Spring Security Java configuration

Question

I have working XML-based security configuration in my Spring MVC project:

<security:http use-expressions="true"
               authentication-manager-ref="authenticationManager">
    <security:intercept-url pattern="/" access="permitAll"/>
    <security:intercept-url pattern="/dashboard/home/**" access="hasAnyRole('ROLE_USER, ROLE_ADMIN')"/>
    <security:intercept-url pattern="/dashboard/users/**" access="hasRole('ROLE_ADMIN')"/>
    <security:intercept-url pattern="/rest/users/**" access="hasRole('ROLE_ADMIN')"/>
    <security:form-login login-page="/"/>
</security:http>

And I have question: is it possible to fully replace it by Java configuration? What annotations and where should I use for "use-expressions", "intercept-url", etc.?

Answer 1

Yes, if you are using Spring security 3.2 and above, it will be something like this :

@Configuration
@EnableWebSecurity
public class MyWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/dashboard/home/**").hasAnyRole("USER", "ADMIN")
                .antMatchers("/dashboard/users/**").hasRole("ADMIN")
                .antMatchers("/rest/users/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/")
                .permitAll();
    }

    // Possibly more overridden methods ...
}