I have a peculiar case where I need to use the Application Server (Weblogic) security context for authentication, but Spring Security for authorization. I am using Spring Boot to create my application.
How can I add a security constraint like the following (which would normally be contained in web.xml):
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>portal</web-resource-name>
            <description>This is the protected area of the application.</description>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>Requires users to be authenticated but does not require them to be authorized.</description>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>Encryption is not required for this area.</description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
Remember that I need this to be handled from my Weblogic server and not Spring Security.
Specifically, you use the @HttpConstraint and, optionally, the @HttpMethodConstraint annotations within the @ServletSecurity annotation to specify a security constraint. If your web application does not use a servlet, however, you must specify a security-constraint element in the deployment descriptor file.
Not even a web.xml file is required! When required, however, we can take control over parts of the configuration and override the conventions that Spring Boot puts in play. We can also, if we really must, use traditional XML configuration files for some parts of the configuration.
The first thing you need to do is add Spring Security to the classpath. The WebSecurityConfig class is annotated with @EnableWebSecurity to enable Spring Security's web security support and provide the Spring MVC integration.
You can add web.xml inside WEB-INF with your security constraints. This will work along with the Spring Boot Java configuration.
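    // Imports assume Spring Boot 2.x package names.
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.boot.builder.SpringApplicationBuilder;
    import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.web.WebApplicationInitializer;

    @ComponentScan
    @SpringBootApplication
    public class Application extends SpringBootServletInitializer implements WebApplicationInitializer {
        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }

        // Registers the application sources when the WAR is deployed to an external container.
        @Override
        protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) {
            return builder.sources(Application.class);
        }
    }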
web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             metadata-complete="false" version="3.0">
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>portal</web-resource-name>
                <description>This is the protected area of the application.</description>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <description>Requires users to be authenticated but does not require them to be authorized.</description>
                <role-name>*</role-name>
            </auth-constraint>
            <user-data-constraint>
                <description>Encryption is not required for this area.</description>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
    </web-app>
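
For the split described in the question (the container authenticates through the web.xml constraint, Spring Security only authorizes), Spring Security's Java EE pre-authentication support can pick up the principal the container has already established. This is an added example, not code from the question or the answers; it assumes Spring Security 5.x, and the role names ROLE_USER / ROLE_ADMIN and the /admin/** path are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ContainerAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical container role names. Each one is passed unchanged to
    // HttpServletRequest.isUserInRole(); the roles the container confirms
    // become the user's granted authorities in Spring Security.
    private static final String[] CONTAINER_ROLES = {"ROLE_USER", "ROLE_ADMIN"};

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Authentication is left to the application server: Spring Security
            // reads HttpServletRequest.getUserPrincipal() and performs no
            // credential check of its own (no form login, no HTTP Basic).
            .jee()
                .mappableAuthorities(CONTAINER_ROLES)
                .and()
            // Authorization is decided here, per URL, from the mapped authorities.
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")   // hypothetical path
                // Every other URL still needs one of the mapped roles, so a request
                // that reaches the application without a container principal
                // (for example, if the web.xml constraint is missing) is denied.
                .anyRequest().hasAnyRole("USER", "ADMIN");
    }
}
```

Only roles listed in CONTAINER_ROLES are ever queried, so a role the container grants but that is absent from this list is invisible to the authorization rules.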
You should extend WebSecurityConfigurerAdapter as follows:
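    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Requires every request to use a secure (HTTPS) channel.
            http.requiresChannel().anyRequest().requiresSecure();
        }
    }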