Better implementation of ignores in security config
This commit is contained in:
@@ -22,6 +22,8 @@ import java.util.LinkedHashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
@@ -46,6 +48,7 @@ import org.springframework.security.authentication.AuthenticationManager;
|
||||
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
|
||||
import org.springframework.security.authentication.ProviderManager;
|
||||
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||
import org.springframework.security.config.annotation.SecurityConfigurer;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
@@ -98,9 +101,6 @@ import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
||||
@EnableConfigurationProperties
|
||||
public class SecurityAutoConfiguration {
|
||||
|
||||
private static List<String> DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**",
|
||||
"/images/**", "/**/favicon.ico");
|
||||
|
||||
private static final String[] NO_PATHS = new String[0];
|
||||
|
||||
@Bean(name = "org.springframework.actuate.properties.SecurityProperties")
|
||||
@@ -129,6 +129,56 @@ public class SecurityAutoConfiguration {
|
||||
return new ManagementWebSecurityConfigurerAdapter();
|
||||
}
|
||||
|
||||
@Bean
|
||||
@ConditionalOnMissingBean({ IgnoredPathsWebSecurityConfigurerAdapter.class })
|
||||
public SecurityConfigurer<Filter, WebSecurity> ignoredPathsWebSecurityConfigurerAdapter() {
|
||||
return new IgnoredPathsWebSecurityConfigurerAdapter();
|
||||
}
|
||||
|
||||
// Get the ignored paths in early
|
||||
@Order(Ordered.HIGHEST_PRECEDENCE)
|
||||
private static class IgnoredPathsWebSecurityConfigurerAdapter implements
|
||||
SecurityConfigurer<Filter, WebSecurity> {
|
||||
|
||||
private static List<String> DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**",
|
||||
"/images/**", "/**/favicon.ico");
|
||||
|
||||
@Autowired(required = false)
|
||||
private ErrorController errorController;
|
||||
|
||||
@Autowired(required = false)
|
||||
private EndpointHandlerMapping endpointHandlerMapping;
|
||||
|
||||
@Autowired
|
||||
private SecurityProperties security;
|
||||
|
||||
@Override
|
||||
public void configure(WebSecurity builder) throws Exception {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void init(WebSecurity builder) throws Exception {
|
||||
IgnoredRequestConfigurer ignoring = builder.ignoring();
|
||||
ignoring.antMatchers(getEndpointPaths(this.endpointHandlerMapping, false));
|
||||
List<String> ignored = new ArrayList<String>(this.security.getIgnored());
|
||||
if (!this.security.getManagement().isEnabled()) {
|
||||
ignored.addAll(Arrays.asList(getEndpointPaths(
|
||||
this.endpointHandlerMapping, true)));
|
||||
}
|
||||
if (ignored.isEmpty()) {
|
||||
ignored.addAll(DEFAULT_IGNORED);
|
||||
}
|
||||
else if (ignored.contains("none")) {
|
||||
ignored.remove("none");
|
||||
}
|
||||
if (this.errorController != null) {
|
||||
ignored.add(this.errorController.getErrorPath());
|
||||
}
|
||||
ignoring.antMatchers(ignored.toArray(new String[0]));
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// Give user-supplied filters a chance to be last in line
|
||||
@Order(Ordered.LOWEST_PRECEDENCE - 5)
|
||||
private static class ApplicationWebSecurityConfigurerAdapter extends
|
||||
@@ -140,12 +190,6 @@ public class SecurityAutoConfiguration {
|
||||
@Autowired
|
||||
private AuthenticationEventPublisher authenticationEventPublisher;
|
||||
|
||||
@Autowired(required = false)
|
||||
private ErrorController errorController;
|
||||
|
||||
@Autowired(required = false)
|
||||
private EndpointHandlerMapping endpointHandlerMapping;
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
|
||||
@@ -193,26 +237,6 @@ public class SecurityAutoConfiguration {
|
||||
return entryPoint;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void configure(WebSecurity builder) throws Exception {
|
||||
IgnoredRequestConfigurer ignoring = builder.ignoring();
|
||||
List<String> ignored = new ArrayList<String>(this.security.getIgnored());
|
||||
if (!this.security.getManagement().isEnabled()) {
|
||||
ignored.addAll(Arrays.asList(getEndpointPaths(
|
||||
this.endpointHandlerMapping, true)));
|
||||
}
|
||||
if (ignored.isEmpty()) {
|
||||
ignored.addAll(DEFAULT_IGNORED);
|
||||
}
|
||||
else if (ignored.contains("none")) {
|
||||
ignored.remove("none");
|
||||
}
|
||||
if (this.errorController != null) {
|
||||
ignored.add(this.errorController.getErrorPath());
|
||||
}
|
||||
ignoring.antMatchers(ignored.toArray(new String[0]));
|
||||
}
|
||||
|
||||
@Override
|
||||
protected AuthenticationManager authenticationManager() throws Exception {
|
||||
AuthenticationManager manager = super.authenticationManager();
|
||||
@@ -268,24 +292,6 @@ public class SecurityAutoConfiguration {
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public void configure(WebSecurity builder) throws Exception {
|
||||
IgnoredRequestConfigurer ignoring = builder.ignoring();
|
||||
List<String> ignored = new ArrayList<String>();
|
||||
if (!this.security.getBasic().isEnabled()) {
|
||||
ignored.addAll(this.security.getIgnored());
|
||||
if (ignored.isEmpty()) {
|
||||
ignored.addAll(DEFAULT_IGNORED);
|
||||
}
|
||||
else if (ignored.contains("none")) {
|
||||
ignored.remove("none");
|
||||
}
|
||||
}
|
||||
ignored.addAll(Arrays.asList(getEndpointPaths(this.endpointHandlerMapping,
|
||||
false)));
|
||||
ignoring.antMatchers(ignored.toArray(new String[0]));
|
||||
}
|
||||
|
||||
private AuthenticationEntryPoint entryPoint() {
|
||||
BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
|
||||
entryPoint.setRealmName(this.security.getBasic().getRealm());
|
||||
|
||||
Reference in New Issue
Block a user