Commit Graph

17 Commits

Author SHA1 Message Date
Andy Wilkinson
66b55defa0 Adapt to password encoder changes in Spring Security
Closes gh-10762
2017-10-24 21:50:19 +01:00
Madhura Bhave
8600bd7294 Upgrade to Spring Security 5.0.0.BUILD-SNAPSHOT
Following some changes in the latest snapshot this includes:
- Some updates to oauth2 client auto-config
- Security auto-config no longer relies on GlobalAuthenticationConfigurerAdapter
- Remove reactive security starter

Closes gh-10704
2017-10-19 15:39:01 -07:00
Phillip Webb
46dfe38b60 Rework security request matchers
Update the security request matchers so that a bean is no longer needed
when the matcher is used. Matchers can now be build by starting from
the `EndpointRequest` or `StaticResourceRequest` classes. For example:

http.authorizeRequests()
  .requestMatchers(EndpointRequest.to("status", "info")).permitAll()
  .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
  .requestMatchers(StaticResourceRequest.toCommonLocations()).permitAll()

Closes gh-7958
2017-09-12 00:11:29 -07:00
Phillip Webb
0f99b29b1a Temporarily remove security matchers
Temporarily back out `SpringBootSecurity` to enable easier
package refactoring.

See gh-10261
2017-09-12 00:02:34 -07:00
Phillip Webb
ecb8461e8c Manually format security configuration
Update security configuration formatting to follow conventions
recommended in the Spring Security documentation.

See gh-7958
2017-09-11 23:58:52 -07:00
Phillip Webb
2c97d3a5e9 Polish 2017-08-29 15:59:32 -07:00
Madhura Bhave
e08ddbf838 Rework security autoconfiguration
This commit combines security autoconfigurations for
management endpoints and the rest of the application. By default,
if Spring Security is on the classpath, it turns on @EnableWebSecurity.
In the presence of another WebSecurityConfigurerAdapter this backs off
completely. A default AuthenticationManager is also provided with a user
and generated password. This can be turned off by specifying a bean of
type AuthenticationManager, AuthenticationProvider or UserDetailsService.

Closes gh-7958
2017-08-27 23:15:18 -07:00
Phillip Webb
06558675bb Polish 2017-04-25 09:45:14 -07:00
Madhura Bhave
c2e5fd031a Replace usage of WebMvcConfigurerAdapter
Closes gh-8964
2017-04-24 15:31:39 -07:00
Phillip Webb
6121208cbb Polish formatting 2016-12-19 12:47:03 -08:00
Madhura Bhave
1be5812cf0 Require ACTUATOR role rather than ADMIN
Update management security to require an `ACTUATOR` role rather than
`ADMIN` by default. This should reduce the risk of users accidentally
exposing actuator endpoints because they happen to use a role named
`ADMIN`.

Fixes gh-7569
2016-12-05 17:58:16 -08:00
Andy Wilkinson
46e03529fb Remove redundant bean declarations from some of the security samples
Closes gh-6740
2016-08-24 17:34:29 +01:00
Andy Wilkinson
3348ed5bb3 Make use of new GetMapping and PostMapping annotations
Closes gh-5277
2016-05-09 17:08:16 +01:00
Phillip Webb
95c4cdbedc Fix packages and annotations used in sample
Update a few of the samples to correct the packages used in tests and
to make use of the `@SpringBootApplication` annotation.
2016-02-22 10:29:43 -08:00
Phillip Webb
e473364e4e Merge branch '1.2.x' 2015-10-07 23:34:08 -07:00
Phillip Webb
61fc4f3f12 Polish copyright headers 2015-06-23 10:22:14 -07:00
Phillip Webb
1ce617f1ae Polish sample package names 2015-06-23 00:47:12 -07:00