Fix secure method configuration global authentication
This fixes a bug in the sample, where the AuthenticationManager it builds is a local one for the filter chain containing "/login", whereas it was expecting to override the Boot default, which is "global". The fix is to extract the authentication configuration out into a GlobalAuthenticationConfigurerAdapter. Fixes gh-699
This commit is contained in:
@@ -23,10 +23,12 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
|
||||
import org.springframework.boot.builder.SpringApplicationBuilder;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.ComponentScan;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.Ordered;
|
||||
import org.springframework.core.annotation.Order;
|
||||
import org.springframework.security.access.annotation.Secured;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
|
||||
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
@@ -70,17 +72,22 @@ public class SampleMethodSecurityApplication extends WebMvcConfigurerAdapter {
|
||||
return new ApplicationSecurity();
|
||||
}
|
||||
|
||||
@Order(Ordered.LOWEST_PRECEDENCE - 8)
|
||||
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Order(Ordered.HIGHEST_PRECEDENCE)
|
||||
@Configuration
|
||||
protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
public void init(AuthenticationManagerBuilder auth) throws Exception {
|
||||
// @formatter:off
|
||||
auth.inMemoryAuthentication().withUser("admin").password("admin")
|
||||
.roles("ADMIN", "USER").and().withUser("user").password("user")
|
||||
.roles("USER");
|
||||
// @formatter:on
|
||||
}
|
||||
}
|
||||
|
||||
@Order(Ordered.LOWEST_PRECEDENCE - 8)
|
||||
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
|
||||
Reference in New Issue
Block a user