Fix secure method configuration global authentication

This fixes a bug in the sample, where the AuthenticationManager it builds is a local one for the filter chain containing "/login", whereas it was expecting to override the Boot default, which is "global". The fix is to extract the authentication configuration out into a GlobalAuthenticationConfigurerAdapter. Fixes gh-699

Fix secure method configuration global authentication
This fixes a bug in the sample, where the AuthenticationManager it builds is a local one for the filter chain containing "/login", whereas it was expecting to override the Boot default, which is "global". The fix is to extract the authentication configuration out into a GlobalAuthenticationConfigurerAdapter. Fixes gh-699
0aa93036 · Dave Syer · e4b8e174 · 0aa93036 · 0aa93036
Commit 0aa93036 authored Apr 20, 2014 by Dave Syer
Showing with 23 additions and 11 deletions

SampleMethodSecurityApplication.java ...ava/sample/ui/method/SampleMethodSecurityApplication.java +11 -4

SampleMethodSecurityApplicationTests.java ...ample/ui/method/SampleMethodSecurityApplicationTests.java +12 -7

No files found.
--- a/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/ui/method/SampleMethodSecurityApplication.java
+++ b/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/ui/method/SampleMethodSecurityApplication.java
@@ -23,10 +23,12 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -70,17 +72,22 @@ public class SampleMethodSecurityApplication extends WebMvcConfigurerAdapter {
 		return new ApplicationSecurity();
 	}

-	@Order(Ordered.LOWEST_PRECEDENCE - 8)
-	protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
-
+	@Order(Ordered.HIGHEST_PRECEDENCE)
+	@Configuration
+	protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
+		
 		@Override
-		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+		public void init(AuthenticationManagerBuilder auth) throws Exception {
 			// @formatter:off
 			auth.inMemoryAuthentication().withUser("admin").password("admin")
 					.roles("ADMIN", "USER").and().withUser("user").password("user")
 					.roles("USER");
 			// @formatter:on
 		}
+	}
+	
+	@Order(Ordered.LOWEST_PRECEDENCE - 8)
+	protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

 		@Override
 		protected void configure(HttpSecurity http) throws Exception {

--- a/spring-boot-samples/spring-boot-sample-web-method-security/src/test/java/sample/ui/method/SampleMethodSecurityApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-web-method-security/src/test/java/sample/ui/method/SampleMethodSecurityApplicationTests.java
@@ -16,17 +16,19 @@

 package sample.ui.method;

+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
 import java.util.Arrays;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;

-import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.test.IntegrationTest;
-import org.springframework.boot.test.TestRestTemplate;
 import org.springframework.boot.test.SpringApplicationConfiguration;
+import org.springframework.boot.test.TestRestTemplate;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
@@ -39,9 +41,6 @@ import org.springframework.test.context.web.WebAppConfiguration;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;

-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
 /**
 * Basic integration tests for demo application.
 * 
@@ -117,13 +116,19 @@ public class SampleMethodSecurityApplicationTests {
 	}

 	@Test
-	@Ignore("https://github.com/spring-projects/spring-boot/issues/699")
 	public void testManagementAuthorizedAccess() throws Exception {
-		ResponseEntity<String> entity = new TestRestTemplate("user", "user")
+		ResponseEntity<String> entity = new TestRestTemplate("admin", "admin")
 				.getForEntity("http://localhost:" + port + "/beans", String.class);
 		assertEquals(HttpStatus.OK, entity.getStatusCode());
 	}

+	@Test
+	public void testManagementUnauthorizedAccess() throws Exception {
+		ResponseEntity<String> entity = new TestRestTemplate("user", "user")
+				.getForEntity("http://localhost:" + port + "/beans", String.class);
+		assertEquals(HttpStatus.FORBIDDEN, entity.getStatusCode());
+	}
+
 	private void getCsrf(MultiValueMap<String, String> form, HttpHeaders headers) {
 		ResponseEntity<String> page = new TestRestTemplate().getForEntity(
 				"http://localhost:" + port + "/login", String.class);