Hi Spring Security Team 🙂
Context
How has this issue affected you?
Just a minor inconvenience when updating to 6.2
What are you trying to accomplish?
Configuring Azure Active Directory auth using the new lambda dsl
What other alternatives have you considered? & Are you aware of any workarounds?
Wrapping with try/catch - see below
Expected Behavior
I've updated an app to Security 6.2.x and tried to replace HttpSecurity::apply with HttpSecurity::with. The application uses spring-cloud-azure-starter-active-directory (version 5.11.0) where AadWebApplicationHttpSecurityConfigurer.java provides a custom dsl. Looking at the docs for a custom dsl I don't see any "obvious" problems with this configurer.
So ideally my configuration would look like this:
package example;

import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadWebApplicationHttpSecurityConfigurer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
class SecurityConfiguration {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.with(AadWebApplicationHttpSecurityConfigurer.aadWebApplication(), aad -> aad
            .configure(
                http
                    // does not compile - unreported exception java.lang.Exception; must be caught or declared to be thrown
                    .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/webjars/**", "static/**").permitAll()
                        .requestMatchers("/actuator/**").hasRole("ADMIN")
                        .anyRequest().authenticated())));
        return http.build();
    }
}
Current Behavior
Since SecurityConfigurerAdapter::configure is declared to throw an exception but Customizer::customize is not, I found no other way but to catch and re-throw it:
package example;

import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadWebApplicationHttpSecurityConfigurer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
class SecurityConfiguration {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.with(AadWebApplicationHttpSecurityConfigurer.aadWebApplication(), aad -> {
            try {
                aad
                    .configure(
                        http
                            .authorizeHttpRequests(authorize -> authorize
                                .requestMatchers("/webjars/**", "static/**").permitAll()
                                .requestMatchers("/actuator/**").hasRole("ADMIN")
                                .anyRequest().authenticated()));
            } catch (Exception e) {
                throw new IllegalStateException(e);
            }
        });
        return http.build();
    }
}
While this is certainly possible I personally have the feeling that it is somewhat at odds with the goals of the lambda dsl.
Is this me not fully understanding the lambda-dsl or is there actually something open for improvement here?
Thank you for looking at this!
Comment From: jzheaux
Hi, @jjank! Have you tried this:
import static org.springframework.security.config.Customizer.withDefaults;

http
    // register the configurer only; the builder calls its configure(HttpSecurity) itself during build()
    .with(AadWebApplicationHttpSecurityConfigurer.aadWebApplication(), withDefaults())
    .authorizeHttpRequests(authorize -> authorize
        .requestMatchers("/webjars/**", "static/**").permitAll()
        .requestMatchers("/actuator/**").hasRole("ADMIN")
        .anyRequest().authenticated());
Comment From: jjank
Hi @jzheaux
thank you for your help. That works as expected - very much appreciated 👍
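The exchange above turns on one contract of the 6.2 lambda DSL: `HttpSecurity.with(configurer, customizer)` registers the configurer and hands it to the `Customizer` so the caller can set options on it; the builder then invokes the configurer's `init(HttpSecurity)` and `configure(HttpSecurity)` on its own during `http.build()`. That is why `configure` may declare `throws Exception` while `Customizer.customize` does not, and why calling `configure` from inside the lambda, as in the try/catch workaround, runs the configurer's `configure` a second time at build. The following is an added example written for this page, not code from the thread, from Spring Security or from spring-cloud-azure: a hypothetical custom DSL `RequiredHeaderDsl` (with a hypothetical `RequiredHeaderFilter` and an assumed `X-Tenant` header) that follows the same `AbstractHttpConfigurer` shape as the Azure configurer, wired with `with(...)` exactly as in the accepted answer.

```java
package example;

import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical custom DSL (assumption for this example; not part of Spring Security
 * or spring-cloud-azure). It rejects requests that lack a configurable header.
 * The Customizer passed to HttpSecurity.with(...) only sets options on this object;
 * init() and configure() are invoked by the builder during http.build().
 */
class RequiredHeaderDsl extends AbstractHttpConfigurer<RequiredHeaderDsl, HttpSecurity> {

    private String headerName = "X-Required-Header";

    /** Fluent option, meant to be called from the Customizer lambda. */
    RequiredHeaderDsl headerName(String headerName) {
        this.headerName = headerName;
        return this;
    }

    static RequiredHeaderDsl requiredHeader() {
        return new RequiredHeaderDsl();
    }

    @Override
    public void init(HttpSecurity http) throws Exception {
        // Anything that registers another configurer belongs here, so that it is
        // initialised before configure() runs. This DSL needs nothing else.
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Declared "throws Exception" but never called from user code: the builder
        // calls it exactly once during build(). Calling it from the Customizer as
        // well would add the filter twice.
        http.addFilterBefore(new RequiredHeaderFilter(this.headerName),
                UsernamePasswordAuthenticationFilter.class);
    }
}

/** Hypothetical filter added by the DSL above. */
final class RequiredHeaderFilter extends OncePerRequestFilter {

    private final String headerName;

    RequiredHeaderFilter(String headerName) {
        this.headerName = headerName;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        if (request.getHeader(this.headerName) == null) {
            // fail closed: do not continue down the chain without the header
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing " + this.headerName);
            return;
        }
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfiguration {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // 6.2 lambda DSL: register the configurer and set its options in one call.
            // The lambda never calls configure(); build() does that below.
            .with(RequiredHeaderDsl.requiredHeader(), dsl -> dsl.headerName("X-Tenant"))
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/webjars/**", "/static/**").permitAll()
                .requestMatchers("/actuator/**").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }
}
```

Swapping `dsl -> dsl.headerName("X-Tenant")` for `Customizer.withDefaults()` gives the configurer its built-in defaults, which is what the accepted answer does with the Azure configurer; in both cases the only work inside the lambda is option-setting, and the checked-exception methods stay with the builder.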