From 0aa93036fa34eee08efcff90af3711a69577ef05 Mon Sep 17 00:00:00 2001
From: Dave Syer
Date: Sun, 20 Apr 2014 10:18:04 -0700
Subject: [PATCH] Fix secure method configuration global authentication This fixes a bug in the sample, where the AuthenticationManager it builds is a local one for the filter chain containing "/login", whereas it was expecting to override the Boot default, which is "global". The fix is to extract the authentication configuration out into a GlobalAuthenticationConfigurerAdapter. Fixes gh-699
---
 .../SampleMethodSecurityApplication.java | 15 +++++++++++----
 .../SampleMethodSecurityApplicationTests.java | 19 ++++++++++++-------
 2 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/ui/method/SampleMethodSecurityApplication.java b/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/ui/method/SampleMethodSecurityApplication.java
index f329564b4cb..52e5bc1f863 100644
--- a/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/ui/method/SampleMethodSecurityApplication.java
+++ b/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/ui/method/SampleMethodSecurityApplication.java
@@ -23,10 +23,12 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -70,17 +72,22 @@ public class SampleMethodSecurityApplication extends WebMvcConfigurerAdapter {
 return new ApplicationSecurity();
 }
- @Order(Ordered.LOWEST_PRECEDENCE - 8)
- protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
-
+ @Order(Ordered.HIGHEST_PRECEDENCE)
+ @Configuration
+ protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
+
 @Override
- protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ public void init(AuthenticationManagerBuilder auth) throws Exception {
 // @formatter:off
 auth.inMemoryAuthentication().withUser("admin").password("admin")
 .roles("ADMIN", "USER").and().withUser("user").password("user")
 .roles("USER");
 // @formatter:on
 }
+ }
+
+ @Order(Ordered.LOWEST_PRECEDENCE - 8)
+ protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
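Review bot: The in-memory users in `AuthenticationSecurity.init` keep the literal passwords `admin`/`admin` and `user`/`user`, and registering them on the global manager instead of the filter-chain-local one widens what those passwords unlock: the updated test in this commit expects `admin`/`admin` to get 200 from the `/beans` management endpoint. Because sample code gets copied, I would add a comment above the `auth.inMemoryAuthentication()` call such as `// Demo-only credentials: registered on the global AuthenticationManager, so they also guard the management endpoints`. The `@Order(Ordered.HIGHEST_PRECEDENCE)` annotation and the override of `init` rather than `configure` are both unexplained; presumably they make this configurer run before Boot's default, and a one-line why-comment on the class would record that. `ApplicationSecurity.configure(HttpSecurity)` continues past the end of the hunk.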
diff --git a/spring-boot-samples/spring-boot-sample-web-method-security/src/test/java/sample/ui/method/SampleMethodSecurityApplicationTests.java b/spring-boot-samples/spring-boot-sample-web-method-security/src/test/java/sample/ui/method/SampleMethodSecurityApplicationTests.java
index 62adc9a4034..72630c89851 100644
--- a/spring-boot-samples/spring-boot-sample-web-method-security/src/test/java/sample/ui/method/SampleMethodSecurityApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-web-method-security/src/test/java/sample/ui/method/SampleMethodSecurityApplicationTests.java
@@ -16,17 +16,19 @@
 package sample.ui.method;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
 import java.util.Arrays;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.test.IntegrationTest;
-import org.springframework.boot.test.TestRestTemplate;
 import org.springframework.boot.test.SpringApplicationConfiguration;
+import org.springframework.boot.test.TestRestTemplate;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
@@ -39,9 +41,6 @@ import org.springframework.test.context.web.WebAppConfiguration;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
 /**
 * Basic integration tests for demo application.
 *
@@ -117,13 +116,19 @@ public class SampleMethodSecurityApplicationTests {
 }
 @Test
- @Ignore("https://github.com/spring-projects/spring-boot/issues/699")
 public void testManagementAuthorizedAccess() throws Exception {
- ResponseEntity entity = new TestRestTemplate("user", "user")
+ ResponseEntity entity = new TestRestTemplate("admin", "admin")
 .getForEntity("http://localhost:" + port + "/beans", String.class);
 assertEquals(HttpStatus.OK, entity.getStatusCode());
 }
+ @Test
+ public void testManagementUnauthorizedAccess() throws Exception {
+ ResponseEntity entity = new TestRestTemplate("user", "user")
+ .getForEntity("http://localhost:" + port + "/beans", String.class);
+ assertEquals(HttpStatus.FORBIDDEN, entity.getStatusCode());
+ }
+
 private void getCsrf(MultiValueMap form, HttpHeaders headers) {
 ResponseEntity page = new TestRestTemplate().getForEntity(
 "http://localhost:" + port + "/login", String.class);
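Review bot: `testManagementUnauthorizedAccess` asserts `HttpStatus.FORBIDDEN`, so it covers an authenticated `user` who lacks the required role, not an unauthenticated caller, and the name makes that easy to misread. I would rename it along the lines of `testManagementForbiddenForNonAdmin`, or add `// "user" authenticates but lacks the role the management endpoints require: 403, not 401` above the assertion. Nothing in this hunk requests `/beans` with no credentials or with a wrong password; if that is not covered elsewhere in the file, a test expecting a rejection would pin the other half of the access-control behaviour this commit fixes. `getCsrf` at the end of the hunk continues outside it.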