Files
stream-applications/applications/apps-core/common/stream-apps-security-common/README.adoc
Soby Chacko 517ccd5b40 Initial Commit
Migrating the existing structure from the following location:
https://github.com/spring-cloud-stream-app-starters/stream-applications/tree/restructuring
2020-05-04 17:51:05 -04:00

34 lines
1.9 KiB
Plaintext

=== `App Starters Security` Common Module
Spring Boot auto-configuration to manage the web security of the application starters.
When the `app-starters-security-common` dependency is on the classpath, the `spring.cloud.streamapp.security.enabled` and `spring.cloud.streamapp.security.csrf-enabled` properties control the application security behavior.
By default the security is enabled allowing unauthorized access only to the `Info` and `Health` endpoints.
The `spring.cloud.streamapp.security.enabled = false` completely surpass the application security.
For secured application setting `spring.cloud.streamapp.security.csrf-enabled = false` disables security for the CSRF access.
With security enabled (`spring.cloud.streamapp.security.enabled = true`) and `actuator` dependency on the classpath, the `(Reactive)ManagementWebSecurityAutoConfiguration` is activated, providing unauthenticated access to the `HealthEndpoint` and `InfoEndpoint`.
If the user specifies their own `WebSecurityConfigurerAdapter` (for MVC application), this configuration will back-off completely and the user should specify all the bits that they want to configure as part of the custom security configuration.
For reactive (WebFlux) application the same effect can be achieved with a custom `WebFilterChainProxy` bean.
=== Configuration
To include app starters security management for a stream app, just include a dependency on this module.
[source,xml]
----
<dependency>
<groupId>org.springframework.cloud.stream.app</groupId>
<artifactId>app-starters-security-common</artifactId>
</dependency>
----
All Spring Cloud Stream app starters that inherit form the `core` pom have the `app-starters-security-common` dependency included by default.
* `spring.cloud.streamapp.security.enabled` (default: `true`). If set to `false` it surpasses the boot security.
* `spring.cloud.streamapp.security.csrf-enabled` (default: `true`). If set to `false`, for secured applications it enables CQRS.