Remove additional auto-configured security configurers

Closes gh-10435

Remove additional auto-configured security configurers
Closes gh-10435
0e2d34cd · Andy Wilkinson · 8f9b47aa · 0e2d34cd · 8f9b47aa · 0e2d34cd
Commit 0e2d34cd authored Sep 28, 2017 by Andy Wilkinson
3 changed files
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/h2/H2ConsoleAutoConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/h2/H2ConsoleAutoConfiguration.java
@@ -18,24 +18,15 @@ package org.springframework.boot.autoconfigure.h2;

 import org.h2.server.web.WebServlet;

-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.AutoConfigureAfter;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
-import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration;
-import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.web.servlet.ServletRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.core.annotation.Order;
-import org.springframework.security.config.annotation.ObjectPostProcessor;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

 /**
 * {@link EnableAutoConfiguration Auto-configuration} for H2's web console.
@@ -50,7 +41,6 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 @ConditionalOnClass(WebServlet.class)
 @ConditionalOnProperty(prefix = "spring.h2.console", name = "enabled", havingValue = "true", matchIfMissing = false)
 @EnableConfigurationProperties(H2ConsoleProperties.class)
-@AutoConfigureAfter(SecurityAutoConfiguration.class)
 public class H2ConsoleAutoConfiguration {

 	private final H2ConsoleProperties properties;
@@ -75,37 +65,4 @@ public class H2ConsoleAutoConfiguration {
 		return registration;
 	}

-	@Configuration
-	@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
-	@ConditionalOnBean(ObjectPostProcessor.class)
-	@ConditionalOnProperty(prefix = "security.basic", name = "enabled", matchIfMissing = true)
-	static class H2ConsoleSecurityConfiguration {
-
-		@Bean
-		public WebSecurityConfigurerAdapter h2ConsoleSecurityConfigurer() {
-			return new H2ConsoleSecurityConfigurer();
-		}
-
-		@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
-		private static class H2ConsoleSecurityConfigurer
-				extends WebSecurityConfigurerAdapter {
-
-			@Autowired
-			private H2ConsoleProperties console;
-
-			@Override
-			public void configure(HttpSecurity http) throws Exception {
-				String path = this.console.getPath();
-				String antPattern = (path.endsWith("/") ? path + "**" : path + "/**");
-				HttpSecurity h2Console = http.antMatcher(antPattern);
-				h2Console.csrf().disable();
-				h2Console.httpBasic();
-				h2Console.headers().frameOptions().sameOrigin();
-				http.authorizeRequests().anyRequest().authenticated();
-			}
-
-		}
-
-	}
-
 }
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/h2/H2ConsoleAutoConfigurationIntegrationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/h2/H2ConsoleAutoConfigurationIntegrationTests.java
-/*
- * Copyright 2012-2017 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.boot.autoconfigure.h2;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.h2.H2ConsoleAutoConfigurationIntegrationTests.TestConfiguration;
-import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Import;
-import org.springframework.http.MediaType;
-import org.springframework.stereotype.Controller;
-import org.springframework.test.annotation.DirtiesContext;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.TestPropertySource;
-import org.springframework.test.context.junit4.SpringRunner;
-import org.springframework.test.context.web.WebAppConfiguration;
-import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.context.WebApplicationContext;
-
-import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
-import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
-/**
- * Integration tests for {@link H2ConsoleAutoConfiguration}
- *
- * @author Andy Wilkinson
- */
-@RunWith(SpringRunner.class)
-@DirtiesContext
-@WebAppConfiguration
-@ContextConfiguration(classes = TestConfiguration.class)
-@TestPropertySource(properties = "spring.h2.console.enabled:true")
-public class H2ConsoleAutoConfigurationIntegrationTests {
-
-	@Autowired
-	private WebApplicationContext context;
-
-	@Test
-	public void noPrincipal() throws Exception {
-		MockMvc mockMvc = MockMvcBuilders.webAppContextSetup(this.context)
-				.apply(springSecurity()).build();
-		mockMvc.perform(get("/h2-console/").accept(MediaType.APPLICATION_JSON))
-				.andExpect(status().isUnauthorized());
-	}
-
-	@Test
-	public void userPrincipal() throws Exception {
-		MockMvc mockMvc = MockMvcBuilders.webAppContextSetup(this.context)
-				.apply(springSecurity()).build();
-		mockMvc.perform(get("/h2-console/").accept(MediaType.APPLICATION_JSON)
-				.with(user("test").roles("USER"))).andExpect(status().isOk())
-				.andExpect(header().string("X-Frame-Options", "SAMEORIGIN"));
-	}
-
-	@Configuration
-	@Import({ SecurityAutoConfiguration.class, H2ConsoleAutoConfiguration.class })
-	@Controller
-	static class TestConfiguration {
-
-		@RequestMapping("/h2-console/**")
-		public void mockConsole() {
-
-		}
-
-	}
-
-}
--- a/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java
+++ b/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java
@@ -25,11 +25,9 @@ import org.apache.commons.logging.LogFactory;

 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.devtools.remote.server.AccessManager;
@@ -46,11 +44,7 @@ import org.springframework.boot.devtools.restart.server.HttpRestartServerHandler
 import org.springframework.boot.devtools.restart.server.SourceFolderUrlFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.core.annotation.Order;
 import org.springframework.http.server.ServerHttpRequest;
-import org.springframework.security.config.annotation.ObjectPostProcessor;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

 /**
 * {@link EnableAutoConfiguration Auto-configuration} for remote development support.
@@ -143,31 +137,4 @@ public class RemoteDevToolsAutoConfiguration {

 	}

-	@Configuration
-	@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
-	@ConditionalOnBean(ObjectPostProcessor.class)
-	static class RemoteDevToolsSecurityConfiguration {
-
-		@Bean
-		public RemoteRestartWebSecurityConfigurer remoteRestartWebSecurityConfigurer() {
-			return new RemoteRestartWebSecurityConfigurer();
-		}
-
-		@Order(SecurityProperties.IGNORED_ORDER + 2)
-		static class RemoteRestartWebSecurityConfigurer
-				extends WebSecurityConfigurerAdapter {
-
-			@Autowired
-			private DevToolsProperties properties;
-
-			@Override
-			public void configure(HttpSecurity http) throws Exception {
-				http.antMatcher(this.properties.getRemote().getContextPath() + "/**");
-				http.csrf().disable();
-			}
-
-		}
-
-	}
-
 }