0

In our current XML-based configuration, we have the below configuration in web.xml to disable non-SSL (HTTP) protocol access.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecureConnection</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>


I am migrating this XML-based configuration to Java configuration. How do I set up this configuration in Spring WebApplicationInitializer? I have found the same question posted by @ams years ago, but it is without a complete/proper answer. How can I achieve this using Java configuration?

Adwait Kumar
Ram

2 Answers

0

You create a WebSecurityConfigurerAdapter and configure the HttpSecurity.

You should go through the documentation of HttpSecurity to figure out the right configurations you need to apply.

Basic example:

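 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

 @Configuration
 @EnableWebSecurity
 public class OpenIDLoginConfig extends WebSecurityConfigurerAdapter {

        // Require the USER role for every URL and enable OpenID login.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
                http.authorizeRequests().antMatchers("/**").hasRole("USER").and().openidLogin()
                                .permitAll();
        }

        // In-memory user store keyed by the OpenID identifier.
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                auth.inMemoryAuthentication()
                                .withUser("https://www.google.com/accounts/o8/id?id=lmkCn9xzPdsxVwG")
                                .password("password").roles("USER");
        }
 }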

Further reading: https://www.baeldung.com/java-config-spring-security

Adwait Kumar
0

I found the below solution to access requests only through SSL (HTTPS) and disable non-SSL access (HTTP) after going through the Spring HttpSecurity class. I tested this and it is working fine. This needs to be configured in the overridden configure() method of WebSecurityConfigurerAdapter:

http.requiresChannel().anyRequest().requiresSecure();
Ram
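
The channel rule from the second answer, placed in a complete configuration class. This is an added example, not code from either answer. It assumes Spring Security 5.x (WebSecurityConfigurerAdapter was removed in 6.0), and the class name and the 9080/9443 connector ports are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class HttpsOnlySecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed (hypothetical) connector ports. Spring Security's default port
    // mappings only cover 80 -> 443 and 8080 -> 8443, so other ports must be declared.
    private static final int HTTP_PORT = 9080;
    private static final int HTTPS_PORT = 9443;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Counterpart of <url-pattern>/*</url-pattern> with
            // <transport-guarantee>CONFIDENTIAL</transport-guarantee>:
            // any request for which request.isSecure() is false is
            // redirected to the https:// form of the same URL.
            .requiresChannel()
                .anyRequest().requiresSecure()
                .and()
            // Tells the redirect which HTTPS port belongs to the HTTP port.
            .portMapper()
                .http(HTTP_PORT).mapsTo(HTTPS_PORT)
                .and()
            // Strict-Transport-Security on HTTPS responses, so browsers that
            // have visited once stop sending plain-HTTP requests at all.
            .headers()
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000);
        // Authorization rules (authorizeRequests(), login) are omitted here;
        // this class only covers the transport requirement.
    }
}
```

The rule redirects plain-HTTP requests rather than closing the HTTP port, so the first request can still travel unencrypted. Behind a TLS-terminating proxy, request.isSecure() stays false unless forwarded headers are processed, which produces a redirect loop.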