Class SecurityConfig

Constructor Summary
Constructors
SecurityConfig()

Method Summary
Modifier and Type | Method | Description
org.springframework.security.authentication.AuthenticationManager | authenticationManager(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.crypto.password.PasswordEncoder passwordEncoder) | Configures and provides the AuthenticationManager bean.
org.springframework.security.web.SecurityFilterChain | filterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http) | Configures the security filter chain for HTTP requests.
org.springframework.security.crypto.password.PasswordEncoder | passwordEncoder() | Defines the PasswordEncoder bean used for hashing passwords.
Constructor Details

SecurityConfig
public SecurityConfig()
Method Details

passwordEncoder
@Bean
public org.springframework.security.crypto.password.PasswordEncoder passwordEncoder()
Defines the PasswordEncoder bean used for hashing passwords. Here, BCryptPasswordEncoder is used: bcrypt generates a random salt for every hash and is deliberately expensive to compute, which slows brute-force and dictionary attacks against stored hashes. This encoder is used both when registering users (to hash their password) and when authenticating users (to verify the raw password against the stored hash).
authenticationManager
@Bean
public org.springframework.security.authentication.AuthenticationManager authenticationManager(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.crypto.password.PasswordEncoder passwordEncoder) throws Exception
Configures and provides the AuthenticationManager bean. This method obtains the AuthenticationManagerBuilder from the HttpSecurity object's shared objects; the builder is used to configure the authentication mechanisms. It sets the custom UserDetailsService (userDetailsService) to load user-specific data (such as username, password, and roles) from the database, and it sets the PasswordEncoder (passwordEncoder) to handle password hashing and verification, ensuring that a submitted plaintext password can be compared securely against the stored hash.
Finally, it builds and returns the AuthenticationManager instance, which is the core component invoked during authentication attempts (e.g., during login).
Parameters:
http - the HttpSecurity object, providing access to shared objects including the AuthenticationManagerBuilder
passwordEncoder - the PasswordEncoder bean used for hashing and verifying passwords
Returns:
the configured AuthenticationManager instance
Throws:
Exception - if an error occurs while building the AuthenticationManager
filterChain
@Bean
public org.springframework.security.web.SecurityFilterChain filterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
Configures the security filter chain for HTTP requests. This method sets up the security policies for the application, including:
- Disabling CSRF protection, because the app is stateless and typically uses tokens (such as JWT) rather than session cookies.
- Configuring session management to be stateless, meaning the server keeps no session data between requests.
- Defining authorization rules:
  * The authentication endpoints (/login, /register) and the API documentation (Swagger UI and OpenAPI docs) are publicly accessible without authentication.
  * All other requests require authentication.
This configuration ensures that only authorized users can access protected endpoints, while allowing free access to login, registration, and API docs.
Parameters:
http - the HttpSecurity object used to configure web-based security for specific HTTP requests
Returns:
the configured SecurityFilterChain instance
Throws:
Exception - if an error occurs while building the security filter chain
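The three beans documented above, written out as a complete Spring Security 6 configuration class. This is an added illustration of the behaviour the Javadoc describes, not the project's own source: the package name, the use of field injection for the UserDetailsService (implied by the page's no-argument constructor), the bcrypt default strength, and the concrete Swagger UI / OpenAPI paths (the springdoc defaults) are assumptions.

```java
package com.example.security; // hypothetical package, not taken from the page

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // The no-argument constructor on the page implies field injection; the bean
    // is assumed to be the application's database-backed UserDetailsService.
    @Autowired
    private UserDetailsService userDetailsService;

    public SecurityConfig() {
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // bcrypt: random per-hash salt plus an adjustable work factor. The no-arg
        // constructor uses the library default strength (log2 cost 10, assumed here);
        // raise it as hardware gets faster while keeping login latency acceptable.
        return new BCryptPasswordEncoder();
    }

    @Bean
    public AuthenticationManager authenticationManager(HttpSecurity http,
                                                       PasswordEncoder passwordEncoder) throws Exception {
        // The builder is a shared object on HttpSecurity; wiring the
        // UserDetailsService and PasswordEncoder into it yields a
        // DaoAuthenticationProvider that calls passwordEncoder.matches()
        // against the stored hash on every login attempt.
        AuthenticationManagerBuilder builder =
                http.getSharedObject(AuthenticationManagerBuilder.class);
        builder.userDetailsService(userDetailsService)
               .passwordEncoder(passwordEncoder);
        return builder.build();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF protection defends against credentials the browser attaches
            // automatically (session cookies). With stateless bearer-token auth
            // there are none, so disabling it is sound; if cookie sessions are
            // ever reintroduced this line must be revisited.
            .csrf(AbstractHttpConfigurer::disable)
            // Never create or consult an HttpSession; every request must carry
            // its own credentials.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/register").permitAll()
                // Swagger UI / OpenAPI locations: springdoc defaults, assumed
                .requestMatchers("/swagger-ui/**", "/swagger-ui.html", "/v3/api-docs/**").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}
```

At registration the service layer stores `passwordEncoder().encode(rawPassword)`; two calls with the same input produce different strings because of the fresh salt, and only `matches(raw, stored)` can verify them. A quick check that the chain behaves as documented is a MockMvc test expecting 401 for an unauthenticated GET on any non-listed path and a non-401 status for `/register` and the documentation paths.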