New modules have been added to Jmix: io.jmix.security:jmix-security-resource-server and io.jmix.security:jmix-security-resource-server-starter. The new modules contain the classes used to construct the request matcher for the resource server.
jmix-authserver-starter and jmix-oidc-starter depend on jmix-security-resource-server-starter.
Resource server configurations in the OIDC and Authorization Server add-on starters now use the CompositeResourceServerRequestMatcherProvider to obtain the RequestMatcher that is passed as the securityMatcher of the HttpSecurity instance.
The default implementation of the CompositeResourceServerRequestMatcherProvider combines the RequestMatchers provided by all AuthenticatedRequestMatcherProvider and AnonymousRequestMatcherProvider beans in the context.
If necessary, a project may define its own implementation of the CompositeResourceServerRequestMatcherProvider; that implementation is then used instead of the default one.
Configure RequestMatchers for the Resource Server in the Project
Creating the AuthenticatedRequestMatcherProvider
import io.jmix.securityresourceserver.requestmatcher.AuthenticatedRequestMatcherProvider;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;

@Component
public class GreetingAuthenticatedRequestMatcherProvider implements AuthenticatedRequestMatcherProvider {

    // Requests matching this pattern are handled by the resource server and require authentication
    @Override
    public RequestMatcher getAuthenticatedRequestMatcher() {
        return new AntPathRequestMatcher("/greeting/**");
    }
}
This approach lets you build complex request matchers, e.g. new AntPathRequestMatcher("/greeting/**", HttpMethod.GET.name()), which restricts the match to GET requests.
Creating the AnonymousRequestMatcherProvider
If some URL processed by the resource server must be accessed anonymously, the AnonymousRequestMatcherProvider may be used.
import io.jmix.securityresourceserver.requestmatcher.AnonymousRequestMatcherProvider;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;

@Component
public class GreetingAnonymousRequestMatcherProvider implements AnonymousRequestMatcherProvider {

    // Requests matching this pattern are handled by the resource server but may be accessed anonymously
    @Override
    public RequestMatcher getAnonymousRequestMatcher() {
        return new AntPathRequestMatcher("/greeting/public/**");
    }
}
Creating the AuthenticatedUrlPatternsProvider
import io.jmix.securityresourceserver.requestmatcher.urlprovider.AuthenticatedUrlPatternsProvider;
import org.springframework.stereotype.Component;

import java.util.List;

@Component
public class GreetingAuthenticatedUrlProvider implements AuthenticatedUrlPatternsProvider {

    // Ant-style URL patterns that must be protected by the resource server
    @Override
    public List<String> getAuthenticatedUrlPatterns() {
        return List.of("/greeting/**");
    }
}
This approach allows you to return a list of URL patterns that must be protected by the resource server.
Creating the AnonymousUrlPatternsProvider
import io.jmix.securityresourceserver.requestmatcher.urlprovider.AnonymousUrlPatternsProvider;
import org.springframework.stereotype.Component;

import java.util.List;

@Component
public class GreetingAnonymousUrlProvider implements AnonymousUrlPatternsProvider {

    // Ant-style URL patterns handled by the resource server configuration but accessible anonymously
    @Override
    public List<String> getAnonymousUrlPatterns() {
        return List.of("/greeting/public/**");
    }
}
This approach allows you to return a list of URL patterns that must be processed by the resource server configuration but accessed anonymously.
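The following is an added example, not code from the Jmix PR, showing how the two provider interfaces above can be implemented by a single component so that the authenticated and anonymous matchers are disjoint: the anonymous set is limited to GET on a few explicitly listed paths, and the authenticated set is "everything else under the prefix", so a POST to a nominally public path still requires a token. It assumes the interfaces have exactly the single method shown on this page and uses a hypothetical /api/orders/** prefix.

```java
// Added example (not from the Jmix PR). Package name and URL prefix are hypothetical.
package com.example.orders.security;

import io.jmix.securityresourceserver.requestmatcher.AnonymousRequestMatcherProvider;
import io.jmix.securityresourceserver.requestmatcher.AuthenticatedRequestMatcherProvider;
import org.springframework.http.HttpMethod;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;

@Component
public class OrdersApiRequestMatcherProvider
        implements AuthenticatedRequestMatcherProvider, AnonymousRequestMatcherProvider {

    // The anonymous surface: read-only catalogue and the health probe, GET only.
    // Listing exact paths with a method keeps the carve-out narrow.
    private static final RequestMatcher PUBLIC_READS = new OrRequestMatcher(
            new AntPathRequestMatcher("/api/orders/catalog/**", HttpMethod.GET.name()),
            new AntPathRequestMatcher("/api/orders/health", HttpMethod.GET.name()));

    // Everything under the prefix that is not a public read requires a bearer token.
    // Because the anonymous set is subtracted here, the two matchers never overlap,
    // so e.g. POST /api/orders/catalog/items is authenticated, not anonymous.
    @Override
    public RequestMatcher getAuthenticatedRequestMatcher() {
        return new AndRequestMatcher(
                new AntPathRequestMatcher("/api/orders/**"),
                new NegatedRequestMatcher(PUBLIC_READS));
    }

    @Override
    public RequestMatcher getAnonymousRequestMatcher() {
        return PUBLIC_READS;
    }
}
```

Both matchers are picked up by the default CompositeResourceServerRequestMatcherProvider, so the whole /api/orders/** prefix is routed into the resource server filter chain rather than falling through to another chain.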
The issue: #3397
Implementation Details
Using the Application Property
Legacy AuthorizedUrlsProvider Support
The legacy AuthorizedUrlsProvider will continue working.
Generic REST Add-on Endpoints Security
Previously, Generic REST add-on endpoints were secured by default:
/rest/** - authenticated
After the changes made in this PR, REST endpoint security must be explicitly defined in the project.
These settings may be added by Studio when it migrates an old project or when the REST API is added to the project.
Application properties from the REST API add-on should be replaced with the corresponding resource server properties.