Update security config in samples

vpavic · rwinch · commit e5eeacec5ffb · 2022-10-25T14:27:39.000-05:00
This commit updates security configuration in samples to:

- use AuthorizationFilter instead of FilterSecurityInterceptor
- update session creation policy in REST sample
diff --git a/spring-session-core/src/main/java/org/springframework/session/web/http/HeaderHttpSessionIdResolver.java b/spring-session-core/src/main/java/org/springframework/session/web/http/HeaderHttpSessionIdResolver.java
@@ -98,6 +98,7 @@ public HeaderHttpSessionIdResolver(String headerName) {
 	@Override
 	public List<String> resolveSessionIds(HttpServletRequest request) {
 		String headerValue = request.getHeader(this.headerName);
+		System.out.println(headerValue);
 		return (headerValue != null) ? Collections.singletonList(headerValue) : Collections.emptyList();
 	}
 
diff --git a/spring-session-docs/modules/ROOT/examples/java/docs/security/RememberMeSecurityConfiguration.java b/spring-session-docs/modules/ROOT/examples/java/docs/security/RememberMeSecurityConfiguration.java
@@ -51,7 +51,7 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 
 		return http
 			.formLogin(Customizer.withDefaults())
-			.authorizeRequests((authorize) -> authorize
+			.authorizeHttpRequests((authorize) -> authorize
 				.anyRequest().authenticated()
 			).build();
 	}
diff --git a/spring-session-samples/spring-session-sample-boot-findbyusername/src/main/java/sample/config/SecurityConfig.java b/spring-session-samples/spring-session-sample-boot-findbyusername/src/main/java/sample/config/SecurityConfig.java
@@ -36,7 +36,7 @@ public class SecurityConfig {
 	@Bean
 	SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		return http
-			.authorizeRequests((authorize) -> authorize
+			.authorizeHttpRequests((authorize) -> authorize
 				.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
 				.anyRequest().authenticated()
 			)
diff --git a/spring-session-samples/spring-session-sample-boot-hazelcast/src/main/java/sample/config/SecurityConfig.java b/spring-session-samples/spring-session-sample-boot-hazelcast/src/main/java/sample/config/SecurityConfig.java
@@ -35,7 +35,7 @@ public class SecurityConfig {
 	@Bean
 	SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		return http
-			.authorizeRequests((authorize) -> authorize
+			.authorizeHttpRequests((authorize) -> authorize
 				.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
 				.anyRequest().authenticated()
 			)
diff --git a/spring-session-samples/spring-session-sample-boot-jdbc/src/main/java/sample/config/SecurityConfig.java b/spring-session-samples/spring-session-sample-boot-jdbc/src/main/java/sample/config/SecurityConfig.java
@@ -45,7 +45,7 @@ WebSecurityCustomizer ignoringCustomizer() {
 	@Bean
 	SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		return http
-			.authorizeRequests((authorize) -> authorize
+			.authorizeHttpRequests((authorize) -> authorize
 				.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
 				.anyRequest().authenticated()
 			)
diff --git a/spring-session-samples/spring-session-sample-boot-redis-json/src/main/java/sample/config/SecurityConfig.java b/spring-session-samples/spring-session-sample-boot-redis-json/src/main/java/sample/config/SecurityConfig.java
@@ -35,7 +35,7 @@ public class SecurityConfig {
 	@Bean
 	SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		return http
-			.authorizeRequests((authorize) -> authorize
+			.authorizeHttpRequests((authorize) -> authorize
 				.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
 				.anyRequest().authenticated()
 			)
diff --git a/spring-session-samples/spring-session-sample-boot-redis/src/main/java/sample/config/SecurityConfig.java b/spring-session-samples/spring-session-sample-boot-redis/src/main/java/sample/config/SecurityConfig.java
@@ -36,7 +36,7 @@ public class SecurityConfig {
 	@Bean
 	SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		return http
-			.authorizeRequests((authorize) -> authorize
+			.authorizeHttpRequests((authorize) -> authorize
 				.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
 				.anyRequest().authenticated()
 			)
diff --git a/spring-session-samples/spring-session-sample-boot-websocket/src/main/java/sample/config/WebSecurityConfig.java b/spring-session-samples/spring-session-sample-boot-websocket/src/main/java/sample/config/WebSecurityConfig.java
@@ -54,7 +54,7 @@ WebSecurityCustomizer ignoringCustomizer() {
 	@Bean
 	SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		return http
-			.authorizeRequests((authorize) -> authorize
+			.authorizeHttpRequests((authorize) -> authorize
 				.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
 				.anyRequest().authenticated()
 			)
diff --git a/spring-session-samples/spring-session-sample-javaconfig-rest/src/main/java/sample/SecurityConfig.java b/spring-session-samples/spring-session-sample-javaconfig-rest/src/main/java/sample/SecurityConfig.java
@@ -23,6 +23,7 @@
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.savedrequest.NullRequestCache;
@@ -35,13 +36,15 @@ public class SecurityConfig {
 	@Bean
 	SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		return http
-			.authorizeRequests((authorize) -> authorize
+			.authorizeHttpRequests((authorize) -> authorize
 				.anyRequest().authenticated()
 			)
 			.requestCache((requestCache) -> requestCache
 				.requestCache(new NullRequestCache())
 			)
 			.httpBasic(Customizer.withDefaults())
+			.sessionManagement((sessionManagement) -> sessionManagement
+				.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
 			.build();
 	}
 	// @formatter:on

Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,7 @@ public HeaderHttpSessionIdResolver(String headerName) {`
`98`	`98`	`@Override`
`99`	`99`	`public List<String> resolveSessionIds(HttpServletRequest request) {`
`100`	`100`	`String headerValue = request.getHeader(this.headerName);`
	`101`	`+ System.out.println(headerValue);`
`101`	`102`	`return (headerValue != null) ? Collections.singletonList(headerValue) : Collections.emptyList();`
`102`	`103`	`}`
`103`	`104`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {`
`51`	`51`
`52`	`52`	`return http`
`53`	`53`	`.formLogin(Customizer.withDefaults())`
`54`		`- .authorizeRequests((authorize) -> authorize`
	`54`	`+ .authorizeHttpRequests((authorize) -> authorize`
`55`	`55`	`.anyRequest().authenticated()`
`56`	`56`	`).build();`
`57`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ public class SecurityConfig {`
`36`	`36`	`@Bean`
`37`	`37`	`SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {`
`38`	`38`	`return http`
`39`		`- .authorizeRequests((authorize) -> authorize`
	`39`	`+ .authorizeHttpRequests((authorize) -> authorize`
`40`	`40`	`.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()`
`41`	`41`	`.anyRequest().authenticated()`
`42`	`42`	`)`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ public class SecurityConfig {`
`35`	`35`	`@Bean`
`36`	`36`	`SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {`
`37`	`37`	`return http`
`38`		`- .authorizeRequests((authorize) -> authorize`
	`38`	`+ .authorizeHttpRequests((authorize) -> authorize`
`39`	`39`	`.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()`
`40`	`40`	`.anyRequest().authenticated()`
`41`	`41`	`)`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ WebSecurityCustomizer ignoringCustomizer() {`
`45`	`45`	`@Bean`
`46`	`46`	`SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {`
`47`	`47`	`return http`
`48`		`- .authorizeRequests((authorize) -> authorize`
	`48`	`+ .authorizeHttpRequests((authorize) -> authorize`
`49`	`49`	`.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()`
`50`	`50`	`.anyRequest().authenticated()`
`51`	`51`	`)`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ WebSecurityCustomizer ignoringCustomizer() {`
`54`	`54`	`@Bean`
`55`	`55`	`SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {`
`56`	`56`	`return http`
`57`		`- .authorizeRequests((authorize) -> authorize`
	`57`	`+ .authorizeHttpRequests((authorize) -> authorize`
`58`	`58`	`.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()`
`59`	`59`	`.anyRequest().authenticated()`
`60`	`60`	`)`