Class ComponentBasedSecurityConfigurationFix
java.lang.Object
info.ejava.examples.svc.authz.authorities.security.ComponentBasedSecurityConfigurationFix
-
Nested Class Summary
Nested Classes
Modifier and Type | Class | Description
protected static class
-
Constructor Summary
Constructors -
Method Summary
Modifier and Type
Method
Description

org.springframework.security.authentication.AuthenticationManager
authenticationManager(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.core.userdetails.UserDetailsService jdbcUserDetailsService)

org.springframework.security.web.SecurityFilterChain
authzSecurityFilters(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc, org.springframework.security.access.hierarchicalroles.RoleHierarchy roleHierarchy)

org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer
authzStaticResources(org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc)

org.springframework.security.web.SecurityFilterChain
h2SecurityFilters(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc, org.springframework.security.authentication.AuthenticationManager authenticationManager)

org.springframework.security.core.userdetails.UserDetailsService
jdbcUserDetailsService(DataSource userDataSource)

(package private) static org.springframework.security.access.expression.method.MethodSecurityExpressionHandler
methodSecurityExpressionHandler(org.springframework.security.access.hierarchicalroles.RoleHierarchy roleHierarchy, org.springframework.context.ApplicationContext context)
Creates a custom MethodSecurityExpressionHandler that will be picked up by Expression-based security to support RoleInheritance.

(package private) org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder
mvc(org.springframework.web.servlet.handler.HandlerMappingIntrospector introspector)
https://github.com/jzheaux/cve-2023-34035-mitigations
An explicit MvcRequestMatcher.Builder is necessary when mixing SpringMvc with non-SpringMvc Servlets.

(package private) static org.springframework.security.access.hierarchicalroles.RoleHierarchy
nullHierarchy()
Creates a default RoleHierarchy when the examples want straight roles.

org.springframework.security.crypto.password.PasswordEncoder
passwordEncoder()

(package private) static org.springframework.security.access.hierarchicalroles.RoleHierarchy
roleHierarchy()
-
Constructor Details
-
ComponentBasedSecurityConfigurationFix
public ComponentBasedSecurityConfigurationFix()
-
-
Method Details
-
mvc
@Bean org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc(org.springframework.web.servlet.handler.HandlerMappingIntrospector introspector)
https://github.com/jzheaux/cve-2023-34035-mitigations
An explicit MvcRequestMatcher.Builder is necessary when mixing SpringMvc with non-SpringMvc Servlets. Enabling the H2 console puts us in that position. Disabling it (spring.h2.console.enabled=false) or being explicit as to which URIs apply to SpringMvc avoids the problem.
Parameters: introspector
Returns:
-
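The following is an added example, not code from the ejava project: it sketches how an explicit MvcRequestMatcher.Builder bean like the one described for mvc can be used so that Spring MVC URIs and the separate H2 console servlet are each matched unambiguously. The class name, the /api paths, the ADMIN role and the default /h2-console path are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

// Hypothetical configuration class; paths and roles are illustrative only.
@Configuration
public class ExplicitMatcherSecurityConfig {

    // Patterns built from this builder are evaluated the way Spring MVC routes requests.
    @Bean
    MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
        return new MvcRequestMatcher.Builder(introspector);
    }

    @Bean @Order(0)
    SecurityFilterChain apiFilters(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
        http.securityMatcher(mvc.pattern("/api/**"));
        http.authorizeHttpRequests(cfg -> cfg
            // With more than one servlet registered, the String form
            // requestMatchers("/api/admin/**") is ambiguous; state the matcher type instead.
            .requestMatchers(mvc.pattern("/api/admin/**")).hasRole("ADMIN")
            .anyRequest().authenticated());
        http.httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean @Order(500)
    SecurityFilterChain h2Filters(HttpSecurity http) throws Exception {
        // The H2 console is a non-Spring-MVC servlet, so it gets an Ant-style matcher.
        RequestMatcher h2 = AntPathRequestMatcher.antMatcher("/h2-console/**");
        http.securityMatcher(h2);
        http.authorizeHttpRequests(cfg -> cfg.anyRequest().hasRole("ADMIN"));
        http.csrf(csrf -> csrf.ignoringRequestMatchers(h2));
        http.headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        http.httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```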
authzStaticResources
@Bean public org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer authzStaticResources(org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc)
-
authzSecurityFilters
@Bean @Order(0) public org.springframework.security.web.SecurityFilterChain authzSecurityFilters(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc, org.springframework.security.access.hierarchicalroles.RoleHierarchy roleHierarchy) throws Exception
Throws: Exception
-
authenticationManager
@Bean public org.springframework.security.authentication.AuthenticationManager authenticationManager(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.core.userdetails.UserDetailsService jdbcUserDetailsService) throws Exception
Throws: Exception
-
h2SecurityFilters
@Bean @Order(500) public org.springframework.security.web.SecurityFilterChain h2SecurityFilters(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc, org.springframework.security.authentication.AuthenticationManager authenticationManager) throws Exception
Throws: Exception
-
passwordEncoder
@Bean public org.springframework.security.crypto.password.PasswordEncoder passwordEncoder()
-
jdbcUserDetailsService
@Bean public org.springframework.security.core.userdetails.UserDetailsService jdbcUserDetailsService(DataSource userDataSource)
-
roleHierarchy
@Bean @Profile("roleInheritance") static org.springframework.security.access.hierarchicalroles.RoleHierarchy roleHierarchy()
-
nullHierarchy
@Bean @Profile("!roleInheritance") static org.springframework.security.access.hierarchicalroles.RoleHierarchy nullHierarchy()
Creates a default RoleHierarchy when the examples want straight roles.
-
methodSecurityExpressionHandler
@Bean static org.springframework.security.access.expression.method.MethodSecurityExpressionHandler methodSecurityExpressionHandler(org.springframework.security.access.hierarchicalroles.RoleHierarchy roleHierarchy, org.springframework.context.ApplicationContext context)
Creates a custom MethodSecurityExpressionHandler that will be picked up by Expression-based security to support RoleInheritance. This is required until the following is resolved.
-