Commit Graph

6 Commits

Author SHA1 Message Date
Dave Syer
1d7caf8e31 Man up and deal with CSRF in integration test
Fixes gh-979
2014-05-30 08:21:57 +01:00
Dave Syer
5e3cc95ccf Adjust security.basic.enabled=false behaviour
Actually the web-secure sample is misusing
security.basic.enabled=false (IMO) - it should be a flag
to say that you want to temporarily disable the basic security
fallback on application endpoins, not  way to disable all
security autoconfiguration.

Added test case to web-secure sample to ensure a user
can log in.

Fixes gh-979
2014-05-29 13:25:01 +01:00
Phillip Webb
8bcda1bcbe Polish 2014-05-20 18:26:56 +01:00
Dave Syer
14d3b46809 Add constants to SecurityProperties and ManagementServerProperties
For the convenience of users who want to selectively override the
access rules in an application without taking complete control of the
security configuration we now have some constants:

* SecurityProperties.ACCESS_OVERRIDE_ORDER for overriding just the
application endpoint access rules

* ManagementServerProperties.ACCESS_OVERRIDE_ORDER for overriding the
application endpoint and management endpoint access rules

Fixes gh-803
2014-05-08 05:32:43 -07:00
Phillip Webb
beaddb2362 Polish 2014-03-26 13:29:26 -07:00
Dave Syer
809a5a711f Add a @EnableWebSecurity if it looks like the user needs one
If the user explicitly disables the basic security features and forgets to
@EnableWebSecurity, and yet still wants a bean of type
WebSecurityConfigurerAdapter, he is trying to use a custom
security setup and the app would fail in a confusing way without
this change.

Fixes gh-568
2014-03-25 12:19:56 +00:00