Adjust security.basic.enabled=false behaviour

Actually the web-secure sample is misusing
security.basic.enabled=false (IMO) - it should be a flag
to say that you want to temporarily disable the basic security
fallback on application endpoins, not  way to disable all
security autoconfiguration.

Added test case to web-secure sample to ensure a user
can log in.

Fixes gh-979
This commit is contained in:
Dave Syer
2014-05-29 13:20:20 +01:00
parent b1969f5095
commit 5e3cc95ccf
11 changed files with 149 additions and 62 deletions

View File

@@ -19,6 +19,7 @@ package sample.ui.secure;
import java.util.Date;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.builder.SpringApplicationBuilder;
@@ -36,7 +37,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter
@ComponentScan
@Controller
public class SampleWebSecureApplication extends WebMvcConfigurerAdapter {
@RequestMapping("/")
public String home(Map<String, Object> model) {
model.put("message", "Hello World");
@@ -51,9 +52,7 @@ public class SampleWebSecureApplication extends WebMvcConfigurerAdapter {
}
public static void main(String[] args) throws Exception {
// Set user password to "password" for demo purposes only
new SpringApplicationBuilder(SampleWebSecureApplication.class).properties(
"security.user.password=password").run(args);
new SpringApplicationBuilder(SampleWebSecureApplication.class).run(args);
}
@Override
@@ -68,8 +67,16 @@ public class SampleWebSecureApplication extends WebMvcConfigurerAdapter {
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private SecurityProperties security;
@Override
protected void configure(HttpSecurity http) throws Exception {
if (!security.isEnableCsrf()) {
// For testing
http.csrf().disable();
}
http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin()
.loginPage("/login").failureUrl("/login?error").permitAll();
}