From a3b29b0e4224dbf423b50fbaad5e7ad793be6612 Mon Sep 17 00:00:00 2001
From: Dave Syer
Date: Tue, 14 Jun 2016 10:31:09 +0100
Subject: [PATCH] Add /webjars/** to default list of unsecured resources
Fixes gh-2460
---
 .../security/SpringBootWebSecurityConfiguration.java | 2 +-
 .../security/SecurityAutoConfigurationTests.java | 4 ++--
 spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
index 4a6e8536925..1358495c63f 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
@@ -88,7 +88,7 @@ import org.springframework.util.StringUtils;
 public class SpringBootWebSecurityConfiguration {
 private static List DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**",
- "/images/**", "/**/favicon.ico");
+ "/images/**", "/webjars/**", "/**/favicon.ico");
 @Bean
 @ConditionalOnMissingBean({ IgnoredPathsWebSecurityConfigurerAdapter.class })
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
index e117dcab819..8c4f534ff37 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
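Review bot: The new `"/webjars/**"` entry in `DEFAULT_IGNORED` should carry a comment saying what "ignored" means, because the docs in this patch call these paths "Ignored (insecure)" and the test counts a separate filter chain per pattern, which suggests matching requests are taken out of security handling rather than merely permitted. An application that upgrades and already maps a non-static handler under `/webjars/` would then lose authentication on it, and presumably the response headers the secured chain adds, with no configuration change. I would add above the field `// Requests matching these patterns bypass the security filters; only public static content belongs under them (override via security.ignored).` and, as a style point on the same declaration, make the field `final` since nothing visible reassigns it. The declaration begins on a context line and the class body continues outside the hunk.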
@@ -90,9 +90,9 @@ public class SecurityAutoConfigurationTests {
 PropertyPlaceholderAutoConfiguration.class);
 this.context.refresh();
 assertThat(this.context.getBean(AuthenticationManagerBuilder.class)).isNotNull();
- // 4 for static resources and one for the rest
+ // 5 for static resources and one for the rest
 assertThat(this.context.getBean(FilterChainProxy.class).getFilterChains())
- .hasSize(5);
+ .hasSize(6);
 }
 @Test
diff --git a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc
index e8bf1062b57..b668fb722c3 100644
--- a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc
+++ b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc
@@ -2181,7 +2181,7 @@ The basic features you get out of the box in a web application are:
 * An `AuthenticationManager` bean with in-memory store and a single user (see `SecurityProperties.User` for the properties of the user).
 * Ignored (insecure) paths for common static resource locations (`+/css/**+`, `+/js/**+`,
- `+/images/**+` and `+**/favicon.ico+`).
+ `+/images/**+`, `+/webjars/**+` and `+**/favicon.ico+`).
 * HTTP Basic security for all other endpoints.
 * Security events published to Spring's `ApplicationEventPublisher` (successful and unsuccessful authentication and access denied).
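Review bot: The updated assertion in the SecurityAutoConfigurationTests hunk still checks only the number of filter chains (`.hasSize(6)`), so it would pass with any fifth ignored pattern and does not pin that `/webjars/**` is the path now left unsecured. Since this changes a security default, I would add a check on the path itself, for example `assertThat(this.context.getBean(FilterChainProxy.class).getFilters("/webjars/example.js")).isEmpty();` (the path is a constructed sample), next to one showing that an unrelated path still gets a non-empty filter list. The test method begins outside the hunk, so the configuration it registers is not visible here.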