Fix secure method configuration global authentication
This fixes a bug in the sample, where the AuthenticationManager it builds is a local one for the filter chain containing "/login", whereas it was expecting to override the Boot default, which is "global". The fix is to extract the authentication configuration out into a GlobalAuthenticationConfigurerAdapter. Fixes gh-699
parent
e4b8e174e8
commit
0aa93036fa
|
|
@ -23,10 +23,12 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
|
|||
import org.springframework.boot.builder.SpringApplicationBuilder;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.ComponentScan;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.Ordered;
|
||||
import org.springframework.core.annotation.Order;
|
||||
import org.springframework.security.access.annotation.Secured;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
|
||||
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
|
|
@ -70,17 +72,22 @@ public class SampleMethodSecurityApplication extends WebMvcConfigurerAdapter {
|
|||
return new ApplicationSecurity();
|
||||
}
|
||||
|
||||
@Order(Ordered.LOWEST_PRECEDENCE - 8)
|
||||
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Order(Ordered.HIGHEST_PRECEDENCE)
|
||||
@Configuration
|
||||
protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
public void init(AuthenticationManagerBuilder auth) throws Exception {
|
||||
// @formatter:off
|
||||
auth.inMemoryAuthentication().withUser("admin").password("admin")
|
||||
.roles("ADMIN", "USER").and().withUser("user").password("user")
|
||||
.roles("USER");
|
||||
// @formatter:on
|
||||
}
|
||||
}
|
||||
|
||||
@Order(Ordered.LOWEST_PRECEDENCE - 8)
|
||||
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
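Review bot: The new `AuthenticationSecurity.init(...)` has no comment saying why the users are registered in `init` on a `GlobalAuthenticationConfigurerAdapter` at `HIGHEST_PRECEDENCE`, which per the commit message is the whole fix. Someone folding this back into `ApplicationSecurity.configure(AuthenticationManagerBuilder)` would reintroduce gh-699 without any compile error. I would add above the method `// Registered on the global AuthenticationManagerBuilder so these users replace the Boot default; a builder configured inside a WebSecurityConfigurerAdapter is local to its filter chain (gh-699)`. The literal `admin`/`admin` and `user`/`user` passwords now back the global manager, so a second comment such as `// Sample-only credentials; replace before using this class as a template` is worth having next to them. The body of `ApplicationSecurity.configure(HttpSecurity)` lies outside the hunk.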
|
||||
|
|
|
|||
|
|
@ -16,17 +16,19 @@
|
|||
|
||||
package sample.ui.method;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.junit.Ignore;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.boot.test.IntegrationTest;
|
||||
import org.springframework.boot.test.TestRestTemplate;
|
||||
import org.springframework.boot.test.SpringApplicationConfiguration;
|
||||
import org.springframework.boot.test.TestRestTemplate;
|
||||
import org.springframework.http.HttpEntity;
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpMethod;
|
||||
|
|
@ -39,9 +41,6 @@ import org.springframework.test.context.web.WebAppConfiguration;
|
|||
import org.springframework.util.LinkedMultiValueMap;
|
||||
import org.springframework.util.MultiValueMap;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
/**
|
||||
* Basic integration tests for demo application.
|
||||
*
|
||||
|
|
@ -117,13 +116,19 @@ public class SampleMethodSecurityApplicationTests {
|
|||
}
|
||||
|
||||
@Test
|
||||
@Ignore("https://github.com/spring-projects/spring-boot/issues/699")
|
||||
public void testManagementAuthorizedAccess() throws Exception {
|
||||
ResponseEntity<String> entity = new TestRestTemplate("user", "user")
|
||||
ResponseEntity<String> entity = new TestRestTemplate("admin", "admin")
|
||||
.getForEntity("http://localhost:" + port + "/beans", String.class);
|
||||
assertEquals(HttpStatus.OK, entity.getStatusCode());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testManagementUnauthorizedAccess() throws Exception {
|
||||
ResponseEntity<String> entity = new TestRestTemplate("user", "user")
|
||||
.getForEntity("http://localhost:" + port + "/beans", String.class);
|
||||
assertEquals(HttpStatus.FORBIDDEN, entity.getStatusCode());
|
||||
}
|
||||
|
||||
private void getCsrf(MultiValueMap<String, String> form, HttpHeaders headers) {
|
||||
ResponseEntity<String> page = new TestRestTemplate().getForEntity(
|
||||
"http://localhost:" + port + "/login", String.class);
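Review bot: `testManagementUnauthorizedAccess` asserts `HttpStatus.FORBIDDEN` for an authenticated `user`, so its name describes a 401 while the check is a 403. No test in this hunk requests `/beans` without credentials. I would rename it to `testManagementForbiddenAccess` and add an anonymous case built from `new TestRestTemplate().getForEntity("http://localhost:" + port + "/beans", String.class)` with `assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());`, assuming the management chain answers with 401 rather than a redirect to `/login`, which is not visible here. Together with the existing 200 and 403 cases, that would pin all three outcomes for the endpoint. `getCsrf` continues outside the hunk.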
|
||||
|
|
|
|||