Add a @EnableWebSecurity if it looks like the user needs one
If the user explicitly disables the basic security features and forgets to add @EnableWebSecurity, and yet still wants a bean of type WebSecurityConfigurerAdapter, he is trying to use a custom security setup, and the app would fail in a confusing way without this change. Fixes gh-568
parent
60fe468af9
commit
809a5a711f
|
|
@ -17,13 +17,18 @@
|
||||||
package org.springframework.boot.autoconfigure.security;
|
package org.springframework.boot.autoconfigure.security;
|
||||||
|
|
||||||
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
|
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
|
||||||
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
|
||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
|
||||||
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
|
||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
||||||
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
|
||||||
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.context.annotation.Import;
|
import org.springframework.context.annotation.Import;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
|
||||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -52,4 +57,23 @@ public class SecurityAutoConfiguration {
|
||||||
return new SecurityProperties();
|
return new SecurityProperties();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* If the user explicitly disables the basic security features and forgets to
|
||||||
|
* <code>@EnableWebSecurity</code>, and yet still wants a bean of type
|
||||||
|
* WebSecurityConfigurerAdapter, he is trying to use a custom security setup. The app
|
||||||
|
* would fail in a confusing way without this shim configuration, which just helpfully
|
||||||
|
* defines an empty <code>@EnableWebSecurity</code>.
|
||||||
|
*
|
||||||
|
* @author Dave Syer
|
||||||
|
*/
|
||||||
|
@ConditionalOnExpression("!${security.basic.enabled:true}")
|
||||||
|
@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
|
||||||
|
@ConditionalOnClass(EnableWebSecurity.class)
|
||||||
|
@ConditionalOnMissingBean(WebSecurityConfiguration.class)
|
||||||
|
@ConditionalOnWebApplication
|
||||||
|
@EnableWebSecurity
|
||||||
|
protected static class EmptyWebSecurityConfiguration {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
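Review bot: The Javadoc on `EmptyWebSecurityConfiguration` explains why the shim exists but not what protection is left once it activates, which matters because it only applies when `security.basic.enabled` is false and its body is empty. The class contributes no access rules of its own, so every restriction has to come from the user's `WebSecurityConfigurerAdapter` bean. I would add a line such as `* This class adds no access rules; with basic security disabled, all request protection comes from the user's WebSecurityConfigurerAdapter.` The `@ConditionalOnBean`/`@ConditionalOnMissingBean` pair presumably relies on user configuration being registered before this auto-configuration is evaluated. The enclosing class starts outside the hunk, so that ordering cannot be confirmed from here.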
|
||||||
|
|
|
||||||
|
|
@ -35,7 +35,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter
|
||||||
@EnableAutoConfiguration
|
@EnableAutoConfiguration
|
||||||
@ComponentScan
|
@ComponentScan
|
||||||
@Controller
|
@Controller
|
||||||
public class SampleSecureApplication extends WebMvcConfigurerAdapter {
|
public class SampleWebSecureApplication extends WebMvcConfigurerAdapter {
|
||||||
|
|
||||||
@RequestMapping("/")
|
@RequestMapping("/")
|
||||||
public String home(Map<String, Object> model) {
|
public String home(Map<String, Object> model) {
|
||||||
|
|
@ -52,7 +52,7 @@ public class SampleSecureApplication extends WebMvcConfigurerAdapter {
|
||||||
|
|
||||||
public static void main(String[] args) throws Exception {
|
public static void main(String[] args) throws Exception {
|
||||||
// Set user password to "password" for demo purposes only
|
// Set user password to "password" for demo purposes only
|
||||||
new SpringApplicationBuilder(SampleSecureApplication.class).properties("security.user.password=password").run(
|
new SpringApplicationBuilder(SampleWebSecureApplication.class).properties("security.user.password=password").run(
|
||||||
args);
|
args);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1,2 +1,3 @@
|
||||||
spring.thymeleaf.cache: false
|
spring.thymeleaf.cache: false
|
||||||
debug: true
|
debug: true
|
||||||
|
security.basic.enabled: false
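Review bot: `security.basic.enabled: false` is added without a comment, and in a sample that people copy this switches off the default basic-auth protection. The sample presumably supplies its own `WebSecurityConfigurerAdapter` (not visible in these hunks), so the line should say so, e.g. `# Basic security is disabled because this application defines its own WebSecurityConfigurerAdapter`. Without that hint a reader could carry the setting into an application that has no replacement configuration.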
|
||||||
|
|
@ -42,7 +42,7 @@ import static org.junit.Assert.assertTrue;
|
||||||
* @author Dave Syer
|
* @author Dave Syer
|
||||||
*/
|
*/
|
||||||
@RunWith(SpringJUnit4ClassRunner.class)
|
@RunWith(SpringJUnit4ClassRunner.class)
|
||||||
@SpringApplicationConfiguration(classes = SampleSecureApplication.class)
|
@SpringApplicationConfiguration(classes = SampleWebSecureApplication.class)
|
||||||
@WebAppConfiguration
|
@WebAppConfiguration
|
||||||
@IntegrationTest
|
@IntegrationTest
|
||||||
@DirtiesContext
|
@DirtiesContext
|
||||||
|
|
|
||||||