Backport to 1.1.x the fix for gh-2474 (originally made in e42fa79f)

df81b314 · Andy Wilkinson · 8622e5db · df81b314
Commit df81b314 authored Feb 19, 2015 by Andy Wilkinson
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 82 deletions

AuthenticationManagerConfiguration.java ...onfigure/security/AuthenticationManagerConfiguration.java +24 -82

No files found.
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java
 /*
- * Copyright 2012-2014 the original author or authors.
+ * Copyright 2012-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Primary;
 import org.springframework.context.event.ContextRefreshedEvent;
+import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -40,9 +41,8 @@ import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
 import org.springframework.stereotype.Component;
 /**
@@ -60,16 +60,7 @@ import org.springframework.stereotype.Component;
 @ConditionalOnBean(ObjectPostProcessor.class)
 @ConditionalOnMissingBean({ AuthenticationManager.class })
 @Order(0)
-public class AuthenticationManagerConfiguration extends
+public class AuthenticationManagerConfiguration {
-		GlobalAuthenticationConfigurerAdapter {
-	/*
-	 * Yes, this class is a GlobalAuthenticationConfigurerAdapter, even though none of
-	 * those methods are overridden: we want Spring Security to instantiate us early, so
-	 * we can in turn force the SecurityPrequisites to be instantiated. This will prevent
-	 * ordering issues between Spring Boot modules when they need to influence the default
-	 * security configuration.
-	 */
 	private static Log logger = LogFactory
 			.getLog(AuthenticationManagerConfiguration.class);
@@ -77,35 +68,17 @@ public class AuthenticationManagerConfiguration extends
 	@Autowired
 	private List<SecurityPrequisite> dependencies;
-	@Autowired
-	private SecurityProperties security;
-	@Autowired
-	private ObjectPostProcessor<Object> objectPostProcessor;
 	@Bean
 	@Primary
-	public AuthenticationManager authenticationManager(AuthenticationManagerBuilder auth,
+	public AuthenticationManager authenticationManager(AuthenticationConfiguration auth)
-			ApplicationContext context) throws Exception {
+			throws Exception {
+		return auth.getAuthenticationManager();
-		if (isAuthenticationManagerAlreadyConfigured(context)) {
-			return new LazyAuthenticationManager(auth);
-		}
-		/*
-		 * This AuthenticationManagerBuilder is for the global AuthenticationManager
-		 */
-		BootDefaultingAuthenticationConfigurerAdapter configurer = new BootDefaultingAuthenticationConfigurerAdapter();
-		configurer.configure(auth);
-		AuthenticationManager manager = configurer.getAuthenticationManagerBuilder()
-				.getOrBuild();
-		configurer.configureParent(auth);
-		return manager;
 	}
-	private boolean isAuthenticationManagerAlreadyConfigured(ApplicationContext context) {
+	@Bean
-		return context.getBeanNamesForType(GlobalAuthenticationConfigurerAdapter.class).length > 2;
+	public static BootDefaultingAuthenticationConfigurerAdapter bootDefaultingAuthenticationConfigurerAdapter(
+			SecurityProperties security, List<SecurityPrequisite> dependencies) {
+		return new BootDefaultingAuthenticationConfigurerAdapter(security);
 	}
 	@Component
@@ -152,64 +125,33 @@ public class AuthenticationManagerConfiguration extends
 	 * methods are invoked before configure, which cannot be guaranteed at this point.</li>
 	 * </ul>
 	 */
-	private class BootDefaultingAuthenticationConfigurerAdapter {
+	@Order(Ordered.LOWEST_PRECEDENCE - 100)
+	private static class BootDefaultingAuthenticationConfigurerAdapter extends
-		private AuthenticationManagerBuilder defaultAuth;
+			GlobalAuthenticationConfigurerAdapter {
+		private final SecurityProperties security;
-		private AuthenticationManager parent;
-		public void configureParent(AuthenticationManagerBuilder auth) {
-			if (!auth.isConfigured() && this.parent != null) {
-				auth.parentAuthenticationManager(this.parent);
-			}
-		}
-		public AuthenticationManagerBuilder getAuthenticationManagerBuilder() {
+		@Autowired
-			return this.defaultAuth;
+		public BootDefaultingAuthenticationConfigurerAdapter(SecurityProperties security) {
+			this.security = security;
 		}
-		public void configure(AuthenticationManagerBuilder auth) throws Exception {
+		@Override
+		public void init(AuthenticationManagerBuilder auth) throws Exception {
 			if (auth.isConfigured()) {
-				this.defaultAuth = auth;
 				return;
 			}
-			User user = AuthenticationManagerConfiguration.this.security.getUser();
+			User user = this.security.getUser();
 			if (user.isDefaultPassword()) {
 				logger.info("\n\nUsing default security password: " + user.getPassword()
 						+ "\n\n");
 			}
-			this.defaultAuth = new AuthenticationManagerBuilder(
-					AuthenticationManagerConfiguration.this.objectPostProcessor);
 			Set<String> roles = new LinkedHashSet<String>(user.getRole());
+			auth.inMemoryAuthentication().withUser(user.getName())
-			this.parent = this.defaultAuth.inMemoryAuthentication()
+					.password(user.getPassword())
-					.withUser(user.getName()).password(user.getPassword())
+					.roles(roles.toArray(new String[roles.size()]));
-					.roles(roles.toArray(new String[roles.size()])).and().and().build();
-			// Defer actually setting the parent on the AuthenticationManagerBuilder
-			// because it makes it "configured" and we are only in the init() phase
-			// here.
 		}
 	}
-	private static class LazyAuthenticationManager implements AuthenticationManager {
-		private AuthenticationManagerBuilder builder;
-		public LazyAuthenticationManager(AuthenticationManagerBuilder builder) {
-			this.builder = builder;
-		}
-		@Override
-		public Authentication authenticate(Authentication authentication)
-				throws AuthenticationException {
-			return this.builder.getOrBuild().authenticate(authentication);
-		}
-	}
 }