URL Authorization
Example
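@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    /**
     * Builds the URL-based authorization rules for the application.
     *
     * <p>Matchers are evaluated in declaration order, so the specific paths must stay ahead of
     * the catch-all {@code anyRequest().authenticated()} rule.
     *
     * @param http the {@link HttpSecurity} builder to configure
     * @param introspector used to build {@link MvcRequestMatcher}s so the patterns follow
     *     Spring MVC path matching rather than plain ant-style matching
     * @return the configured filter chain
     * @throws Exception if {@link HttpSecurity#build()} fails
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
            HandlerMappingIntrospector introspector) throws Exception {
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector);

        // NOTE(review): CSRF protection is disabled for the entire chain, including the
        // form-login POST and any authenticated state-changing endpoint. If browsers are
        // clients, prefer keeping it on and exempting only specific paths with
        // csrf.ignoringRequestMatchers(...).
        http.csrf(AbstractHttpConfigurer::disable);
        // SAMEORIGIN rather than the DENY default: same-origin pages may frame this app.
        http.headers(headers ->
                headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin));
        http.authorizeHttpRequests(auth -> auth
                // hasRole("USER") does not admit ROLE_ADMIN unless a RoleHierarchy is configured.
                .requestMatchers(mvc.pattern("/user")).hasRole("USER")
                .requestMatchers(mvc.pattern("/admin")).hasRole("ADMIN")
                .requestMatchers(mvc.pattern("/nonauth")).permitAll()
                .requestMatchers(mvc.pattern("/login")).permitAll()
                // Anonymous for every HTTP method under /messages/; confirm no write
                // endpoint is mounted there.
                .requestMatchers(mvc.pattern("/messages/**")).permitAll()
                .anyRequest().authenticated());
        http.exceptionHandling(exceptions -> exceptions.accessDeniedPage("/access-denied"));
        http.formLogin(form -> form
                .loginPage("/login")
                .permitAll());
        return http.build();
    }

    /**
     * JDBC-backed user store seeded with two demo accounts.
     *
     * <p>Seeding is idempotent: an account whose username already exists in the database is
     * left untouched, so the application can restart against a persistent {@link DataSource}
     * without {@code createUser} failing on a duplicate username.
     *
     * @param dataSource database holding the default Spring Security users/authorities tables
     * @param passwordEncoder encoder used to hash the seeded passwords before they are stored
     * @return the manager used as the application's {@code UserDetailsService}
     */
    @Bean
    JdbcUserDetailsManager users(DataSource dataSource, PasswordEncoder passwordEncoder) {
        JdbcUserDetailsManager manager = new JdbcUserDetailsManager(dataSource);
        // Demo accounts: the password is the username.
        seedIfAbsent(manager, User.builder()
                .username("user")
                .password(passwordEncoder.encode("user"))
                .roles("USER")
                .build());
        seedIfAbsent(manager, User.builder()
                .username("admin")
                .password(passwordEncoder.encode("admin"))
                .roles("ADMIN")
                .build());
        return manager;
    }

    /** Stores {@code user} only when no account with that username exists yet. */
    private static void seedIfAbsent(JdbcUserDetailsManager manager, UserDetails user) {
        if (!manager.userExists(user.getUsername())) {
            manager.createUser(user);
        }
    }

    /** BCrypt password hashing at the library's default strength. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}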