Add a @EnableWebSecurity if it looks like the user needs one

If the user explicitly disables the basic security features and forgets to @EnableWebSecurity, and yet still wants a bean of type WebSecurityConfigurerAdapter, he is trying to use a custom security setup and the app would fail in a confusing way without this change. Fixes gh-568
2014-03-25 12:16:31 +00:00 · 2014-03-25 12:16:31 +00:00 · 809a5a711f
parent 60fe468af9
commit 809a5a711f
4 changed files with 29 additions and 4 deletions
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfiguration.java
@ -17,13 +17,18 @@
 package org.springframework.boot.autoconfigure.security;

 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

 /**
@ -52,4 +57,23 @@ public class SecurityAutoConfiguration {
 		return new SecurityProperties();
 	}

+	/**
+	 * If the user explicitly disables the basic security features and forgets to
+	 * <code>@EnableWebSecurity</code>, and yet still wants a bean of type
+	 * WebSecurityConfigurerAdapter, he is trying to use a custom security setup. The app
+	 * would fail in a confusing way without this shim configuration, which just helpfully
+	 * defines an empty <code>@EnableWebSecurity</code>.
+	 * 
+	 * @author Dave Syer
+	 */
+	@ConditionalOnExpression("!${security.basic.enabled:true}")
+	@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
+	@ConditionalOnClass(EnableWebSecurity.class)
+	@ConditionalOnMissingBean(WebSecurityConfiguration.class)
+	@ConditionalOnWebApplication
+	@EnableWebSecurity
+	protected static class EmptyWebSecurityConfiguration {
+
+	}
+
 }
--- a/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java
@ -35,7 +35,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter
@EnableAutoConfiguration
@ComponentScan
@Controller
-public class SampleSecureApplication extends WebMvcConfigurerAdapter {
+public class SampleWebSecureApplication extends WebMvcConfigurerAdapter {

 	@RequestMapping("/")
 	public String home(Map<String, Object> model) {
@ -52,7 +52,7 @@ public class SampleSecureApplication extends WebMvcConfigurerAdapter {

 	public static void main(String[] args) throws Exception {
 		// Set user password to "password" for demo purposes only
-		new SpringApplicationBuilder(SampleSecureApplication.class).properties("security.user.password=password").run(
+		new SpringApplicationBuilder(SampleWebSecureApplication.class).properties("security.user.password=password").run(
 				args);
 	}

--- a/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/application.properties
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/application.properties
@ -1,2 +1,3 @@
 spring.thymeleaf.cache: false
-debug: true
+debug: true
+security.basic.enabled: false
--- a/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java
@ -42,7 +42,7 @@ import static org.junit.Assert.assertTrue;
 * @author Dave Syer
 */
@RunWith(SpringJUnit4ClassRunner.class)
-@SpringApplicationConfiguration(classes = SampleSecureApplication.class)
+@SpringApplicationConfiguration(classes = SampleWebSecureApplication.class)
@WebAppConfiguration
@IntegrationTest
@DirtiesContext