flemadap
Reputation: 689

Spring Security Configuration Kotlin DSL

So, I have this Java code inside my configurer adapter:

http.cors().and().csrf().disable()
    .authorizeRequests().antMatchers(HttpMethod.POST, Constants.CREATE_USER_URL).permitAll()
    .and().authorizeRequests().antMatchers(HttpMethod.GET, "/v2/api-docs", "/swagger-resources/**", "/swagger-ui/**", "/swagger-ui.html**", "/webjars/**", "favicon.ico").permitAll().anyRequest().authenticated()
    .and().addFilter(new JwtAuthenticationFilter(authenticationManager())).addFilter(new BasicJwtAuthenticationFilter(authenticationManager()))
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

And I tried using the new Kotlin DSL:

http {
  cors { disable() }
  csrf { disable() }
  authorizeRequests {
    authorize(AntPathRequestMatcher(createUserUrl, HttpMethod.POST.name), permitAll)
    authorize(AntPathRequestMatcher("favicon.ico", HttpMethod.GET.name), permitAll)
    authorize(AntPathRequestMatcher("/v2/api-docs", HttpMethod.GET.name), permitAll)
    authorize(AntPathRequestMatcher("/swagger-resources/**", HttpMethod.GET.name), permitAll)
    authorize(AntPathRequestMatcher("/swagger-ui/**", HttpMethod.GET.name), permitAll)
    authorize(AntPathRequestMatcher("/webjars/**", HttpMethod.GET.name), permitAll)
    authorize(anyRequest, authenticated)
  }
  addFilterAt(JwtAuthenticationFilter(authenticationManager()), AuthenticationFilter::class.java)
  addFilterAt(BasicJwtAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter::class.java)
  sessionManagement { SessionCreationPolicy.STATELESS }
}

Does this Kotlin DSL have the same functionality as the Java code? Is there no addFilter for the Kotlin DSL?

Could I reduce the redundant authorize calls (in the Java code, it used antMatchers, which accepts multiple patterns) that have similar code (permitAll HTTP GET)?

Upvotes: 5

Views: 2662

Answers (1)

Your Kotlin configuration is not equivalent to the Java configuration that you shared.

First, the CORS configuration

http
    .cors()
    .and()
    // ...

Below is the equivalent Kotlin configuration, since you are enabling CORS rather than disabling it.

http {
    cors { }
}

Second, the session management configuration

http
    // ...
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

Below is the equivalent Kotlin configuration, where you want to assign the SessionCreationPolicy.

http {
    sessionManagement {
        sessionCreationPolicy = SessionCreationPolicy.STATELESS
    }
}

Regarding the addFilter method, in the Javadoc it states

Adds Filter that must be an instance of or extend one of the Filters provided within the Security framework.

If your custom filter BasicJwtAuthenticationFilter is an instance of BasicAuthenticationFilter, then the Kotlin configuration is correct.

Adding all of this together, you get the following Kotlin configuration

http {
    cors { }
    csrf { disable() }
    authorizeRequests {
        authorize(AntPathRequestMatcher(createUserUrl, HttpMethod.POST.name), permitAll)
        authorize(AntPathRequestMatcher("favicon.ico", HttpMethod.GET.name), permitAll)
        authorize(AntPathRequestMatcher("/v2/api-docs", HttpMethod.GET.name), permitAll)
        authorize(AntPathRequestMatcher("/swagger-resources/**", HttpMethod.GET.name), permitAll)
        authorize(AntPathRequestMatcher("/swagger-ui/**", HttpMethod.GET.name), permitAll)
        authorize(AntPathRequestMatcher("/webjars/**", HttpMethod.GET.name), permitAll)
        authorize(anyRequest, authenticated)
    }
    addFilterAt(JwtAuthenticationFilter(authenticationManager()), AuthenticationFilter::class.java)
    addFilterAt(BasicJwtAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter::class.java)
    sessionManagement {
        sessionCreationPolicy = SessionCreationPolicy.STATELESS
    }
}

Upvotes: 7
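
The question's last point, collapsing the repeated permitAll GET rules into one, can be handled by combining the patterns into a single matcher. The following is an added example, not code from the original post or from Spring Security itself; `SecurityConfig`, `anyOf`, `PUBLIC_GET_PATTERNS` and the value of `CREATE_USER_URL` are assumptions, and the asker's custom filters are left out because their classes are not shown on the page.

```kotlin
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.web.util.matcher.AntPathRequestMatcher
import org.springframework.security.web.util.matcher.OrRequestMatcher
import org.springframework.security.web.util.matcher.RequestMatcher

// Placeholder: the page does not show the value of Constants.CREATE_USER_URL.
private const val CREATE_USER_URL = "/users"

// Public GET endpoints taken from the question's Java configuration.
// Assumption: "favicon.ico" is written with a leading slash here, because
// Ant patterns are compared with a request path that starts with "/".
private val PUBLIC_GET_PATTERNS = listOf(
    "/v2/api-docs", "/swagger-resources/**", "/swagger-ui/**",
    "/swagger-ui.html**", "/webjars/**", "/favicon.ico"
)

// Hypothetical helper: one matcher that accepts any of the patterns for one HTTP method.
fun anyOf(method: HttpMethod, patterns: List<String>): RequestMatcher {
    val matchers: List<RequestMatcher> = patterns.map { AntPathRequestMatcher(it, method.name) }
    return OrRequestMatcher(matchers)
}

@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {
        http {
            cors { }
            csrf { disable() }
            authorizeRequests {
                authorize(AntPathRequestMatcher(CREATE_USER_URL, HttpMethod.POST.name), permitAll)
                // A single rule now covers every public GET pattern.
                authorize(anyOf(HttpMethod.GET, PUBLIC_GET_PATTERNS), permitAll)
                // Keep the catch-all last: rules are evaluated in declaration order.
                authorize(anyRequest, authenticated)
            }
            // The JwtAuthenticationFilter / BasicJwtAuthenticationFilter registrations
            // from the answer would go here; they are omitted in this sketch.
            sessionManagement {
                sessionCreationPolicy = SessionCreationPolicy.STATELESS
            }
        }
    }
}
```

Keeping the public patterns in one list makes the unauthenticated surface easy to review in a single place.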
