Merge branch '2.7.x' into main

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/ErrorPageSecurityFilterConfiguration.java

@@ -1,52 +0,0 @@
-/*
- * Copyright 2012-2021 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.boot.autoconfigure.security.servlet;
-
-import java.util.EnumSet;
-
-import jakarta.servlet.DispatcherType;
-
-import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter;
-import org.springframework.context.ApplicationContext;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
-
-/**
- * Configures the {@link ErrorPageSecurityFilter}.
- *
- * @author Madhura Bhave
- */
-@Configuration(proxyBeanMethods = false)
-@ConditionalOnClass(WebInvocationPrivilegeEvaluator.class)
-@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
-class ErrorPageSecurityFilterConfiguration {
-
-	@Bean
-	@ConditionalOnBean(WebInvocationPrivilegeEvaluator.class)
-	FilterRegistrationBean<ErrorPageSecurityFilter> errorPageSecurityInterceptor(ApplicationContext context) {
-		FilterRegistrationBean<ErrorPageSecurityFilter> registration = new FilterRegistrationBean<>(
-				new ErrorPageSecurityFilter(context));
-		registration.setDispatcherTypes(EnumSet.of(DispatcherType.ERROR));
-		return registration;
-	}
-
-}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfiguration.java

@@ -40,8 +40,7 @@ import org.springframework.security.authentication.DefaultAuthenticationEventPub
 @AutoConfiguration
 @ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
 @EnableConfigurationProperties(SecurityProperties.class)
-@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
+@Import({ SpringBootWebSecurityConfiguration.class, SecurityDataConfiguration.class })
-		SecurityDataConfiguration.class, ErrorPageSecurityFilterConfiguration.class })
 public class SecurityAutoConfiguration {
 
 	@Bean

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java

@@ -16,38 +16,94 @@
 
 package org.springframework.boot.autoconfigure.security.servlet;
 
+import java.util.EnumSet;
+
+import jakarta.servlet.DispatcherType;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.autoconfigure.security.ConditionalOnDefaultWebSecurity;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter;
+import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
+import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 
 /**
- * The default configuration for web security. It relies on Spring Security's
+ * {@link Configuration @Configuration} class securing servlet applications.
- * content-negotiation strategy to determine what sort of authentication to use. If the
- * user specifies their own
- * {@link org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter}
- * or {@link SecurityFilterChain} bean, this will back-off completely and the users should
- * specify all the bits that they want to configure as part of the custom security
- * configuration.
  *
  * @author Madhura Bhave
  */
 @Configuration(proxyBeanMethods = false)
-@ConditionalOnDefaultWebSecurity
 @ConditionalOnWebApplication(type = Type.SERVLET)
 @SuppressWarnings("deprecation")
 class SpringBootWebSecurityConfiguration {
 
-	@Bean
+	/**
-	@Order(SecurityProperties.BASIC_AUTH_ORDER)
+	 * The default configuration for web security. It relies on Spring Security's
-	SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
+	 * content-negotiation strategy to determine what sort of authentication to use. If
-		http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
+	 * the user specifies their own {@link WebSecurityConfigurerAdapter} or
-		return http.build();
+	 * {@link SecurityFilterChain} bean, this will back-off completely and the users
+	 * should specify all the bits that they want to configure as part of the custom
+	 * security configuration.
+	 */
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnDefaultWebSecurity
+	static class SecurityFilterChainConfiguration {
+
+		@Bean
+		@Order(SecurityProperties.BASIC_AUTH_ORDER)
+		SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
+			http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
+			return http.build();
+		}
+
+	}
+
+	/**
+	 * Configures the {@link ErrorPageSecurityFilter}.
+	 */
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnClass(WebInvocationPrivilegeEvaluator.class)
+	@ConditionalOnBean(WebInvocationPrivilegeEvaluator.class)
+	static class ErrorPageSecurityFilterConfiguration {
+
+		@Bean
+		FilterRegistrationBean<ErrorPageSecurityFilter> errorPageSecurityFilter(ApplicationContext context) {
+			FilterRegistrationBean<ErrorPageSecurityFilter> registration = new FilterRegistrationBean<>(
+					new ErrorPageSecurityFilter(context));
+			registration.setDispatcherTypes(EnumSet.of(DispatcherType.ERROR));
+			return registration;
+		}
+
+	}
+
+	/**
+	 * Adds the{@link EnableWebSecurity @EnableWebSecurity} annotation if Spring Security
+	 * is on the classpath. This will make sure that the annotation is present with
+	 * default security auto-configuration and also if the user adds custom security and
+	 * forgets to add the annotation. If {@link EnableWebSecurity @EnableWebSecurity} has
+	 * already been added or if a bean with name
+	 * {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has been configured by the user, this
+	 * will back-off.
+	 */
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
+	@ConditionalOnClass(EnableWebSecurity.class)
+	@EnableWebSecurity
+	static class WebSecurityEnablerConfiguration {
+
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/WebSecurityEnablerConfiguration.java

@@ -1,43 +0,0 @@
-/*
- * Copyright 2012-2020 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.boot.autoconfigure.security.servlet;
-
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.BeanIds;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-
-/**
- * Adds the{@link EnableWebSecurity @EnableWebSecurity} annotation if Spring Security is
- * on the classpath. This will make sure that the annotation is present with default
- * security auto-configuration and also if the user adds custom security and forgets to
- * add the annotation. If {@link EnableWebSecurity @EnableWebSecurity} has already been
- * added or if a bean with name {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has been
- * configured by the user, this will back-off.
- *
- * @author Madhura Bhave
- */
-@Configuration(proxyBeanMethods = false)
-@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
-@ConditionalOnClass(EnableWebSecurity.class)
-@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
-@EnableWebSecurity
-class WebSecurityEnablerConfiguration {
-
-}