Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add WebExpressionAuthorizationManager.Builder

Browse Source 
Closes gh-17504
This commit is contained in:
Josh Cummings
2025-07-09 15:54:45 -06:00
parent c312d18191
commit dadf10899c
3 changed files with 181 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
+49 -1
View File
@@ -996,6 +996,29 @@ Kotlin::
----
======
To migrate several, you can use `WebExpressionAuthorizationManager#withDefaults`:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
WebExpressionAuthorizationManager.Builder authz = WebExpressionAuthorizationManager.withDefaults();
.requestMatchers("/test/**").access(authz.expression("hasRole('ADMIN') && hasRole('USER')"))
.requestMatchers("/test/**").access(authz.expression("permitAll"))
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
var authz = WebExpressionAuthorizationManager.withDefaults()
.requestMatchers("/test/**").access(authz.expression("hasRole('ADMIN') && hasRole('USER')"))
.requestMatchers("/test/**").access(authz.expression("permitAll"))
----
======
If you are referring to a bean in your expression like so: `@webSecurity.check(authentication, request)`, it's recommended that you instead call the bean directly, which will look something like the following:
[tabs]
@@ -1019,7 +1042,32 @@ Kotlin::
For complex instructions that include bean references as well as other expressions, it is recommended that you change those to implement `AuthorizationManager` and refer to them by calling `.access(AuthorizationManager)`.
If you are not able to do that, you can configure a javadoc:org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler[] with a bean resolver and supply that to `WebExpressionAuthorizationManager#setExpressionhandler`.
If you are not able to do that, you can publish javadoc:org.springframework.security.web.access.expression.WebExpressionAuthorizationManager$Builder[] as a bean:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
WebExpressionAuthorizationManager.Builder authz() {
return WebExpressionAuthorizationManager.withDefaults();
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun authz(): WebExpressionAuthorizationManager.Builder {
return WebExpressionAuthorizationManager.withDefaults()
}
----
======
Then, expressions passed to that builder will be able to refer to beans.
[[security-matchers]]
== Security Matchers