Commit Graph

12 Commits

Author SHA1 Message Date
Javier Gayoso
b7d94d1364 Optimized login form - delegated CSRF token creation to thymeleaf
Also added additional test to verify behaviour.

Fixes gh-1039
2014-06-09 10:56:01 +01:00
Dave Syer
0ccfba939e Switch to a matches-none filter for security.basic.enabled=false
There were some residual issues to do with the changes to the implementation
of security.basic.enabled=false. It was a good idea to have a filetr chain
triggered by the flag being off because it smooths the way for user-defined
filter chains to use the Boot AuthenticationManager (as a first step at least),
but it wasn't a goog idea to add any actual secuity features to that filter.
E.g. if it has HSTS then even an app like Sagan that has some secure endpoints
that it manages itself and the rest is unsecured has issues because it can't
accept connections over HTTP even on unsecure endpoints.

TODO: find a way for security.ssl_enabled=true to apply to only the user-
defined security filter (maybe not possible or worth the effort, since they
can inject a SecurityProperties if they need it?).

See gh-928
2014-06-05 07:04:07 +01:00
Dave Syer
1d7caf8e31 Man up and deal with CSRF in integration test
Fixes gh-979
2014-05-30 08:21:57 +01:00
Dave Syer
5e3cc95ccf Adjust security.basic.enabled=false behaviour
Actually the web-secure sample is misusing
security.basic.enabled=false (IMO) - it should be a flag
to say that you want to temporarily disable the basic security
fallback on application endpoins, not  way to disable all
security autoconfiguration.

Added test case to web-secure sample to ensure a user
can log in.

Fixes gh-979
2014-05-29 13:25:01 +01:00
Phillip Webb
8bcda1bcbe Polish 2014-05-20 18:26:56 +01:00
Dave Syer
14d3b46809 Add constants to SecurityProperties and ManagementServerProperties
For the convenience of users who want to selectively override the
access rules in an application without taking complete control of the
security configuration we now have some constants:

* SecurityProperties.ACCESS_OVERRIDE_ORDER for overriding just the
application endpoint access rules

* ManagementServerProperties.ACCESS_OVERRIDE_ORDER for overriding the
application endpoint and management endpoint access rules

Fixes gh-803
2014-05-08 05:32:43 -07:00
Phillip Webb
beaddb2362 Polish 2014-03-26 13:29:26 -07:00
Dave Syer
809a5a711f Add a @EnableWebSecurity if it looks like the user needs one
If the user explicitly disables the basic security features and forgets to
@EnableWebSecurity, and yet still wants a bean of type
WebSecurityConfigurerAdapter, he is trying to use a custom
security setup and the app would fail in a confusing way without
this change.

Fixes gh-568
2014-03-25 12:19:56 +00:00
Dave Syer
b21fdd3463 Switch default security filter back on
If the user sets security.basic.enabled=false he has to remember
to @EnableWebSecurity.  Possibly we could be more helpful about the
exception, but I think this might be pilot error.

Fixes gh-568
2014-03-25 07:51:25 +00:00
Dave Syer
d23dab3bd0 Change package name in sample 2014-01-22 09:34:56 +00:00
Phillip Webb
cdda330acd Update copyright header for files changed in 2014 2014-01-21 10:27:10 -08:00
Dave Syer
b1db714c23 Allow @EnableGlobalMethodSecurity in a non webapp
Fixes gh-202
2014-01-09 17:13:59 +00:00