I have an XML config for Spring Security that I've put together from tonnes of guides. It is supposed to intercept URLs and, with custom filters, provide authentication with an LDAP authentication manager.
So here it is:
<http create-session="stateless" auto-config='false' use-expressions="true">
    <anonymous enabled="true"/>
    <intercept-url pattern="/index.html" access="permitAll()" method="GET"/>
    <intercept-url pattern="/login" access="permitAll()" method="GET"/>
    <custom-filter before="LAST" ref="statelessLoginFilter"/>
    <custom-filter before="PRE_AUTH_FILTER" ref="statelessAuthFilter"/>
    <intercept-url pattern="/one*" access="hasRole('ROLE_ONE')" method="GET"/>
    <intercept-url pattern="/two*" access="hasRole('ROLE_TWO')" method="GET"/>
    <!-- another intercept-url stuff -->
    <csrf disabled="true"/>
    <!-- authentication manager and stuff -->
</http>
Right now I'm trying to rewrite it with Java Config, but I can't work out how to use custom filters there. There's .addFilterBefore, but I can't just put before="LAST" or before="PRE_AUTH_FILTER" there, because there's no such thing. How can I rewrite this?
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    GenericFilterBean statelessAuthFilter;

    @Autowired
    AbstractAuthenticationProcessingFilter statelessLoginFilter;

    public SecurityConfig() {
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/one**", "/two**").access("hasRole('ONE')")
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .addFilterBefore(statelessAuthFilter, GenericFilterBean.class)
            .addFilterBefore(statelessLoginFilter, BasicAuthenticationFilter.class)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().anonymous()
            .and().csrf().disable();
    }
}
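
An added example, not part of the original post: one way to express the XML above in Java config, assuming a Spring Security version that still provides WebSecurityConfigurerAdapter, as the post's code does. addFilterBefore/addFilterAfter take a filter class that has a slot in Spring Security's built-in filter ordering instead of an XML alias: PRE_AUTH_FILTER corresponds to AbstractPreAuthenticatedProcessingFilter, while LAST has no class, so placing the filter after SwitchUserFilter (the final built-in slot) is used here as the nearest equivalent, which is an assumption about intent.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.web.filter.GenericFilterBean;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    GenericFilterBean statelessAuthFilter;               // bean from the post

    @Autowired
    AbstractAuthenticationProcessingFilter statelessLoginFilter; // bean from the post

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // create-session="stateless", <anonymous enabled="true"/>, <csrf disabled="true"/>
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().anonymous()
            .and().csrf().disable()
            // before="PRE_AUTH_FILTER": the alias stands for this filter class
            .addFilterBefore(statelessAuthFilter, AbstractPreAuthenticatedProcessingFilter.class)
            // before="LAST": no class exists for LAST, so anchor after the last built-in slot.
            // The reference class only needs a slot in the ordering; it need not be in the chain.
            .addFilterAfter(statelessLoginFilter, SwitchUserFilter.class)
            .authorizeRequests()
                // One matcher per intercept-url, GET only, so each path keeps its own role.
                .antMatchers(HttpMethod.GET, "/index.html", "/login").permitAll()
                .antMatchers(HttpMethod.GET, "/one*").access("hasRole('ROLE_ONE')")
                .antMatchers(HttpMethod.GET, "/two*").access("hasRole('ROLE_TWO')")
                // Catch-all taken from the Java attempt in the post; the XML shown has none.
                .anyRequest().authenticated();
    }
}
```

Rules are evaluated in declaration order in both styles, so the specific matchers must stay above the catch-all.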