22

How can we enable support for the spring security kotlin DSL?

As you can see from the Screenshot of the IDE (IntelliJ), the DSL is not available:

enter image description here

This is the full SecurityConfig.kt file:

package com.example.backend.core

import org.springframework.context.annotation.Bean
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain

@EnableWebFluxSecurity
class SecurityConfig {

  @Bean
  fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
    return http {
      csrf { disable() }
      formLogin { disable() }
      httpBasic { disable() }
      // ...
    }
  }

}

This is our build.gradle.kts

import org.jetbrains.kotlin.gradle.tasks.KotlinCompile

val springBootVersion = "2.4.2"

plugins {
    id("org.springframework.boot") version "2.4.2"
    id("io.spring.dependency-management") version "1.0.11.RELEASE"
    kotlin("jvm") version "1.4.21"
    kotlin("plugin.spring") version "1.4.21"
}

group = "com.example"
version = "0.0.1-SNAPSHOT"
java.sourceCompatibility = JavaVersion.VERSION_11

configurations {
    compileOnly {
        extendsFrom(configurations.annotationProcessor.get())
    }
}

repositories {
    mavenCentral()
}

dependencies {
    implementation("org.springframework.boot:spring-boot-starter-actuator")
    implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
    implementation("org.springframework.boot:spring-boot-starter-oauth2-client")
    implementation("org.springframework.boot:spring-boot-starter-security")
    implementation("org.springframework.boot:spring-boot-starter-webflux")
    implementation("com.fasterxml.jackson.module:jackson-module-kotlin")
    implementation("io.projectreactor.kotlin:reactor-kotlin-extensions")
    implementation("org.flywaydb:flyway-core")
    implementation("org.jetbrains.kotlin:kotlin-reflect")
    implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
    implementation("org.jetbrains.kotlinx:kotlinx-coroutines-reactor")
    developmentOnly("org.springframework.boot:spring-boot-devtools")
    runtimeOnly("io.micrometer:micrometer-registry-prometheus")
    runtimeOnly("org.postgresql:postgresql")
    annotationProcessor("org.springframework.boot:spring-boot-configuration-processor")
    testImplementation("org.springframework.boot:spring-boot-starter-test")
    testImplementation("io.projectreactor:reactor-test")
    testImplementation("org.springframework.security:spring-security-test")
}

tasks.withType<KotlinCompile> {
    kotlinOptions {
        freeCompilerArgs = listOf("-Xjsr305=strict")
        jvmTarget = "11"
    }
}

tasks.withType<Test> {
    useJUnitPlatform()
}

And this is the intellij version:

IntelliJ IDEA 2020.3 (Community Edition)
Build #IC-203.5981.155, built on November 30, 2020
Runtime version: 11.0.9+11-b1145.21 amd64
VM: OpenJDK 64-Bit Server VM by JetBrains s.r.o.
Linux 5.4.0-64-generic
GC: ParNew, ConcurrentMarkSweep
Memory: 1979M
Cores: 12
Registry: compiler.automake.allow.when.app.running=true
Non-Bundled Plugins: Key Promoter X, Dart, io.flutter, Lombook Plugin, org.jetbrains.kotlin
Current Desktop: X-Cinnamon

Do we miss some dependency? Does it require any specific intellij setup?

Stuck
  • 11,225
  • 11
  • 59
  • 104

4 Answers4

26

You need to manually import the ServerHttpSecurity invoke.

import org.springframework.security.config.web.server.invoke

Because of this Kotlin issue in 1.4, the IDE does not suggest it to you as it should.

This is scheduled to be fixed in Kotlin 1.4.30.

Eleftheria Stein-Kousathana
  • 5,871
  • 1
  • 21
  • 34
  • thanks, that worked.:) I also saw that it is not `disabled()` but `disable()`. – Stuck Feb 04 '21 at 20:11
  • 3
    I am using 1.4.32 and it did not suggest. –  Apr 29 '21 at 21:50
  • 2
    I am also using Kotlin 1.5.20 and the Spring plugin for the same version but it's still not working. – Stefano Zanella Oct 21 '21 at 20:36
  • 4
    12 months later, I'm using 1.6.10 the latest stable release and still can't auto-import this, need to go through spring security's hello world sample to get this import, duh – John Joker Jun 22 '22 at 07:59
  • Using spring-security 6.1.1 I need to import `org.springframework.security.config.annotation.web.invoke` – Tom Jul 18 '23 at 19:50
15

I noticed your question was regarding WebFlux, but just complementing @Eleftheria's answer.

For WebMvc folks you should import:

import org.springframework.security.config.web.servlet.invoke

(servlet vs server)

albertocavalcante
  • 437
  • 5
  • 11
  • Thanks a ton, I just spend 2 days figuring this out. Spring is so very badly documented ... – mhubig Oct 21 '22 at 14:34
  • 6
    In spring security 6(spring boot 3/spring6), use `import org.springframework.security.config.annotation.web.invoke` instead. – Hantsy Jan 21 '23 at 08:48
9

What worked for me was to explicitly call the .invoke method on the HttpSecurity object:

http.invoke {
    csrf { disable }
}

which will force my IDE (I'm using IntelliJ) to import the .invoke.

remykarem
  • 2,251
  • 22
  • 28
1

This DSL is built in starting since Spring Security 5.3 version. For example the org.springframework.security:spring-security-config:5.3.4.RELEASE library has it: org.springframework.security.config.web.servlet.HttpSecurityDsl#csrf And for example the

compile group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '2.3.3.RELEASE'

library will contain it.

Andrey
  • 15,144
  • 25
  • 91
  • 187
  • As shown, we are using spring boot version 2.4.2 and it includes `spring-security-config:5.4.2` so the DSL should work, but somehow it is not – Stuck Feb 03 '21 at 09:33
  • The class `HttpSecurityDsl` is available. Since it is in the `servlet` folder I am now wondering if it is not available in a reactive stack? we use `spring-boot-starter-webflux` and hence the `ServerHttpSecurityDsl` should apply? It is on the classpath as well – Stuck Feb 03 '21 at 09:37