HttpSecurity bean has no option to disable defaults #11633
Comments
Hi, @filiphr. Can you share more about the scenario where you need the defaults to be disabled? The

```java
@Bean("emptyHttpSecurity")
@Scope("prototype")
HttpSecurity httpSecurity() throws Exception {
    WebSecurityConfigurerAdapter.LazyPasswordEncoder passwordEncoder = new WebSecurityConfigurerAdapter.LazyPasswordEncoder(
            this.context);
    AuthenticationManagerBuilder authenticationBuilder = new WebSecurityConfigurerAdapter.DefaultPasswordEncoderAuthenticationManagerBuilder(
            this.objectPostProcessor, passwordEncoder);
    authenticationBuilder.parentAuthenticationManager(authenticationManager());
    HttpSecurity http = new HttpSecurity(this.objectPostProcessor, authenticationBuilder, createSharedObjects());
    return http;
}

@Bean
public SecurityFilterChain filterChain(@Qualifier("emptyHttpSecurity") HttpSecurity http) throws Exception {
    ...
}
```
WebSecurityConfigurerAdapter with new SecurityFilterChain bean approach
On our side we are providing a custom extension of the

What you have shared is not possible to be done because

In addition to that, the snippet for creating an empty http security is quite verbose and relies on copying things from the

Finally, if we expose a custom

```java
@Bean
public SecurityFilterChain anotherSecurityFilterChain(@Qualifier("org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.httpSecurity") HttpSecurity http) {
    ...
}
```
I think what you suggested is valid. If we move the

I'll page @rwinch in order to know his input about this, I'm not so sure though if it is a bug.
Thanks @marcusdacoregio.
I was not sure which category to use when creating the issue and picked the bug template. Right now, it isn't necessarily a bug since we can still use the
I have similar needs. I'm creating an internal lib that changes the defaults of

@filiphr's suggestion looks good as long as

Example of potential changes forced through

My original post on SO: https://stackoverflow.com/questions/73192974/how-to-remove-abstracthttpconfigurer-from-default-httpsecurity?noredirect=1#comment129274078_73192974
How are you doing this right now @mdrg-gh? The

I think that what you are looking for is something else.
Thank you folks for the detailed explanation of your use cases. It is indeed something that we should have. I talked to @rwinch and we are considering this for

You can keep track of the tasks of the team on the projects page.
@marcusdacoregio Thanks for considering this feature, it really is of great benefit to the community. Just want to make a small amendment to my post. The use case I described maybe would still have a place as an enhancement, but following @filiphr's suggestion in my original SO question, I replaced the
Related to #7449
An explicit option to disable defaults is an idea that I'm not convinced of yet. #7449 can achieve this by creating an

```java
@Bean
@Primary
HttpSecurity customHttpSecurity(ApplicationContext context) throws Exception {
    return new HttpSecurity(context);
}
```

or

```java
@Bean
SecurityFilterChain filterChain(ApplicationContext context) throws Exception {
    return new HttpSecurity(context).build();
}
```

The defaults can always be disabled by disabling the Configurers themselves, like

In order to use Spring Security's

```java
@Bean
SecurityFilterChain filterChain(@Qualifier(HttpSecurityConfiguration.HTTPSECURITY_BEAN_NAME) HttpSecurity http) throws Exception {
    return http.build();
}
```
@marcusdacoregio if we compare the suggested approach vs what was possible to do previously, you can see that it is way more complicated to disable the defaults. Yes, it is possible to disable the current defaults, but explicitly doing that. However, what if there is a new feature from Spring Security and a new default is applied? Now people will need to know this and disable it again explicitly. I do believe that having the option to disable the defaults that Spring Security applies, like it was done before, is good to do in order to provide the same functionality that already exists / existed prior to the deprecation of the
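An added example, not code from this thread or from Spring Security: one way to handle the concern above that a later release may apply a default nobody disabled. It disables the pre-applied configurers explicitly on the injected `HttpSecurity` and fails startup if the built chain contains a filter outside an allow-list. The class name, bean name, the choice to keep `headers()`, and the allow-list contents are assumptions; it also assumes Java 9+ for `Set.of`.

```java
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
import org.springframework.security.web.header.HeaderWriterFilter;

@Configuration
class ExplicitDefaultsConfig { // hypothetical class name

    // Assumption: the only filters this chain is meant to keep. Anything else
    // means a default was left enabled or a newer release added one.
    private static final Set<Class<?>> ALLOWED_FILTERS = Set.of(
            WebAsyncManagerIntegrationFilter.class,
            HeaderWriterFilter.class);

    @Bean
    SecurityFilterChain explicitChain(HttpSecurity http) throws Exception {
        // Turn off the configurers that are pre-applied to the injected
        // prototype HttpSecurity bean; headers() is kept on purpose.
        http.csrf(AbstractHttpConfigurer::disable)
            .exceptionHandling(AbstractHttpConfigurer::disable)
            .sessionManagement(AbstractHttpConfigurer::disable)
            .securityContext(AbstractHttpConfigurer::disable)
            .requestCache(AbstractHttpConfigurer::disable)
            .anonymous(AbstractHttpConfigurer::disable)
            .servletApi(AbstractHttpConfigurer::disable)
            .logout(AbstractHttpConfigurer::disable);

        SecurityFilterChain chain = http.build();

        // Fail startup instead of silently running with an unreviewed filter.
        for (Object filter : chain.getFilters()) {
            if (!ALLOWED_FILTERS.contains(filter.getClass())) {
                throw new IllegalStateException(
                        "Unexpected default in filter chain: " + filter.getClass().getName());
            }
        }
        return chain;
    }
}
```

After a Spring Security upgrade, a startup failure from this check names the filter class that needs a review decision: disable its configurer or add it to the allow-list.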
Starting from 5.7 the `WebSecurityConfigurerAdapter` has been deprecated in favour of using a custom bean for creating a `SecurityFilterChain` that will inject an `HttpSecurity` and build it.

The `WebSecurityConfigurerAdapter` has a constructor field `disableDefaults` which was used to determine whether defaults should be applied to the configuration or not.

When that flag was set to `true` then the default configuration and default configurers would not be applied to it. When using the new recommended approach there is no way to disable these defaults.

What would be the recommended approach for disabling the defaults?
Does it perhaps make sense to have an interface like:
Then instead of doing:
we can do:
The approach is only a potential idea. It doesn't have to look like that. However, I do think that it might make sense to expose a functionality that was possible to be used like before.