diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/index.adoc index f64ea177248..fa8d861b0bd 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/index.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/index.adoc @@ -20,6 +20,8 @@ include::integrations/index.adoc[leveloffset=+1] include::java-configuration/index.adoc[leveloffset=+1] +include::kotlin-configuration/index.adoc[leveloffset=+1] + include::namespace/index.adoc[leveloffset=+1] include::test/index.adoc[leveloffset=+1] diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/kotlin-configuration/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/kotlin-configuration/index.adoc new file mode 100644 index 00000000000..ad02b592fec --- /dev/null +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/kotlin-configuration/index.adoc 
@@ -0,0 +1,99 @@ + +[[kotlin-config]] += Kotlin Configuration +Spring Security Kotlin Configuration support has been available since Spring Security 5.3. +It enables users to easily configure Spring Security using a native Kotlin DSL. + +NOTE: Spring Security provides https://github.com/spring-projects/spring-security/tree/master/samples/boot/kotlin[a sample applications] which demonstrates the use of Spring Security Kotlin Configuration. + +[[kotlin-config-httpsecurity]] +== HttpSecurity + +How does Spring Security know that we want to require all users to be authenticated? +How does Spring Security know we want to support form based authentication? +There is a configuration class that is being invoked behind the scenes called `WebSecurityConfigurerAdapter`. +It has a method called `configure` with the following default implementation: + +[source,kotlin] +---- +fun configure(http: HttpSecurity) { + http { + authorizeRequests { + authorize(anyRequest, authenticated) + } + formLogin { } + httpBasic { } + } +} +---- + +The default configuration above: + +* Ensures that any request to our application requires the user to be authenticated +* Allows users to authenticate with form based login +* Allows users to authenticate with HTTP Basic authentication + +You will notice that this configuration is quite similar the XML Namespace configuration: + +[source,xml] +---- + + + + + +---- + +== Multiple HttpSecurity + +We can configure multiple HttpSecurity instances just as we can have multiple `` blocks. +The key is to extend the `WebSecurityConfigurerAdapter` multiple times. +For example, the following is an example of having a different configuration for URL's that start with `/api/`. 
+ +[source,kotlin] +---- +@EnableWebSecurity +class MultiHttpSecurityConfig { + @Bean <1> + public fun userDetailsService(): UserDetailsService { + val users: User.UserBuilder = User.withDefaultPasswordEncoder() + val manager = InMemoryUserDetailsManager() + manager.createUser(users.username("user").password("password").roles("USER").build()) + manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build()) + return manager + } + + @Configuration + @Order(1) <2> + class ApiWebSecurityConfigurationAdapter: WebSecurityConfigurerAdapter() { + override fun configure(http: HttpSecurity) { + http { + securityMatcher("/api/**") <3> + authorizeRequests { + authorize(anyRequest, hasRole("ADMIN")) + } + httpBasic { } + } + } + } + + @Configuration <4> + class FormLoginWebSecurityConfigurerAdapter: WebSecurityConfigurerAdapter() { + override fun configure(http: HttpSecurity) { + http { + authorizeRequests { + authorize(anyRequest, authenticated) + } + formLogin { } + } + } + } +} +---- + +<1> Configure Authentication as normal +<2> Create an instance of `WebSecurityConfigurerAdapter` that contains `@Order` to specify which `WebSecurityConfigurerAdapter` should be considered first. +<3> The `http.antMatcher` states that this `HttpSecurity` will only be applicable to URLs that start with `/api/` +<4> Create another instance of `WebSecurityConfigurerAdapter`. +If the URL does not start with `/api/` this configuration will be used. +This configuration is considered after `ApiWebSecurityConfigurationAdapter` since it has an `@Order` value after `1` (no `@Order` defaults to last).
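Review bot: Callout <3> in the Multiple HttpSecurity example refers to `http.antMatcher`, but the Kotlin DSL block it annotates calls `securityMatcher("/api/**")`, so the explanation should read `securityMatcher` (a reader cannot map `antMatcher` to anything in the code shown). Two further points in the same new file: callout <1> says "Configure Authentication as normal" while the code uses `User.withDefaultPasswordEncoder()`, which is only suitable for demos and getting-started samples; the callout should say so, otherwise the example reads as a production-ready pattern. The `public` modifier on `public fun userDetailsService()` is redundant in Kotlin and should be dropped. Typos: "a sample applications" should be "a sample application", "quite similar the XML Namespace configuration" is missing "to", and "URL's" should be "URLs".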