diff --git a/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java b/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java
index 377e73c0f23..3d1111bec8b 100644
--- a/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java
+++ b/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java
@@ -28,7 +28,6 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.autoconfigure.web.ServerProperties.Servlet;
@@ -48,11 +47,8 @@ import org.springframework.boot.devtools.restart.server.SourceFolderUrlFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.core.annotation.Order;
+import org.springframework.context.annotation.Import;
 import org.springframework.http.server.ServerHttpRequest;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 /**
 * {@link EnableAutoConfiguration Auto-configuration} for remote development support.
@@ -68,6 +64,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 @ConditionalOnProperty(prefix = "spring.devtools.remote", name = "secret")
 @ConditionalOnClass({ Filter.class, ServerHttpRequest.class })
 @AutoConfigureAfter(SecurityAutoConfiguration.class)
+@Import(RemoteDevtoolsSecurityConfiguration.class)
 @EnableConfigurationProperties({ ServerProperties.class, DevToolsProperties.class })
 public class RemoteDevToolsAutoConfiguration {
 
@@ -136,25 +133,4 @@ public class RemoteDevToolsAutoConfiguration {
 
 }
 
- @Configuration
- @Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
- @ConditionalOnClass(WebSecurityConfigurerAdapter.class)
- static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
-
- private final String url;
-
- SecurityConfiguration(DevToolsProperties devToolsProperties, ServerProperties serverProperties) {
- Servlet servlet = serverProperties.getServlet();
- String servletContextPath = (servlet.getContextPath() != null) ? servlet.getContextPath() : "";
- this.url = servletContextPath + devToolsProperties.getRemote().getContextPath() + "/restart";
- }
-
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- http.requestMatcher(new AntPathRequestMatcher(this.url)).authorizeRequests().anyRequest().anonymous().and()
- .csrf().disable();
- }
-
- }
-
 }
diff --git a/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java b/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java
new file mode 100644
index 00000000000..d4e5c90e1ad
--- /dev/null
+++ b/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.devtools.autoconfigure;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.security.SecurityProperties;
+import org.springframework.boot.autoconfigure.web.ServerProperties;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+
+/**
+ * Spring Security configuration that allows anonymous access to the remote devtools
+ * endpoint.
+ *
+ * @author Madhura Bhave
+ */
+@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
+@Configuration
+class RemoteDevtoolsSecurityConfiguration {
+
+ @Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
+ @Configuration
+ static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+ private final String url;
+
+ SecurityConfiguration(DevToolsProperties devToolsProperties, ServerProperties serverProperties) {
+ ServerProperties.Servlet servlet = serverProperties.getServlet();
+ String servletContextPath = (servlet.getContextPath() != null) ? servlet.getContextPath() : "";
+ this.url = servletContextPath + devToolsProperties.getRemote().getContextPath() + "/restart";
+ }
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.requestMatcher(new AntPathRequestMatcher(this.url)).authorizeRequests().anyRequest().anonymous().and()
+ .csrf().disable();
+ }
+
+ }
+
+}
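Review bot: The nested `SecurityConfiguration.configure` turns off CSRF protection and grants anonymous access for the `/restart` URL, but neither the class Javadoc nor the method says what authenticates the request once Spring Security steps aside. Going by the `@ConditionalOnProperty(prefix = "spring.devtools.remote", name = "secret")` on the importing auto-configuration, the shared secret is presumably the only remaining control; the code that checks it is not part of this diff, so the comment should name it. I would add above `configure` something like `// Spring Security is bypassed for this single URL only; access is still gated by the spring.devtools.remote.secret check in the devtools filter.` The `@Order(SecurityProperties.BASIC_AUTH_ORDER - 1)` also needs a short why-comment, presumably that this chain has to be matched ahead of the default basic-auth configuration. A sentence on why the file uses two `@Configuration` levels (a package-private outer class carrying `@ConditionalOnClass` and a nested adapter subclass) would help as well, since the reason is not evident from the file itself.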