New modules have been added to Jmix: io.jmix.security:jmix-security-resource-server and io.jmix.security:jmix-security-resource-server-starter. New modules contains classes for constructing the request matcher for the resource server.
jmix-authserver-starterand jmix-oidc-starter depend on the jmix-security-resource-server-starter.
Resource server configurations in OIDC and Authorization Server add-on starters now use the CompositeResourceServerRequestMatcherProvider to get the ReqeustMatcher that will be used a securityMatcher for the HttpSecurity instance:
The default implementation of the CompositeResourceServerRequestMatcherProvider combines RequestMatchers provided by multiple AuthenticatedRequestMatcherProvider and AnonymousRequestMatcherProvider instances.
If necessary, users may define their own implementation of the CompositeResourceServerRequestMatcherProvider in the project and this implementation will be used instead of default one.
Configure RequestMatchers for the Resource Server in the Project
Creating the AuthenticatedRequestMatcherProvider
import io.jmix.securityresourceserver.requestmatcher.ResourceServerRequestMatcherProvider;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;
@Component
public class GreetingAuthenticatedRequestMatcherProvider implements AuthenticatedRequestMatcherProvider {
@Override
public RequestMatcher getAuthenticatedRequestMatcher() {
return new AntPathRequestMatcher("/greeting/**");
}
}
This approach allows you to create complex request matchers, e.g. new AntPathRequestMatcher("/greeting/**", HttpMethod.GET.name());
Creating the AnonymousRequestMatcherProvider
If some URL processed by the resource server must be accessed anonymously, the AnonymousRequestMatcherProvider may be used.
import io.jmix.securityresourceserver.requestmatcher.AnonymousRequestMatcherProvider;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;
@Component
public class GreetingAnonymousRequestMatcherProvider implements AnonymousRequestMatcherProvider {
@Override
public RequestMatcher getAnonymousRequestMatcher() {
return new AntPathRequestMatcher("/greeting/public/**");
}
}
Creating the AuthenticatedUrlPatternsProvider
import io.jmix.securityresourceserver.requestmatcher.urlprovider.AuthenticatedUrlPatternsProvider;
import org.springframework.stereotype.Component;
import java.util.List;
@Component
public class GreetingAuthenticatedUrlProvider implements AuthenticatedUrlPatternsProvider {
@Override
public List<String> getAuthenticatedUrlPatterns() {
return List.of("/greeting/**");
}
}
This approach allows you to return a list of URL patterns that must be protected by the resource server.
Creating the AnonymousUrlPatternsProvider
import io.jmix.securityresourceserver.requestmatcher.urlprovider.AnonymousUrlPatternsProvider;
import org.springframework.stereotype.Component;
import java.util.List;
@Component
public class GreetingAnonymousUrlProvider implements AnonymousUrlPatternsProvider {
@Override
public List<String> getAnonymousUrlPatterns() {
return List.of("/greeting/public/**");
}
}
This approach allows you to return a list of URL patterns that must be processed by the resource server configuration but accessed anonymously.
The issue: #3397
Implementation Details
New modules have been added to Jmix:
io.jmix.security:jmix-security-resource-serverandio.jmix.security:jmix-security-resource-server-starter. New modules contains classes for constructing the request matcher for the resource server.jmix-authserver-starterandjmix-oidc-starterdepend on thejmix-security-resource-server-starter.Resource server configurations in OIDC and Authorization Server add-on starters now use the
CompositeResourceServerRequestMatcherProviderto get the ReqeustMatcher that will be used a securityMatcher for the HttpSecurity instance:The default implementation of the
CompositeResourceServerRequestMatcherProvidercombines RequestMatchers provided by multipleAuthenticatedRequestMatcherProviderandAnonymousRequestMatcherProviderinstances.If necessary, users may define their own implementation of the
CompositeResourceServerRequestMatcherProviderin the project and this implementation will be used instead of default one.Configure RequestMatchers for the Resource Server in the Project
Creating the
AuthenticatedRequestMatcherProviderThis approach allows you to create complex request matchers, e.g.
new AntPathRequestMatcher("/greeting/**", HttpMethod.GET.name());Creating the
AnonymousRequestMatcherProviderIf some URL processed by the resource server must be accessed anonymously, the
AnonymousRequestMatcherProvidermay be used.Creating the
AuthenticatedUrlPatternsProviderThis approach allows you to return a list of URL patterns that must be protected by the resource server.
Creating the
AnonymousUrlPatternsProviderThis approach allows you to return a list of URL patterns that must be processed by the resource server configuration but accessed anonymously.
Using the Application Property
Legacy
AuthorizedUrlsProviderSupportLegacy
AuthorizedUrlsProviderwill continue working:Generic REST Add-on Endpoints Security
Previously, Generic REST add-on endpoints were secured by default:
/rest/**- authenticatedAfter the changes made in this PR, REST endpoints security must be explicitly defined in the project, for example:
This settings may be added by Studio when it migrates old project or when the REST API is added to the project.
Application properties from the REST API add-on should be replaced with corresponding resource server properties: