hendisantika / springboot-adminlte3-template

Spring Boot Admin LTE 3 Template

Upgrade to springboot 3.0.5 #5

Closed craph closed 1 year ago

craph commented 1 year ago

Hello,

Is it possible to upgrade your code to Spring Boot version 3.0.5?

Thank you very much. Best regards,

hendisantika commented 1 year ago

Yes, it is. I will upgrade it now.

hendisantika commented 1 year ago

Please pull latest code.

craph commented 1 year ago

Do you know what the difference is between securityMatcher and requestMatcher in SecurityFilterChain?

hendisantika commented 1 year ago

In the Spring Security framework, the SecurityFilterChain is responsible for applying a series of security filters to incoming HTTP requests. Two important interfaces that are used to configure a SecurityFilterChain are RequestMatcher and SecurityMatcher.

RequestMatcher is an interface that is used to match incoming HTTP requests against a predefined set of criteria. It is used to determine if a particular request should be processed by a particular SecurityFilterChain. For example, you could define a RequestMatcher that matches all HTTP requests that start with "/api". When a request comes in, Spring Security will use the RequestMatcher to determine if it should be processed by the SecurityFilterChain that matches that criteria.

SecurityMatcher is an interface that is used to match the authentication and authorization requirements for a particular request. It is used to determine if a particular request requires authentication or authorization. For example, you could define a SecurityMatcher that requires all requests to be authenticated with a specific set of credentials before they are processed by the SecurityFilterChain.

So, to summarize, RequestMatcher is used to match incoming requests against a predefined set of criteria, while SecurityMatcher is used to match the authentication and authorization requirements for a particular request. Both interfaces are used together to determine which SecurityFilterChain should be applied to a particular request.

craph commented 1 year ago

Thank you very much for all the information. Do you have a link that explains all this? In https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#use-new-security-matchers it says:

> In Spring Security 5.8, the antMatchers, mvcMatchers, and regexMatchers methods were deprecated in favor of new requestMatchers methods.

and

> In Spring Security 5.8, the antMatchers, mvcMatchers and requestMatchers methods from HttpSecurity were deprecated in favor of new securityMatchers methods.

and

> Another reason for adding the securityMatchers methods is to avoid confusion with the requestMatchers methods from authorizeHttpRequests.

But it's really confusing :( I don't really understand the differences very well.

hendisantika commented 1 year ago

For now, just follow. You will understand eventually when you have more experience.

craph commented 1 year ago

Thank you very much

hendisantika commented 1 year ago

You're welcome.

craph commented 1 year ago

Last question, when you say

> So, to summarize, RequestMatcher is used to match incoming requests against a predefined set of criteria, while SecurityMatcher is used to match the authentication and authorization requirements for a particular request. Both interfaces are used together to determine which SecurityFilterChain should be applied to a particular request.

SecurityMatcher is also used to match incoming requests, no?

because

```java
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests((authz) -> authz
            .requestMatchers("/api/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
        );
    return http.build();
}
```

```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .securityMatcher("/api/**")
        .authorizeHttpRequests((authz) -> authz
            .requestMatchers("/api/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
        );
    return http.build();
}
```

Both verify authenticated, right?

hendisantika commented 1 year ago

It is better to use requestMatchers if it is only request without security.

craph commented 1 year ago

> It is better to use requestMatchers if it is only request without security.

But authenticated is security too, no? It's weird.

hendisantika commented 1 year ago

No, it's different.

craph commented 1 year ago

Which line of code defines security?

Moreover, here in your code, https://github.com/hendisantika/springboot-adminlte3-template/commit/8f5542cfc359ec13420b31a734eed5ef683d6dc9#diff-bca8dd685120e9fce44e5327c3feabb5738b4a7602a015a5686c507e090ca461R60, you are using a deprecated method.