Commit Graph

27 Commits

Author SHA1 Message Date
Andy Wilkinson
66b55defa0 Adapt to password encoder changes in Spring Security
Closes gh-10762
2017-10-24 21:50:19 +01:00
Madhura Bhave
8600bd7294 Upgrade to Spring Security 5.0.0.BUILD-SNAPSHOT
Following some changes in the latest snapshot this includes:
- Some updates to oauth2 client auto-config
- Security auto-config no longer relies on GlobalAuthenticationConfigurerAdapter
- Remove reactive security starter

Closes gh-10704
2017-10-19 15:39:01 -07:00
Phillip Webb
46dfe38b60 Rework security request matchers
Update the security request matchers so that a bean is no longer needed
when the matcher is used. Matchers can now be build by starting from
the `EndpointRequest` or `StaticResourceRequest` classes. For example:

http.authorizeRequests()
  .requestMatchers(EndpointRequest.to("status", "info")).permitAll()
  .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
  .requestMatchers(StaticResourceRequest.toCommonLocations()).permitAll()

Closes gh-7958
2017-09-12 00:11:29 -07:00
Phillip Webb
0f99b29b1a Temporarily remove security matchers
Temporarily back out `SpringBootSecurity` to enable easier
package refactoring.

See gh-10261
2017-09-12 00:02:34 -07:00
Phillip Webb
ecb8461e8c Manually format security configuration
Update security configuration formatting to follow conventions
recommended in the Spring Security documentation.

See gh-7958
2017-09-11 23:58:52 -07:00
Phillip Webb
2c97d3a5e9 Polish 2017-08-29 15:59:32 -07:00
Stephane Nicoll
98455e30dc Rename default endpoint settings to "default"
Closes gh-10098
2017-08-29 11:27:35 +02:00
Madhura Bhave
e08ddbf838 Rework security autoconfiguration
This commit combines security autoconfigurations for
management endpoints and the rest of the application. By default,
if Spring Security is on the classpath, it turns on @EnableWebSecurity.
In the presence of another WebSecurityConfigurerAdapter this backs off
completely. A default AuthenticationManager is also provided with a user
and generated password. This can be turned off by specifying a bean of
type AuthenticationManager, AuthenticationProvider or UserDetailsService.

Closes gh-7958
2017-08-27 23:15:18 -07:00
Phillip Webb
06558675bb Polish 2017-04-25 09:45:14 -07:00
Madhura Bhave
c2e5fd031a Replace usage of WebMvcConfigurerAdapter
Closes gh-8964
2017-04-24 15:31:39 -07:00
Phillip Webb
6121208cbb Polish formatting 2016-12-19 12:47:03 -08:00
Madhura Bhave
1be5812cf0 Require ACTUATOR role rather than ADMIN
Update management security to require an `ACTUATOR` role rather than
`ADMIN` by default. This should reduce the risk of users accidentally
exposing actuator endpoints because they happen to use a role named
`ADMIN`.

Fixes gh-7569
2016-12-05 17:58:16 -08:00
Andy Wilkinson
46e03529fb Remove redundant bean declarations from some of the security samples
Closes gh-6740
2016-08-24 17:34:29 +01:00
Andy Wilkinson
3348ed5bb3 Make use of new GetMapping and PostMapping annotations
Closes gh-5277
2016-05-09 17:08:16 +01:00
Phillip Webb
95c4cdbedc Fix packages and annotations used in sample
Update a few of the samples to correct the packages used in tests and
to make use of the `@SpringBootApplication` annotation.
2016-02-22 10:29:43 -08:00
Phillip Webb
e473364e4e Merge branch '1.2.x' 2015-10-07 23:34:08 -07:00
Phillip Webb
6ab376e2e8 Reformat code use Eclipse Mars 2015-10-07 23:32:31 -07:00
Phillip Webb
61fc4f3f12 Polish copyright headers 2015-06-23 10:22:14 -07:00
Phillip Webb
1ce617f1ae Polish sample package names 2015-06-23 00:47:12 -07:00
Dave Syer
fd757cb371 Add logging.level to application.properties
E.g.

logging.level.org.springframework: DEBUG
logging.level.org.hibernate: WARN

Fixed gh-788
2014-06-27 15:49:17 +01:00
Javier Gayoso
b7d94d1364 Optimized login form - delegated CSRF token creation to thymeleaf
Also added additional test to verify behaviour.

Fixes gh-1039
2014-06-09 10:56:01 +01:00
Phillip Webb
8bcda1bcbe Polish 2014-05-20 18:26:56 +01:00
Dave Syer
14d3b46809 Add constants to SecurityProperties and ManagementServerProperties
For the convenience of users who want to selectively override the
access rules in an application without taking complete control of the
security configuration we now have some constants:

* SecurityProperties.ACCESS_OVERRIDE_ORDER for overriding just the
application endpoint access rules

* ManagementServerProperties.ACCESS_OVERRIDE_ORDER for overriding the
application endpoint and management endpoint access rules

Fixes gh-803
2014-05-08 05:32:43 -07:00
Dave Syer
0aa93036fa Fix secure method configuration global authentication
This fixes a bug in the sample, where the AuthenticationManager it builds
is a local one for the filter chain containing "/login", whereas it was
expecting to override the Boot default, which is "global". The fix is
to extract the authentication configuration out into a
GlobalAuthenticationConfigurerAdapter.

Fixes gh-699
2014-04-20 10:18:04 -07:00
Phillip Webb
468728a2c0 Polish 2014-03-03 17:50:19 -08:00
Dave Syer
8ff9e67714 Add actuator to method security sample 2014-03-03 15:03:08 +00:00
Dave Syer
9504f6e5a9 Add method security web sample
Useful sample for common use case where user adds custom Authentication,
a form login, *and* global method security all the the same application.
2014-03-03 14:24:08 +00:00