I'm playing around with Spring Security configuration and find out, that the most common way to configure in-memory authentication is using configureGlobal()
method:
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception{
auth
.inMemoryAuthentication()
.withUser("user").password("userPwd").roles("USER");
}
}
But there is another way, which is less widely used, overriding configure()
method from WebSecurityConfigurerAdapter
:
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication(
.withUser("user").password("userPwd").roles("USER");
}
}
I'm just wondering, what's the difference between them and what's the point of usage configureGlobal()
method over configure()
one?
This article is an introduction to Java configuration for Spring Security which enables users to easily configure Spring Security without the use of XML. Java configuration was added to the Spring framework in Spring 3.1 and extended to Spring Security in Spring 3.2 and is defined in a class annotated @Configuration.
anyRequest(). authenticated() is that any request must be authenticated otherwise my Spring app will return a 401 response.13-Apr-2018.
authorizeRequests() method each matcher is considered in the order they were declared. We specified multiple URL patterns that any user can access. Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".
AbstractSecurityWebApplicationInitializer. Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class. For example, a user might create a ContextLoaderListener using a subclass of AbstractContextLoaderInitializer .
This answer helped me.
Difference between registerGlobal(), configure(), configureGlobal(),configureGlobalSecurity in Spring security
If you already extend class like WebMvcConfiguratorAdapter
, you have two choices for security settings.
Using configureGlobal()
method:
@Configuration
class approach.WebMvcConfigurerAdapter
+ @EnableWebSecurity
Overriding configure()
method:
@Configuration
class.WebSecurityConfiguratorAdapter
for security setup.MySecurityConfig
extends WebSecurityConfigurerAdapter
As the spring security doc says:
The name of the
configureGlobal
method is not important. However, it is important to only configureAuthenticationManagerBuilder
in a class annotated with either@EnableWebSecurity
,@EnableGlobalMethodSecurity
, or@EnableGlobalAuthentication
. Doing otherwise has unpredictable results.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With