Remove additional auto-configured security configurers
Closes gh-10435
parent
8f9b47aa4c
commit
0e2d34cdb4
|
@ -18,24 +18,15 @@ package org.springframework.boot.autoconfigure.h2;
|
|||
|
||||
import org.h2.server.web.WebServlet;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
|
||||
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
|
||||
import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration;
|
||||
import org.springframework.boot.autoconfigure.security.SecurityProperties;
|
||||
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
||||
import org.springframework.boot.web.servlet.ServletRegistrationBean;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.annotation.Order;
|
||||
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
|
||||
/**
|
||||
* {@link EnableAutoConfiguration Auto-configuration} for H2's web console.
|
||||
|
@ -50,7 +41,6 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
|
|||
@ConditionalOnClass(WebServlet.class)
|
||||
@ConditionalOnProperty(prefix = "spring.h2.console", name = "enabled", havingValue = "true", matchIfMissing = false)
|
||||
@EnableConfigurationProperties(H2ConsoleProperties.class)
|
||||
@AutoConfigureAfter(SecurityAutoConfiguration.class)
|
||||
public class H2ConsoleAutoConfiguration {
|
||||
|
||||
private final H2ConsoleProperties properties;
|
||||
|
@ -75,37 +65,4 @@ public class H2ConsoleAutoConfiguration {
|
|||
return registration;
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
|
||||
@ConditionalOnBean(ObjectPostProcessor.class)
|
||||
@ConditionalOnProperty(prefix = "security.basic", name = "enabled", matchIfMissing = true)
|
||||
static class H2ConsoleSecurityConfiguration {
|
||||
|
||||
@Bean
|
||||
public WebSecurityConfigurerAdapter h2ConsoleSecurityConfigurer() {
|
||||
return new H2ConsoleSecurityConfigurer();
|
||||
}
|
||||
|
||||
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
|
||||
private static class H2ConsoleSecurityConfigurer
|
||||
extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Autowired
|
||||
private H2ConsoleProperties console;
|
||||
|
||||
@Override
|
||||
public void configure(HttpSecurity http) throws Exception {
|
||||
String path = this.console.getPath();
|
||||
String antPattern = (path.endsWith("/") ? path + "**" : path + "/**");
|
||||
HttpSecurity h2Console = http.antMatcher(antPattern);
|
||||
h2Console.csrf().disable();
|
||||
h2Console.httpBasic();
|
||||
h2Console.headers().frameOptions().sameOrigin();
|
||||
http.authorizeRequests().anyRequest().authenticated();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
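Review bot: With the nested `H2ConsoleSecurityConfiguration` gone, nothing in this class states how the console servlet is protected, and the class Javadoc on `H2ConsoleAutoConfiguration` should say so. The removed configurer required authentication on the console path, disabled CSRF there and set `frameOptions().sameOrigin()`; after this change those settings presumably have to come from the application's own security configuration, which the visible lines do not show. I would add a Javadoc sentence such as `Access to the console path is not secured by this auto-configuration; applications using Spring Security must protect it themselves.` The test class deleted in the next section asserted a 401 for a request without a principal, and no replacement appears in this commit, so a test pinning the intended behaviour for unauthenticated requests would help. The class body starts outside the hunk.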
|
||||
|
|
|
@ -1,89 +0,0 @@
|
|||
/*
|
||||
* Copyright 2012-2017 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.autoconfigure.h2;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.autoconfigure.h2.H2ConsoleAutoConfigurationIntegrationTests.TestConfiguration;
|
||||
import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.test.annotation.DirtiesContext;
|
||||
import org.springframework.test.context.ContextConfiguration;
|
||||
import org.springframework.test.context.TestPropertySource;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
import org.springframework.test.context.web.WebAppConfiguration;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.context.WebApplicationContext;
|
||||
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
|
||||
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
/**
|
||||
* Integration tests for {@link H2ConsoleAutoConfiguration}
|
||||
*
|
||||
* @author Andy Wilkinson
|
||||
*/
|
||||
@RunWith(SpringRunner.class)
|
||||
@DirtiesContext
|
||||
@WebAppConfiguration
|
||||
@ContextConfiguration(classes = TestConfiguration.class)
|
||||
@TestPropertySource(properties = "spring.h2.console.enabled:true")
|
||||
public class H2ConsoleAutoConfigurationIntegrationTests {
|
||||
|
||||
@Autowired
|
||||
private WebApplicationContext context;
|
||||
|
||||
@Test
|
||||
public void noPrincipal() throws Exception {
|
||||
MockMvc mockMvc = MockMvcBuilders.webAppContextSetup(this.context)
|
||||
.apply(springSecurity()).build();
|
||||
mockMvc.perform(get("/h2-console/").accept(MediaType.APPLICATION_JSON))
|
||||
.andExpect(status().isUnauthorized());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void userPrincipal() throws Exception {
|
||||
MockMvc mockMvc = MockMvcBuilders.webAppContextSetup(this.context)
|
||||
.apply(springSecurity()).build();
|
||||
mockMvc.perform(get("/h2-console/").accept(MediaType.APPLICATION_JSON)
|
||||
.with(user("test").roles("USER"))).andExpect(status().isOk())
|
||||
.andExpect(header().string("X-Frame-Options", "SAMEORIGIN"));
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@Import({ SecurityAutoConfiguration.class, H2ConsoleAutoConfiguration.class })
|
||||
@Controller
|
||||
static class TestConfiguration {
|
||||
|
||||
@RequestMapping("/h2-console/**")
|
||||
public void mockConsole() {
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
|
@ -25,11 +25,9 @@ import org.apache.commons.logging.LogFactory;
|
|||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||
import org.springframework.boot.autoconfigure.security.SecurityProperties;
|
||||
import org.springframework.boot.autoconfigure.web.ServerProperties;
|
||||
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
||||
import org.springframework.boot.devtools.remote.server.AccessManager;
|
||||
|
@ -46,11 +44,7 @@ import org.springframework.boot.devtools.restart.server.HttpRestartServerHandler
|
|||
import org.springframework.boot.devtools.restart.server.SourceFolderUrlFilter;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.annotation.Order;
|
||||
import org.springframework.http.server.ServerHttpRequest;
|
||||
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
|
||||
/**
|
||||
* {@link EnableAutoConfiguration Auto-configuration} for remote development support.
|
||||
|
@ -143,31 +137,4 @@ public class RemoteDevToolsAutoConfiguration {
|
|||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
|
||||
@ConditionalOnBean(ObjectPostProcessor.class)
|
||||
static class RemoteDevToolsSecurityConfiguration {
|
||||
|
||||
@Bean
|
||||
public RemoteRestartWebSecurityConfigurer remoteRestartWebSecurityConfigurer() {
|
||||
return new RemoteRestartWebSecurityConfigurer();
|
||||
}
|
||||
|
||||
@Order(SecurityProperties.IGNORED_ORDER + 2)
|
||||
static class RemoteRestartWebSecurityConfigurer
|
||||
extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Autowired
|
||||
private DevToolsProperties properties;
|
||||
|
||||
@Override
|
||||
public void configure(HttpSecurity http) throws Exception {
|
||||
http.antMatcher(this.properties.getRemote().getContextPath() + "/**");
|
||||
http.csrf().disable();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
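Review bot: After the removal of `RemoteDevToolsSecurityConfiguration`, the remote endpoints under `getRemote().getContextPath()` no longer have a dedicated configurer, and the class Javadoc should document what now guards them. The removed configurer only scoped a filter chain to that path and disabled CSRF, so with Spring Security present the application's own chain presumably applies to remote restart requests; whether they still pass is not visible here. I would add a Javadoc sentence such as `When Spring Security is on the classpath, the application's security configuration applies to the remote context path; access is otherwise restricted only by the configured AccessManager.` The second half of that sentence should be confirmed against the handler code, which lies outside this hunk.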
|
||||
|
|