|
53 | 53 | import org.springframework.security.config.annotation.web.configurers.CorsConfigurer;
|
54 | 54 | import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
|
55 | 55 | import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
|
56 |
| -import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; |
57 | 56 | import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
|
58 | 57 | import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
|
59 | 58 | import org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer;
|
@@ -613,125 +612,6 @@ public HttpSecurity rememberMe(Customizer<RememberMeConfigurer<HttpSecurity>> re
|
613 | 612 | return HttpSecurity.this;
|
614 | 613 | }
|
615 | 614 |
|
616 |
| - /** |
617 |
| - * Allows restricting access based upon the {@link HttpServletRequest} using |
618 |
| - * {@link RequestMatcher} implementations (i.e. via URL patterns). |
619 |
| - * |
620 |
| - * <h2>Example Configurations</h2> |
621 |
| - * |
622 |
| - * The most basic example is to configure all URLs to require the role "ROLE_USER". |
623 |
| - * The configuration below requires authentication to every URL and will grant access |
624 |
| - * to both the user "admin" and "user". |
625 |
| - * |
626 |
| - * <pre> |
627 |
| - * @Configuration |
628 |
| - * @EnableWebSecurity |
629 |
| - * public class AuthorizeUrlsSecurityConfig { |
630 |
| - * |
631 |
| - * @Bean |
632 |
| - * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { |
633 |
| - * http |
634 |
| - * .authorizeRequests((authorizeRequests) -> |
635 |
| - * authorizeRequests |
636 |
| - * .requestMatchers("/**").hasRole("USER") |
637 |
| - * ) |
638 |
| - * .formLogin(withDefaults()); |
639 |
| - * return http.build(); |
640 |
| - * } |
641 |
| - * |
642 |
| - * @Bean |
643 |
| - * public UserDetailsService userDetailsService() { |
644 |
| - * UserDetails user = User.withDefaultPasswordEncoder() |
645 |
| - * .username("user") |
646 |
| - * .password("password") |
647 |
| - * .roles("USER") |
648 |
| - * .build(); |
649 |
| - * UserDetails admin = User.withDefaultPasswordEncoder() |
650 |
| - * .username("admin") |
651 |
| - * .password("password") |
652 |
| - * .roles("ADMIN", "USER") |
653 |
| - * .build(); |
654 |
| - * return new InMemoryUserDetailsManager(user, admin); |
655 |
| - * } |
656 |
| - * } |
657 |
| - * </pre> |
658 |
| - * |
659 |
| - * We can also configure multiple URLs. The configuration below requires |
660 |
| - * authentication to every URL and will grant access to URLs starting with /admin/ to |
661 |
| - * only the "admin" user. All other URLs either user can access. |
662 |
| - * |
663 |
| - * <pre> |
664 |
| - * @Configuration |
665 |
| - * @EnableWebSecurity |
666 |
| - * public class AuthorizeUrlsSecurityConfig { |
667 |
| - * |
668 |
| - * @Bean |
669 |
| - * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { |
670 |
| - * http |
671 |
| - * .authorizeRequests((authorizeRequests) -> |
672 |
| - * authorizeRequests |
673 |
| - * .requestMatchers("/admin/**").hasRole("ADMIN") |
674 |
| - * .requestMatchers("/**").hasRole("USER") |
675 |
| - * ) |
676 |
| - * .formLogin(withDefaults()); |
677 |
| - * return http.build(); |
678 |
| - * } |
679 |
| - * |
680 |
| - * @Bean |
681 |
| - * public UserDetailsService userDetailsService() { |
682 |
| - * UserDetails user = User.withDefaultPasswordEncoder() |
683 |
| - * .username("user") |
684 |
| - * .password("password") |
685 |
| - * .roles("USER") |
686 |
| - * .build(); |
687 |
| - * UserDetails admin = User.withDefaultPasswordEncoder() |
688 |
| - * .username("admin") |
689 |
| - * .password("password") |
690 |
| - * .roles("ADMIN", "USER") |
691 |
| - * .build(); |
692 |
| - * return new InMemoryUserDetailsManager(user, admin); |
693 |
| - * } |
694 |
| - * } |
695 |
| - * </pre> |
696 |
| - * |
697 |
| - * Note that the matchers are considered in order. Therefore, the following is invalid |
698 |
| - * because the first matcher matches every request and will never get to the second |
699 |
| - * mapping: |
700 |
| - * |
701 |
| - * <pre> |
702 |
| - * @Configuration |
703 |
| - * @EnableWebSecurity |
704 |
| - * public class AuthorizeUrlsSecurityConfig { |
705 |
| - * |
706 |
| - * @Bean |
707 |
| - * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { |
708 |
| - * http |
709 |
| - * .authorizeRequests((authorizeRequests) -> |
710 |
| - * authorizeRequests |
711 |
| - * .requestMatchers("/**").hasRole("USER") |
712 |
| - * .requestMatchers("/admin/**").hasRole("ADMIN") |
713 |
| - * ); |
714 |
| - * return http.build(); |
715 |
| - * } |
716 |
| - * } |
717 |
| - * </pre> |
718 |
| - * @param authorizeRequestsCustomizer the {@link Customizer} to provide more options |
719 |
| - * for the {@link ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry} |
720 |
| - * @return the {@link HttpSecurity} for further customizations |
721 |
| - * @throws Exception |
722 |
| - * @deprecated For removal in 7.0. Use {@link #authorizeHttpRequests(Customizer)} |
723 |
| - * instead |
724 |
| - */ |
725 |
| - @Deprecated(since = "6.1", forRemoval = true) |
726 |
| - public HttpSecurity authorizeRequests( |
727 |
| - Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer) |
728 |
| - throws Exception { |
729 |
| - ApplicationContext context = getContext(); |
730 |
| - authorizeRequestsCustomizer |
731 |
| - .customize(getOrApply(new ExpressionUrlAuthorizationConfigurer<>(context)).getRegistry()); |
732 |
| - return HttpSecurity.this; |
733 |
| - } |
734 |
| - |
735 | 615 | /**
|
736 | 616 | * Allows restricting access based upon the {@link HttpServletRequest} using
|
737 | 617 | * {@link RequestMatcher} implementations (i.e. via URL patterns).
|
@@ -1936,12 +1816,6 @@ protected void beforeConfigure() throws Exception {
|
1936 | 1816 | @SuppressWarnings("unchecked")
|
1937 | 1817 | @Override
|
1938 | 1818 | protected DefaultSecurityFilterChain performBuild() {
|
1939 |
| - ExpressionUrlAuthorizationConfigurer<?> expressionConfigurer = getConfigurer( |
1940 |
| - ExpressionUrlAuthorizationConfigurer.class); |
1941 |
| - AuthorizeHttpRequestsConfigurer<?> httpConfigurer = getConfigurer(AuthorizeHttpRequestsConfigurer.class); |
1942 |
| - boolean oneConfigurerPresent = expressionConfigurer == null ^ httpConfigurer == null; |
1943 |
| - Assert.state((expressionConfigurer == null && httpConfigurer == null) || oneConfigurerPresent, |
1944 |
| - "authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one."); |
1945 | 1819 | this.filters.sort(OrderComparator.INSTANCE);
|
1946 | 1820 | List<Filter> sortedFilters = new ArrayList<>(this.filters.size());
|
1947 | 1821 | for (Filter filter : this.filters) {
|
|