From 71acc90da82eafb06f1ad56d785b3b3e4d104283 Mon Sep 17 00:00:00 2001
From: Madhura Bhave
Date: Mon, 22 Nov 2021 16:05:54 -0800
Subject: [PATCH] Simplify SecurityAutoConfiguration

Closes gh-28851
---
 .../ErrorPageSecurityFilterConfiguration.java | 52 ------------
 .../servlet/SecurityAutoConfiguration.java | 3 +-
 .../SpringBootWebSecurityConfiguration.java | 82 ++++++++++++++++---
 .../WebSecurityEnablerConfiguration.java | 43 ----------
 4 files changed, 70 insertions(+), 110 deletions(-)
 delete mode 100644 spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/ErrorPageSecurityFilterConfiguration.java
 delete mode 100644 spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/WebSecurityEnablerConfiguration.java
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/ErrorPageSecurityFilterConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/ErrorPageSecurityFilterConfiguration.java
deleted file mode 100644
index 6d303239425..00000000000
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/ErrorPageSecurityFilterConfiguration.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright 2012-2021 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.boot.autoconfigure.security.servlet;
-
-import java.util.EnumSet;
-
-import javax.servlet.DispatcherType;
-
-import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter;
-import org.springframework.context.ApplicationContext;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
-
-/**
- * Configures the {@link ErrorPageSecurityFilter}.
- *
- * @author Madhura Bhave
- */
-@Configuration(proxyBeanMethods = false)
-@ConditionalOnClass(WebInvocationPrivilegeEvaluator.class)
-@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
-class ErrorPageSecurityFilterConfiguration {
-
- @Bean
- @ConditionalOnBean(WebInvocationPrivilegeEvaluator.class)
- FilterRegistrationBean errorPageSecurityInterceptor(ApplicationContext context) {
- FilterRegistrationBean registration = new FilterRegistrationBean<>(
- new ErrorPageSecurityFilter(context));
- registration.setDispatcherTypes(EnumSet.of(DispatcherType.ERROR));
- return registration;
- }
-
-}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfiguration.java
index aedbb97be5a..d5490ebeb1d 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfiguration.java
@@ -40,8 +40,7 @@ import org.springframework.security.authentication.DefaultAuthenticationEventPub
 @AutoConfiguration
 @ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
 @EnableConfigurationProperties(SecurityProperties.class)
-@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
- SecurityDataConfiguration.class, ErrorPageSecurityFilterConfiguration.class })
+@Import({ SpringBootWebSecurityConfiguration.class, SecurityDataConfiguration.class })
 public class SecurityAutoConfiguration {
 @Bean
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java
index a15d22efaf6..f389cb3d356 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java
@@ -16,38 +16,94 @@ package org.springframework.boot.autoconfigure.security.servlet; +import java.util.EnumSet; + +import javax.servlet.DispatcherType; + +import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; +import org.springframework.boot.autoconfigure.condition.ConditionalOnClass; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication; import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type; import org.springframework.boot.autoconfigure.security.ConditionalOnDefaultWebSecurity; import org.springframework.boot.autoconfigure.security.SecurityProperties; +import org.springframework.boot.web.servlet.FilterRegistrationBean; +import org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter; +import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; +import org.springframework.security.config.BeanIds; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator; /** - * The default configuration for web security. It relies on Spring Security's - * content-negotiation strategy to determine what sort of authentication to use. 
If the - * user specifies their own - * {@link org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter} - * or {@link SecurityFilterChain} bean, this will back-off completely and the users should - * specify all the bits that they want to configure as part of the custom security - * configuration. + * {@link Configuration @Configuration} class securing servlet applications. * * @author Madhura Bhave */ @Configuration(proxyBeanMethods = false) -@ConditionalOnDefaultWebSecurity @ConditionalOnWebApplication(type = Type.SERVLET) @SuppressWarnings("deprecation") class SpringBootWebSecurityConfiguration { - @Bean - @Order(SecurityProperties.BASIC_AUTH_ORDER) - SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception { - http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic(); - return http.build(); + /** + * The default configuration for web security. It relies on Spring Security's + * content-negotiation strategy to determine what sort of authentication to use. If + * the user specifies their own {@link WebSecurityConfigurerAdapter} or + * {@link SecurityFilterChain} bean, this will back-off completely and the users + * should specify all the bits that they want to configure as part of the custom + * security configuration. + */ + @Configuration(proxyBeanMethods = false) + @ConditionalOnDefaultWebSecurity + static class SecurityFilterChainConfiguration { + + @Bean + @Order(SecurityProperties.BASIC_AUTH_ORDER) + SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception { + http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic(); + return http.build(); + } + + } + + /** + * Configures the {@link ErrorPageSecurityFilter}. 
+ */ + @Configuration(proxyBeanMethods = false) + @ConditionalOnClass(WebInvocationPrivilegeEvaluator.class) + @ConditionalOnBean(WebInvocationPrivilegeEvaluator.class) + static class ErrorPageSecurityFilterConfiguration { + + @Bean + FilterRegistrationBean errorPageSecurityFilter(ApplicationContext context) { + FilterRegistrationBean registration = new FilterRegistrationBean<>( + new ErrorPageSecurityFilter(context)); + registration.setDispatcherTypes(EnumSet.of(DispatcherType.ERROR)); + return registration; + } + + } + + /** + * Adds the{@link EnableWebSecurity @EnableWebSecurity} annotation if Spring Security + * is on the classpath. This will make sure that the annotation is present with + * default security auto-configuration and also if the user adds custom security and + * forgets to add the annotation. If {@link EnableWebSecurity @EnableWebSecurity} has + * already been added or if a bean with name + * {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has been configured by the user, this + * will back-off. + */ + @Configuration(proxyBeanMethods = false) + @ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN) + @ConditionalOnClass(EnableWebSecurity.class) + @EnableWebSecurity + static class WebSecurityEnablerConfiguration { + } } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/WebSecurityEnablerConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/WebSecurityEnablerConfiguration.java deleted file mode 100644 index c78de091844..00000000000 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/WebSecurityEnablerConfiguration.java +++ /dev/null 
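Review bot: In SpringBootWebSecurityConfiguration.java the nested `ErrorPageSecurityFilterConfiguration` carries a class-level `@ConditionalOnBean(WebInvocationPrivilegeEvaluator.class)` whose outcome depends on registration order, and nothing in the new code pins or documents that order. The removed `@Import` list named `WebSecurityEnablerConfiguration` ahead of `ErrorPageSecurityFilterConfiguration`, while here the enabler is declared last; if the evaluator bean is contributed through `@EnableWebSecurity` (not visible in this diff, so to be confirmed) and the nested classes are processed in a different order, the condition does not match and ERROR dispatches are served without the filter, with no startup failure to signal it. A test asserting that the `errorPageSecurityFilter` registration is present under the default auto-configuration would catch that, together with a comment on the class such as `// Requires the WebInvocationPrivilegeEvaluator definition to be registered before this condition is evaluated`. Separately, renaming the bean method from `errorPageSecurityInterceptor` to `errorPageSecurityFilter` changes the bean name for applications that referenced or replaced it by name, which the commit message does not mention.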
@@ -1,43 +0,0 @@
-/*
- * Copyright 2012-2020 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.boot.autoconfigure.security.servlet;
-
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.BeanIds;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-
-/**
- * Adds the{@link EnableWebSecurity @EnableWebSecurity} annotation if Spring Security is
- * on the classpath. This will make sure that the annotation is present with default
- * security auto-configuration and also if the user adds custom security and forgets to
- * add the annotation. If {@link EnableWebSecurity @EnableWebSecurity} has already been
- * added or if a bean with name {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has been
- * configured by the user, this will back-off.
- *
- * @author Madhura Bhave
- */
-@Configuration(proxyBeanMethods = false)
-@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
-@ConditionalOnClass(EnableWebSecurity.class)
-@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
-@EnableWebSecurity
-class WebSecurityEnablerConfiguration {
-
-}