
Commit f1725b2

committed
Remove authorizeRequests
Closes gh-15174
1 parent 2c87270 commit f1725b2


14 files changed

+4
-3886
lines changed


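--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -53,7 +53,6 @@
 import org.springframework.security.config.annotation.web.configurers.CorsConfigurer;
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer;
@@ -613,125 +612,6 @@ public HttpSecurity rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> re
 return HttpSecurity.this;
 }
 
-/**
-* Allows restricting access based upon the {@link HttpServletRequest} using
-* {@link RequestMatcher} implementations (i.e. via URL patterns).
-*
-* <h2>Example Configurations</h2>
-*
-* The most basic example is to configure all URLs to require the role "ROLE_USER".
-* The configuration below requires authentication to every URL and will grant access
-* to both the user "admin" and "user".
-*
-* <pre>
-* &#064;Configuration
-* &#064;EnableWebSecurity
-* public class AuthorizeUrlsSecurityConfig {
-*
-* &#064;Bean
-* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-* http
-* .authorizeRequests((authorizeRequests) -&gt;
-* authorizeRequests
-* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-* )
-* .formLogin(withDefaults());
-* return http.build();
-* }
-*
-* &#064;Bean
-* public UserDetailsService userDetailsService() {
-* UserDetails user = User.withDefaultPasswordEncoder()
-* .username(&quot;user&quot;)
-* .password(&quot;password&quot;)
-* .roles(&quot;USER&quot;)
-* .build();
-* UserDetails admin = User.withDefaultPasswordEncoder()
-* .username(&quot;admin&quot;)
-* .password(&quot;password&quot;)
-* .roles(&quot;ADMIN&quot;, &quot;USER&quot;)
-* .build();
-* return new InMemoryUserDetailsManager(user, admin);
-* }
-* }
-* </pre>
-*
-* We can also configure multiple URLs. The configuration below requires
-* authentication to every URL and will grant access to URLs starting with /admin/ to
-* only the "admin" user. All other URLs either user can access.
-*
-* <pre>
-* &#064;Configuration
-* &#064;EnableWebSecurity
-* public class AuthorizeUrlsSecurityConfig {
-*
-* &#064;Bean
-* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-* http
-* .authorizeRequests((authorizeRequests) -&gt;
-* authorizeRequests
-* .requestMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
-* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-* )
-* .formLogin(withDefaults());
-* return http.build();
-* }
-*
-* &#064;Bean
-* public UserDetailsService userDetailsService() {
-* UserDetails user = User.withDefaultPasswordEncoder()
-* .username(&quot;user&quot;)
-* .password(&quot;password&quot;)
-* .roles(&quot;USER&quot;)
-* .build();
-* UserDetails admin = User.withDefaultPasswordEncoder()
-* .username(&quot;admin&quot;)
-* .password(&quot;password&quot;)
-* .roles(&quot;ADMIN&quot;, &quot;USER&quot;)
-* .build();
-* return new InMemoryUserDetailsManager(user, admin);
-* }
-* }
-* </pre>
-*
-* Note that the matchers are considered in order. Therefore, the following is invalid
-* because the first matcher matches every request and will never get to the second
-* mapping:
-*
-* <pre>
-* &#064;Configuration
-* &#064;EnableWebSecurity
-* public class AuthorizeUrlsSecurityConfig {
-*
-* &#064;Bean
-* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-* http
-* .authorizeRequests((authorizeRequests) -&gt;
-* authorizeRequests
-* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-* .requestMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
-* );
-* return http.build();
-* }
-* }
-* </pre>
-* @param authorizeRequestsCustomizer the {@link Customizer} to provide more options
-* for the {@link ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry}
-* @return the {@link HttpSecurity} for further customizations
-* @throws Exception
-* @deprecated For removal in 7.0. Use {@link #authorizeHttpRequests(Customizer)}
-* instead
-*/
-@Deprecated(since = "6.1", forRemoval = true)
-public HttpSecurity authorizeRequests(
-Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer)
-throws Exception {
-ApplicationContext context = getContext();
-authorizeRequestsCustomizer
-.customize(getOrApply(new ExpressionUrlAuthorizationConfigurer<>(context)).getRegistry());
-return HttpSecurity.this;
-}
-
 /**
 * Allows restricting access based upon the {@link HttpServletRequest} using
 * {@link RequestMatcher} implementations (i.e. via URL patterns).
@@ -1936,12 +1816,6 @@ protected void beforeConfigure() throws Exception {
 @SuppressWarnings("unchecked")
 @Override
 protected DefaultSecurityFilterChain performBuild() {
-ExpressionUrlAuthorizationConfigurer<?> expressionConfigurer = getConfigurer(
-ExpressionUrlAuthorizationConfigurer.class);
-AuthorizeHttpRequestsConfigurer<?> httpConfigurer = getConfigurer(AuthorizeHttpRequestsConfigurer.class);
-boolean oneConfigurerPresent = expressionConfigurer == null ^ httpConfigurer == null;
-Assert.state((expressionConfigurer == null && httpConfigurer == null) || oneConfigurerPresent,
-"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");
 this.filters.sort(OrderComparator.INSTANCE);
 List<Filter> sortedFilters = new ArrayList<>(this.filters.size());
 for (Filter filter : this.filters) {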

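--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java
@@ -36,8 +36,6 @@
 * @author Rob Winch
 * @since 3.2
 * @see ChannelSecurityConfigurer
-* @see UrlAuthorizationConfigurer
-* @see ExpressionUrlAuthorizationConfigurer
 * @deprecated In modern Spring Security APIs, each API manages its own configuration
 * context. As such there is no direct replacement for this interface. In the case of
 * method security, please see {@link SecurityAnnotationScanner} and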

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java

Lines changed: 0 additions & 196 deletions
This file was deleted.
