Commit Graph

37 Commits

Author SHA1 Message Date
Stephane Nicoll
474da80b4d Revert "Restructure of security packages"
See gh-14412
2018-10-17 12:22:51 +02:00
Madhura Bhave
f835f82582 Preliminary restructure of security packages
Restructure the security auto-configuration packages to better reflect
the part of the system that the configuration applies to.

See gh-14412
2018-10-16 01:01:10 -07:00
Phillip Webb
21d80d87a3 Merge branch '1.5.x' into 2.0.x 2018-05-25 18:45:37 -07:00
Phillip Webb
e69296d7d3 Fix checkstyle violations in samples 2018-05-25 18:18:00 -07:00
Stephane Nicoll
7473642f58 Harmonize endpoints exclude property
Closes gh-11914
2018-02-12 14:00:40 +01:00
Andy Wilkinson
a09c64e18c Polish 2018-02-08 11:15:36 +00:00
Madhura Bhave
d65f9b25bc Remove redundant throws Exception 2018-01-25 17:25:38 +05:30
Phillip Webb
f3379668ac Polish 2018-01-18 23:21:51 -08:00
Madhura Bhave
e57aafd63d Provide EndpointRequest for WebFlux-based Security
Closes gh-11022
2018-01-09 16:06:36 -08:00
Phillip Webb
fd5c43cdc9 Separate endpoint concerns
Update endpoint code to provide cleaner separation of concerns.
Specifically, the top level endpoint package is no longer aware of
the fact that JMX and HTTP are ultimately used to expose endpoints.
Caching concerns have also been abstracted behind a general purpose
`OperationMethodInvokerAdvisor` interface.

Configuration properties have been refined to further enforce
separation. The `management.endpoint.<name>` prefix provides
configuration for a  single endpoint (including enable and cache
time-to-live). These  properties are now technology agnostic (they
don't include `web` or `jmx` sub properties).

The `management.endpoints.<technology>` prefix provide exposure specific
configuration. For example, `management.endpoints.web.path-mapping`
allow endpoint URLs to be changed.

Endpoint enabled/disabled logic has been simplified so that endpoints
can't be disabled per exposure technology. Instead a filter based
approach is used to allow refinement of what endpoints are exposed over
a given technology.

Fixes gh-10176
2017-11-15 14:41:38 -08:00
Andy Wilkinson
66b55defa0 Adapt to password encoder changes in Spring Security
Closes gh-10762
2017-10-24 21:50:19 +01:00
Madhura Bhave
8600bd7294 Upgrade to Spring Security 5.0.0.BUILD-SNAPSHOT
Following some changes in the latest snapshot this includes:
- Some updates to oauth2 client auto-config
- Security auto-config no longer relies on GlobalAuthenticationConfigurerAdapter
- Remove reactive security starter

Closes gh-10704
2017-10-19 15:39:01 -07:00
Phillip Webb
46dfe38b60 Rework security request matchers
Update the security request matchers so that a bean is no longer needed
when the matcher is used. Matchers can now be build by starting from
the `EndpointRequest` or `StaticResourceRequest` classes. For example:

http.authorizeRequests()
  .requestMatchers(EndpointRequest.to("status", "info")).permitAll()
  .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
  .requestMatchers(StaticResourceRequest.toCommonLocations()).permitAll()

Closes gh-7958
2017-09-12 00:11:29 -07:00
Phillip Webb
0f99b29b1a Temporarily remove security matchers
Temporarily back out `SpringBootSecurity` to enable easier
package refactoring.

See gh-10261
2017-09-12 00:02:34 -07:00
Phillip Webb
ecb8461e8c Manually format security configuration
Update security configuration formatting to follow conventions
recommended in the Spring Security documentation.

