endpoint")
        .addFilterBefore(new CustomFilter(), BasicAuthenticationFilter.class)
        .authorizeRequests()
            .anyRequest().permitAll()
            .and()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

What would be the equivalent with SecurityConfiguration? I got this far, but it seems not to work as expected:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
    return http.csrf(AbstractHttpConfigurer::disable)
               .authorizeHttpRequests(authz ->
                    authz.requestMatchers("/some/endpoint").permitAll()
                    .anyRequest().authenticated()
               )
               .addFilterBefore(new CustomFilter(), BasicAuthenticationFilter.class)
               .sessionManagement(sessionManagementConfigurer -> sessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
               .build();
}

I see now most of my calls to open URLs like /actuator/health are blocked.

I also read in the migration guide:

In Spring Security 5.8 and earlier, requests with no authorization rule are permitted by default.

What is the best approach?


Solution

  • I needed to switch to make it work:

    authz.requestMatchers("/some/endpoint").permitAll()
         .anyRequest().authenticated()
    

    to

    authz.requestMatchers("/some/endpoint").authenticated()
         .anyRequest().permitAll()
    

    A cleaner way (as suggested by @KenS) is to create two security beans:

    @Order(0)
    @Bean
    public SecurityFilterChain secureEndpoint(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity.csrf(AbstractHttpConfigurer::disable)
                .securityMatcher("/secure-endpoints/**")
                .authorizeHttpRequests(authorize -> authorize
                        .anyRequest()
                        .authenticated()
                )
                .addFilterBefore(new CustomFilter(), BasicAuthenticationFilter.class)
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .build();
    }
    
    @Order(1)
    @Bean
    public SecurityFilterChain openEndpoints(HttpSecurity http) throws Exception {
        return http.csrf(AbstractHttpConfigurer::disable).securityMatcher("/open-endpoints/**")
                .authorizeHttpRequests(authorize -> authorize.anyRequest().permitAll()
                )
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .build();
    }
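The configuration below is an added example, not code from the question or the answer above. It builds on the two-chain layout the answer sketches and adds the one piece a reviewer would ask for: a catch-all chain. The reason the asker's first Spring Security 6 attempt locked out /actuator/health is that the old `antMatcher("/some/endpoint")` scoped the entire chain to one URL, while the new chain had no `securityMatcher` and therefore applied `anyRequest().authenticated()` to every URL in the application. Scoping each chain with `securityMatcher` fixes that, but it introduces a second gap: once any `SecurityFilterChain` bean is defined, Spring Boot's auto-configured default chain backs off, and a request that matches none of your chains is dispatched by `FilterChainProxy` with no security filters at all. The `@Order(2)` chain closes that gap with deny-by-default. `CustomFilter` is the asker's filter, assumed to exist in the project; the paths `/secure-endpoints/**`, `/open-endpoints/**` and `/actuator/health` are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    // Chain 1: securityMatcher is the Spring Security 6 replacement for the old
    // chain-wide antMatcher. Only /secure-endpoints/** reaches this chain, so the
    // custom filter and the "must be authenticated" rule apply only there.
    @Bean
    @Order(0)
    public SecurityFilterChain secureEndpoints(HttpSecurity http) throws Exception {
        return http
                .securityMatcher("/secure-endpoints/**")
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
                .addFilterBefore(new CustomFilter(), BasicAuthenticationFilter.class) // CustomFilter: asker's class, assumed to exist
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .build();
    }

    // Chain 2: the public surface, enumerated explicitly. The liveness probe is
    // opened by exact path; the rest of /actuator/** is deliberately not listed,
    // so it falls through to the catch-all chain below instead of being exposed.
    @Bean
    @Order(1)
    public SecurityFilterChain openEndpoints(HttpSecurity http) throws Exception {
        return http
                .securityMatcher("/open-endpoints/**", "/actuator/health")
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(authorize -> authorize.anyRequest().permitAll())
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .build();
    }

    // Chain 3: catch-all with no securityMatcher, so it matches everything the two
    // chains above did not claim. Without it, such requests would get NO security
    // filters (Boot's default chain backs off once a SecurityFilterChain bean exists).
    // denyAll is the safe fallback; switch to authenticated() if unlisted URLs should
    // be reachable by logged-in users.
    @Bean
    @Order(2)
    public SecurityFilterChain everythingElse(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(authorize -> authorize.anyRequest().denyAll())
                .build();
    }
}
```

Order matters: `FilterChainProxy` uses the first chain whose `securityMatcher` accepts the request, so the catch-all must carry the highest `@Order` value. A quick check that the layout behaves as intended is to request an unlisted path such as `/actuator/env` and confirm it is rejected rather than served; with the answer's original two chains alone it would be served with no security filters applied.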