From 1231da1c2fa1a089cd2d0216227b383cb6ac7a29 Mon Sep 17 00:00:00 2001 From: Phillip Webb Date: Wed, 25 Feb 2015 12:36:55 -0800 Subject: [PATCH] Add security.basic.authorize-mode property Add a `security.basic.authorize-mode` property that can be used to affect how basic security authorization is applied. Fixes gh-2462 --- .../security/SecurityAuthorizeMode.java | 42 +++++++++++++++++++ .../security/SecurityProperties.java | 13 ++++++ .../SpringBootWebSecurityConfiguration.java | 10 ++++- ...ringBootWebSecurityConfigurationTests.java | 33 ++++++++++++++- .../appendix-application-properties.adoc | 1 + 5 files changed, 95 insertions(+), 4 deletions(-) create mode 100644 spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAuthorizeMode.java diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAuthorizeMode.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAuthorizeMode.java new file mode 100644 index 00000000000..33a66eef5a2 --- /dev/null +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAuthorizeMode.java @@ -0,0 +1,42 @@ +/* + * Copyright 2012-2015 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.boot.autoconfigure.security; + +/** + * Security authorization modes as specified in {@link SecurityProperties}. + * + * @author Phillip Webb + * @since 1.2.2 + */ +public enum SecurityAuthorizeMode { + + /** + * Must be a member of one of the security roles. + */ + ROLE, + + /** + * Must be an authenticated user. + */ + AUTHENTICATED, + + /** + * No security authorization is setup. + */ + NONE + +} diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java index edf396ba459..7271bc85eef 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java @@ -238,6 +238,11 @@ public class SecurityProperties implements SecurityPrerequisite { */ private String[] path = new String[] { "/**" }; + /** + * The security authorize mode to apply. + */ + private SecurityAuthorizeMode authorizeMode = SecurityAuthorizeMode.ROLE; + public boolean isEnabled() { return this.enabled; } @@ -262,6 +267,14 @@ public class SecurityProperties implements SecurityPrerequisite { this.path = paths; } + public SecurityAuthorizeMode getAuthorizeMode() { + return this.authorizeMode; + } + + public void setAuthorizeMode(SecurityAuthorizeMode authorizeMode) { + this.authorizeMode = authorizeMode; + } + } public static class User { diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java index 0bd3b5b91c5..fcd61541d6f 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java @@ -252,8 +252,14 @@ public class SpringBootWebSecurityConfiguration { http.exceptionHandling().authenticationEntryPoint(entryPoint); http.httpBasic().authenticationEntryPoint(entryPoint); http.requestMatchers().antMatchers(paths); - String[] role = this.security.getUser().getRole().toArray(new String[0]); - http.authorizeRequests().anyRequest().hasAnyRole(role); + String[] roles = this.security.getUser().getRole().toArray(new String[0]); + SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode(); + if (mode == null || mode == SecurityAuthorizeMode.ROLE) { + http.authorizeRequests().anyRequest().hasAnyRole(roles); + } + else if (mode == SecurityAuthorizeMode.AUTHENTICATED) { + http.authorizeRequests().anyRequest().authenticated(); + } } } diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java index 6a61f040642..9dda84a0f6c 100644 --- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java +++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java @@ -103,6 +103,37 @@ public class SpringBootWebSecurityConfigurationTests { Matchers.containsString("realm=\"Spring\""))); } + @Test + public void testWebConfigurationFilterChainUnauthenticatedWithAuthorizeModeNone() + throws Exception { + this.context = SpringApplication.run(VanillaWebConfiguration.class, + "--server.port=0", "--security.basic.authorize-mode=none"); + MockMvc mockMvc = MockMvcBuilders + .webAppContextSetup((WebApplicationContext) this.context) + .addFilters( + this.context.getBean("springSecurityFilterChain", Filter.class)) + .build(); + mockMvc.perform(MockMvcRequestBuilders.get("/")).andExpect( + MockMvcResultMatchers.status().isNotFound()); + } + + @Test + public void testWebConfigurationFilterChainUnauthenticatedWithAuthorizeModeAuthenticated() + throws Exception { + this.context = SpringApplication.run(VanillaWebConfiguration.class, + "--server.port=0", "--security.basic.authorize-mode=authenticated"); + MockMvc mockMvc = MockMvcBuilders + .webAppContextSetup((WebApplicationContext) this.context) + .addFilters( + this.context.getBean("springSecurityFilterChain", Filter.class)) + .build(); + mockMvc.perform(MockMvcRequestBuilders.get("/")) + .andExpect(MockMvcResultMatchers.status().isUnauthorized()) + .andExpect( + MockMvcResultMatchers.header().string("www-authenticate", + Matchers.containsString("realm=\"Spring\""))); + } + @Test public void testWebConfigurationFilterChainBadCredentials() throws Exception { this.context = SpringApplication.run(VanillaWebConfiguration.class, @@ -164,10 +195,8 @@ public class SpringBootWebSecurityConfigurationTests { @Autowired public void init(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off auth.inMemoryAuthentication().withUser("dave").password("secret") .roles("USER"); - // @formatter:on } @Override diff --git a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc index 039a7e5747d..c06a2559e52 100644 --- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc +++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc @@ -211,6 +211,7 @@ content into your application; rather pick only the properties that you need. security.basic.enabled=true security.basic.realm=Spring security.basic.path= # /** + security.basic.authorize-mode= # ROLE, AUTHENTICATED, NONE security.filter-order=0 security.headers.xss=false security.headers.cache=false