See gh-7958
2017-09-11 23:58:52 -07:00
Phillip Webb
2c97d3a5e9 Polish 2017-08-29 15:59:32 -07:00
Stephane Nicoll
98455e30dc Rename default endpoint settings to "default"
Closes gh-10098
2017-08-29 11:27:35 +02:00
Madhura Bhave
e08ddbf838 Rework security autoconfiguration
This commit combines security autoconfigurations for
management endpoints and the rest of the application. By default,
if Spring Security is on the classpath, it turns on @EnableWebSecurity.
In the presence of another WebSecurityConfigurerAdapter this backs off
completely. A default AuthenticationManager is also provided with a user
and generated password. This can be turned off by specifying a bean of
type AuthenticationManager, AuthenticationProvider or UserDetailsService.

Closes gh-7958
2017-08-27 23:15:18 -07:00
Phillip Webb
06558675bb Polish 2017-04-25 09:45:14 -07:00
Madhura Bhave
c2e5fd031a Replace usage of WebMvcConfigurerAdapter
Closes gh-8964
2017-04-24 15:31:39 -07:00
Phillip Webb
6121208cbb Polish formatting 2016-12-19 12:47:03 -08:00
Madhura Bhave
1be5812cf0 Require ACTUATOR role rather than ADMIN
Update management security to require an `ACTUATOR` role rather than
`ADMIN` by default. This should reduce the risk of users accidentally
exposing actuator endpoints because they happen to use a role named
`ADMIN`.

Fixes gh-7569
2016-12-05 17:58:16 -08:00
Andy Wilkinson
46e03529fb Remove redundant bean declarations from some of the security samples
Closes gh-6740
2016-08-24 17:34:29 +01:00
Andy Wilkinson
3348ed5bb3 Make use of new GetMapping and PostMapping annotations
Closes gh-5277
2016-05-09 17:08:16 +01:00
Phillip Webb
95c4cdbedc Fix packages and annotations used in sample
Update a few of the samples to correct the packages used in tests and
to make use of the `@SpringBootApplication` annotation.
2016-02-22 10:29:43 -08:00
Phillip Webb
e473364e4e Merge branch '1.2.x' 2015-10-07 23:34:08 -07:00
Phillip Webb
6ab376e2e8 Reformat code use Eclipse Mars 2015-10-07 23:32:31 -07:00
Phillip Webb
61fc4f3f12 Polish copyright headers 2015-06-23 10:22:14 -07:00
Phillip Webb
1ce617f1ae Polish sample package names 2015-06-23 00:47:12 -07:00
Dave Syer
fd757cb371 Add logging.level to application.properties
E.g.

logging.level.org.springframework: DEBUG
logging.level.org.hibernate: WARN

Fixed gh-788
2014-06-27 15:49:17 +01:00
Javier Gayoso
b7d94d1364 Optimized login form - delegated CSRF token creation to thymeleaf
Also added additional test to verify behaviour.

Fixes gh-1039
2014-06-09 10:56:01 +01:00
Phillip Webb
8bcda1bcbe Polish 2014-05-20 18:26:56 +01:00
Dave Syer
14d3b46809 Add constants to SecurityProperties and ManagementServerProperties
For the convenience of users who want to selectively override the
access rules in an application without taking complete control of the
security configuration we now have some constants:

* SecurityProperties.ACCESS_OVERRIDE_ORDER for overriding just the
application endpoint access rules

* ManagementServerProperties.ACCESS_OVERRIDE_ORDER for overriding the
application endpoint and management endpoint access rules

Fixes gh-803
2014-05-08 05:32:43 -07:00
Dave Syer
0aa93036fa Fix secure method configuration global authentication
This fixes a bug in the sample, where the AuthenticationManager it builds
is a local one for the filter chain containing "/login", whereas it was
expecting to override the Boot default, which is "global". The fix is
to extract the authentication configuration out into a
GlobalAuthenticationConfigurerAdapter.

Fixes gh-699
2014-04-20 10:18:04 -07:00
Phillip Webb
468728a2c0 Polish 2014-03-03 17:50:19 -08:00
Dave Syer
8ff9e67714 Add actuator to method security sample 2014-03-03 15:03:08 +00:00
Dave Syer
9504f6e5a9 Add method security web sample
Useful sample for common use case where user adds custom Authentication,
a form login, *and* global method security all the the same application.
2014-03-03 14:24:08 +00:00