What is the difference between those two? When do I use one over the other?
In the Spring Security Documentation it says that, among other things, WebMvcConfigurer has the following feature:
Require authentication to every URL in your application
The WebSecurityConfigurerAdapter example shown in HttpSecurity says:
Ensures that any request to our application requires the user to be authenticated.
Isn't that the same?
EDIT
These two types of configs seem to serve different purposes; I just don't quite understand yet when to use which. What are the two distinct scenarios for each of the config types?
In the introduction to the HttpSecurity section, it says:
How does Spring Security know that we want to require all users to be authenticated? How does Spring Security know we want to support form based authentication?
So right now I am thinking: the first one says what should happen when authenticating a user, and the second says in what cases users need to be authenticated. Is that correct?
E.g., the first config will "Generate a login form for you" and the second determines when that login form should be shown?
You need to declare SecurityFilterChain and WebSecurityCustomizer beans instead of overriding methods of WebSecurityConfigurerAdapter class.
It allows configuring things that impact all of web security. WebSecurityConfigurerAdapter is a convenience class that allows customization to both WebSecurity and HttpSecurity. We can extend WebSecurityConfigurerAdapter multiple times (in distinct objects) to replicate the behavior of having multiple http elements.
configure. Deprecated. Used by the default implementation of authenticationManager() to attempt to obtain an AuthenticationManager. If overridden, the AuthenticationManagerBuilder should be used to specify the AuthenticationManager.
configureDefaultServletHandling. Configure a handler to delegate unhandled requests by forwarding to the Servlet container's "default" servlet. A common use case for this is when the DispatcherServlet is mapped to "/" thus overriding the Servlet container's default handling of static resources.
This does appear to be a documentation bug (https://github.com/spring-projects/spring-security/issues/6809):
This raises confusion about the role of WebMvcConfigurer in Spring Security and the use cases for WebMvcConfigurer vs WebSecurityConfigurerAdapter.
Most likely the intention in the example was:
@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
instead of
@EnableWebSecurity public class WebSecurityConfig implements WebMvcConfigurer {
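The split between the two configuration types discussed above, written in the bean-based style that replaces overriding WebSecurityConfigurerAdapter methods. This is an added example, not code from the posts or from the Spring documentation; it assumes Spring Security 5.7 or later, and the MvcConfig class name and the "/home" view mapping are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Security concerns: who must authenticate, and how.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    // HttpSecurity rules for one filter chain: every request requires an
    // authenticated user, and form-based login is offered to obtain one.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // WebSecurity settings that apply across all filter chains.
    // Filter-chain debug logging is kept off here because it prints
    // request details that do not belong in production logs.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return web -> web.debug(false);
    }
}

// MVC concerns only: view mappings, resource handlers, default servlet
// handling. Nothing in this class authenticates or authorizes a request.
@Configuration
class MvcConfig implements WebMvcConfigurer {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // Hypothetical mapping; the "/home" URL is still protected by filterChain().
        registry.addViewController("/home").setViewName("home");
    }
}
```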