diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java index a0950f72441..04f24deeb77 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2019 the original author or authors. + * Copyright 2012-2020 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -64,6 +64,7 @@ import org.springframework.http.HttpHeaders; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.WebSecurityConfigurer; import org.springframework.security.config.annotation.web.builders.WebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.servlet.DispatcherServlet; 
@@ -158,18 +159,23 @@ public class CloudFoundryActuatorAutoConfiguration { * specific paths. The Cloud foundry endpoints are protected by their own security * interceptor. */ - @ConditionalOnClass(WebSecurity.class) - @Order(SecurityProperties.IGNORED_ORDER) + @ConditionalOnClass({ WebSecurityCustomizer.class, WebSecurity.class }) @Configuration(proxyBeanMethods = false) - public static class IgnoredPathsWebSecurityConfigurer implements WebSecurityConfigurer { + public static class IgnoredCloudFoundryPathsWebSecurityConfiguration { - @Override - public void init(WebSecurity builder) throws Exception { - builder.ignoring().requestMatchers(new AntPathRequestMatcher("/cloudfoundryapplication/**")); + @Bean + IgnoredCloudFoundryPathsWebSecurityCustomizer ignoreCloudFoundryPathsWebSecurityCustomizer() { + return new IgnoredCloudFoundryPathsWebSecurityCustomizer(); } + } + + @Order(SecurityProperties.IGNORED_ORDER) + static class IgnoredCloudFoundryPathsWebSecurityCustomizer implements WebSecurityCustomizer { + @Override - public void configure(WebSecurity builder) throws Exception { + public void customize(WebSecurity web) { + web.ignoring().requestMatchers(new AntPathRequestMatcher("/cloudfoundryapplication/**")); } } diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java index 8b835001217..ca5c849da20 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java 
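Review bot: The new `IgnoredCloudFoundryPathsWebSecurityCustomizer` has no comment of its own; the explanation that the Cloud Foundry endpoints are "protected by their own security interceptor" stays on the configuration class, whose Javadoc starts outside this hunk. `web.ignoring()` takes `/cloudfoundryapplication/**` out of Spring Security altogether, so the class that does it should say why that is safe. I would add above `customize`: `// Requests under /cloudfoundryapplication/** bypass the Spring Security filter chain; access control relies on the Cloud Foundry security interceptor.` Since `@Order(SecurityProperties.IGNORED_ORDER)` moved from the configuration to the customizer class, a test that the ordering is still honoured would be worth adding if one does not already exist.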
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java @@ -31,6 +31,7 @@ import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAu import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration; import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration; import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; @@ -49,7 +50,7 @@ import org.springframework.security.web.SecurityFilterChain; * @since 2.1.0 */ @Configuration(proxyBeanMethods = false) -@ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class }) +@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class }) @ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class }) @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET) @AutoConfigureBefore(SecurityAutoConfiguration.class) 
@@ -58,19 +59,15 @@ import org.springframework.security.web.SecurityFilterChain; OAuth2ResourceServerAutoConfiguration.class, Saml2RelyingPartyAutoConfiguration.class }) public class ManagementWebSecurityAutoConfiguration { - @Configuration(proxyBeanMethods = false) - static class ManagementWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests((requests) -> { - requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll(); - requests.anyRequest().authenticated(); - }); - http.formLogin(Customizer.withDefaults()); - http.httpBasic(Customizer.withDefaults()); - } - + @Bean + SecurityFilterChain managementSecurityFilterChain(HttpSecurity http) throws Exception { + http.authorizeRequests((requests) -> { + requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll(); + requests.anyRequest().authenticated(); + }); + http.formLogin(Customizer.withDefaults()); + http.httpBasic(Customizer.withDefaults()); + return http.build(); } } diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java index 8a4b9228006..17818b577fb 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java 
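Review bot: `managementSecurityFilterChain` has no Javadoc, so the fact that the health and info endpoints are served without authentication by default is only visible by reading the lambda. I would add `/** Permits unauthenticated access to the health and info endpoints and requires authentication for every other request. */` on the bean method. The class-level Javadoc and conditions sit outside this hunk, so this may already be described there.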
@@ -56,6 +56,8 @@ import static org.assertj.core.api.Assertions.assertThat; */ class ManagementWebSecurityAutoConfigurationTests { + private static final String MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN = "managementSecurityFilterChain"; + private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner().withConfiguration( AutoConfigurations.of(HealthContributorAutoConfiguration.class, HealthEndpointAutoConfiguration.class, InfoEndpointAutoConfiguration.class, EnvironmentEndpointAutoConfiguration.class, @@ -65,6 +67,7 @@ class ManagementWebSecurityAutoConfigurationTests { @Test void permitAllForHealth() { this.contextRunner.run((context) -> { + assertThat(context).hasBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN); HttpStatus status = getResponseStatus(context, "/actuator/health"); assertThat(status).isEqualTo(HttpStatus.OK); }); @@ -127,8 +130,8 @@ class ManagementWebSecurityAutoConfigurationTests { void backOffIfOAuth2ResourceServerAutoConfigurationPresent() { this.contextRunner.withConfiguration(AutoConfigurations.of(OAuth2ResourceServerAutoConfiguration.class)) .withPropertyValues("spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://authserver") - .run((context) -> assertThat(context).doesNotHaveBean( - ManagementWebSecurityAutoConfiguration.ManagementWebSecurityConfigurerAdapter.class)); + .run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class) + .doesNotHaveBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN)); } @Test 
@@ -139,8 +142,8 @@ class ManagementWebSecurityAutoConfigurationTests { "spring.security.saml2.relyingparty.registration.simplesamlphp.identity-provider.single-sign-on.sign-request=false", "spring.security.saml2.relyingparty.registration.simplesamlphp.identityprovider.entity-id=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php", "spring.security.saml2.relyingparty.registration.simplesamlphp.identityprovider.verification.credentials[0].certificate-location=classpath:saml/certificate-location") - .run((context) -> assertThat(context).doesNotHaveBean( - ManagementWebSecurityAutoConfiguration.ManagementWebSecurityConfigurerAdapter.class)); + .run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class) + .doesNotHaveBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN)); } private HttpStatus getResponseStatus(AssertableWebApplicationContext context, String path) diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java index 876a2e26c3f..eee191a350e 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java 
@@ -54,15 +54,16 @@ class OAuth2WebSecurityConfiguration { } @Configuration(proxyBeanMethods = false) - @ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class }) + @ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class }) @ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class }) - static class OAuth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { + static class OAuth2SecurityFilterChainConfiguration { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain oauth2SecurityFilterChain(HttpSecurity http) throws Exception { http.authorizeRequests((requests) -> requests.anyRequest().authenticated()); http.oauth2Login(Customizer.withDefaults()); http.oauth2Client(); + return http.build(); } } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java index b2949da65e9..79e859a2995 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java @@ -50,7 +50,6 @@ import org.springframework.security.web.SecurityFilterChain; * @author HaiTao Zhang */ @Configuration(proxyBeanMethods = false) - class OAuth2ResourceServerJwtConfiguration { @Configuration(proxyBeanMethods = false) 
@@ -98,22 +97,16 @@ class OAuth2ResourceServerJwtConfiguration { } @Configuration(proxyBeanMethods = false) - @ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class }) + @ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class }) @ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class }) - static class OAuth2WebSecurityConfigurerAdapter { + static class OAuth2SecurityFilterChainConfiguration { @Bean @ConditionalOnBean(JwtDecoder.class) - WebSecurityConfigurerAdapter jwtDecoderWebSecurityConfigurerAdapter() { - return new WebSecurityConfigurerAdapter() { - - @Override - protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests((requests) -> requests.anyRequest().authenticated()); - http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); - } - - }; + SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http) throws Exception { + http.authorizeRequests((requests) -> requests.anyRequest().authenticated()); + http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); + return http.build(); } } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java index 701edad647c..1d368c62afd 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java 
@@ -56,20 +56,14 @@ class OAuth2ResourceServerOpaqueTokenConfiguration { @Configuration(proxyBeanMethods = false) @ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class }) @ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class }) - static class OAuth2WebSecurityConfigurerAdapter { + static class OAuth2SecurityFilterChainConfiguration { @Bean @ConditionalOnBean(OpaqueTokenIntrospector.class) - WebSecurityConfigurerAdapter opaqueTokenWebSecurityConfigurerAdapter() { - return new WebSecurityConfigurerAdapter() { - - @Override - protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests((requests) -> requests.anyRequest().authenticated()); - http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken); - } - - }; + SecurityFilterChain opaqueTokenSecurityFilterChain(HttpSecurity http) throws Exception { + http.authorizeRequests((requests) -> requests.anyRequest().authenticated()); + http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken); + return http.build(); } } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/Oauth2ResourceServerConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/Oauth2ResourceServerConfiguration.java index e14e1034d48..36c522e39a7 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/Oauth2ResourceServerConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/Oauth2ResourceServerConfiguration.java 
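Review bot: The `@ConditionalOnClass` on `OAuth2SecurityFilterChainConfiguration` still lists `WebSecurityConfigurerAdapter.class` (an unchanged context line at the top of this hunk), while the JWT, OAuth2 client, SAML, management, default and devtools configurations in this commit all switch to `HttpSecurity.class`. The bean method now takes `HttpSecurity` and no longer uses the adapter, so the condition should read `@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class })`. The enclosing `OAuth2ResourceServerOpaqueTokenConfiguration` starts outside the hunk.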
@@ -32,14 +32,14 @@ class Oauth2ResourceServerConfiguration { @Configuration(proxyBeanMethods = false) @ConditionalOnClass(JwtDecoder.class) @Import({ OAuth2ResourceServerJwtConfiguration.JwtDecoderConfiguration.class, - OAuth2ResourceServerJwtConfiguration.OAuth2WebSecurityConfigurerAdapter.class }) + OAuth2ResourceServerJwtConfiguration.OAuth2SecurityFilterChainConfiguration.class }) static class JwtConfiguration { } @Configuration(proxyBeanMethods = false) @Import({ OAuth2ResourceServerOpaqueTokenConfiguration.OpaqueTokenIntrospectionClientConfiguration.class, - OAuth2ResourceServerOpaqueTokenConfiguration.OAuth2WebSecurityConfigurerAdapter.class }) + OAuth2ResourceServerOpaqueTokenConfiguration.OAuth2SecurityFilterChainConfiguration.class }) static class OpaqueTokenConfiguration { } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2LoginConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2LoginConfiguration.java index 06ba83e42a7..2af84fe8352 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2LoginConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2LoginConfiguration.java 
@@ -19,6 +19,7 @@ package org.springframework.boot.autoconfigure.security.saml2; import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnClass; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @@ -32,19 +33,15 @@ import org.springframework.security.web.SecurityFilterChain; * @author Madhura Bhave */ @Configuration(proxyBeanMethods = false) -@ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class }) +@ConditionalOnMissingBean({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class }) @ConditionalOnBean(RelyingPartyRegistrationRepository.class) -@ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class }) +@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class }) class Saml2LoginConfiguration { - @Configuration(proxyBeanMethods = false) - static class Saml2LoginConfigurerAdapter extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests((requests) -> requests.anyRequest().authenticated()).saml2Login(); - } - + @Bean + SecurityFilterChain samlSecurityFilterChain(HttpSecurity http) throws Exception { + http.authorizeRequests((requests) -> requests.anyRequest().authenticated()).saml2Login(); + return http.build(); } } 
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java index be37fdb4fcb..9985817aa53 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java @@ -21,8 +21,10 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication; import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type; import org.springframework.boot.autoconfigure.security.SecurityProperties; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.SecurityFilterChain; 
@@ -37,15 +39,16 @@ import org.springframework.security.web.SecurityFilterChain; * @author Madhura Bhave */ @Configuration(proxyBeanMethods = false) -@ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class }) -@ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class }) +@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class }) +@ConditionalOnMissingBean({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class }) @ConditionalOnWebApplication(type = Type.SERVLET) class SpringBootWebSecurityConfiguration { - @Configuration(proxyBeanMethods = false) + @Bean @Order(SecurityProperties.BASIC_AUTH_ORDER) - static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter { - + SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception { + http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic(); + return http.build(); } } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfigurationTests.java index 8ae77dcfd00..0400f98f944 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfigurationTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfigurationTests.java 
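Review bot: `@ConditionalOnMissingBean({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class })` makes `defaultSecurityFilterChain` back off for any `SecurityFilterChain` bean, and this commit also turns a framework-internal, path-scoped configuration into such a bean (the restart chain in `RemoteDevtoolsSecurityConfiguration`). If that bean is registered before this condition is evaluated (the ordering is not visible here), the application would lose the default `anyRequest().authenticated()` rule while only the devtools restart URL has a chain. A context-runner test that loads both configurations and asserts the default chain is still present would pin this down. As a style point, the new body uses `.and()` chaining where the other chains in this commit use the lambda form with `Customizer.withDefaults()`.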
@@ -117,7 +117,7 @@ class OAuth2WebSecurityConfigurationTests { } @Test - void securityConfigurerBacksOffBacksOffWhenOtherWebSecurityAdapterPresent() { + void securityFilterChainConfigBacksOffWhenOtherWebSecurityAdapterPresent() { this.contextRunner .withUserConfiguration(TestWebSecurityConfigurerConfig.class, OAuth2WebSecurityConfiguration.class) .run((context) -> { @@ -128,7 +128,7 @@ class OAuth2WebSecurityConfigurationTests { } @Test - void securityConfigurerBacksOffBacksOffWhenOtherSecurityFilterChainBeanPresent() { + void securityFilterChainConfigBacksOffWhenOtherSecurityFilterChainBeanPresent() { this.contextRunner .withUserConfiguration(TestSecurityFilterChainConfig.class, OAuth2WebSecurityConfiguration.class) .run((context) -> { @@ -139,7 +139,7 @@ class OAuth2WebSecurityConfigurationTests { } @Test - void securityConfigurerBacksOffConditionalOnSecurityFilterChainClass() { + void securityFilterChainConfigConditionalOnSecurityFilterChainClass() { this.contextRunner .withUserConfiguration(ClientRegistrationRepositoryConfiguration.class, OAuth2WebSecurityConfiguration.class) diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java index f063c37faaf..27f6e16aaf6 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java 
@@ -38,6 +38,7 @@ import org.springframework.core.io.ClassPathResource; import org.springframework.core.io.Resource; import org.springframework.security.config.BeanIds; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository; @@ -220,6 +221,11 @@ class Saml2RelyingPartyAutoConfigurationTests { } + @EnableWebSecurity + static class WebSecurityEnablerConfiguration { + + } + @Configuration(proxyBeanMethods = false) static class WebSecurityConfigurerAdapterConfiguration { diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfigurationTests.java index 792b2301d27..3f4e72a1d1b 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfigurationTests.java 
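Review bot: `WebSecurityEnablerConfiguration` is added here, but no added line in this file's hunks references it, so it looks like dead test code. Either remove it together with the `EnableWebSecurity` import, or use it in the test it was meant for, for example via `withUserConfiguration(WebSecurityEnablerConfiguration.class)`. If it is meant to show that the SAML chain is still created when the application declares `@EnableWebSecurity` itself, a one-line comment on the class saying so would help.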
@@ -76,6 +76,12 @@ class SecurityAutoConfigurationTests { .run((context) -> assertThat(context).doesNotHaveBean("springSecurityFilterChain")); } + @Test + void filterChainBeanIsConditionalOnClassSecurityFilterChain() { + this.contextRunner.withClassLoader(new FilteredClassLoader(SecurityFilterChain.class)) + .run((context) -> assertThat(context).doesNotHaveBean(SecurityFilterChain.class)); + } + @Test void securityConfigurerBacksOffWhenOtherSecurityFilterChainBeanPresent() { this.contextRunner.withUserConfiguration(TestSecurityFilterChainConfig.class).run((context) -> { diff --git a/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java b/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java index c7b1630a1c7..a270f898201 100644 --- a/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java +++ b/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java @@ -19,10 +19,10 @@ package org.springframework.boot.devtools.autoconfigure; import org.springframework.boot.autoconfigure.condition.ConditionalOnClass; import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.boot.autoconfigure.web.ServerProperties; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; 
@@ -32,13 +32,12 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher; * * @author Madhura Bhave */ -@ConditionalOnClass({ SecurityFilterChain.class, WebSecurityConfigurerAdapter.class }) +@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class }) @Configuration(proxyBeanMethods = false) class RemoteDevtoolsSecurityConfiguration { - @Order(SecurityProperties.BASIC_AUTH_ORDER - 1) @Configuration - static class SecurityConfiguration extends WebSecurityConfigurerAdapter { + static class SecurityConfiguration { private final String url; @@ -48,10 +47,12 @@ class RemoteDevtoolsSecurityConfiguration { this.url = servletContextPath + devToolsProperties.getRemote().getContextPath() + "/restart"; } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + @Order(SecurityProperties.BASIC_AUTH_ORDER - 1) + SecurityFilterChain configure(HttpSecurity http) throws Exception { http.requestMatcher(new AntPathRequestMatcher(this.url)).authorizeRequests().anyRequest().anonymous().and() .csrf().disable(); + return http.build(); } } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java index 21709bbc65b..9ce59217ce7 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java 
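Review bot: The new bean method in `SecurityConfiguration` is named `configure`, so the devtools chain is registered under the bean name `configure`, which is the same name the sample configurations later in this commit use for their own `SecurityFilterChain` beans. An application that follows that pattern and enables remote devtools would have two definitions under one name, which either fails at startup or lets one chain replace the other, depending on the bean-overriding setting. A distinctive name avoids that: `SecurityFilterChain devtoolsSecurityFilterChain(HttpSecurity http) throws Exception {`. Separately, this chain allows anonymous access and disables CSRF for the restart URL, so a short comment naming what does protect that endpoint (not visible in this hunk) would help reviewers; the constructor that builds `url` starts outside the hunk.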
@@ -1,5 +1,5 @@ /* - * Copyright 2012-2019 the original author or authors. + * Copyright 2012-2020 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,14 +26,14 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.User.UserBuilder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; @Configuration(proxyBeanMethods = false) -public class SecurityConfiguration extends WebSecurityConfigurerAdapter { +public class SecurityConfiguration { @Bean public InMemoryUserDetailsManager inMemoryUserDetailsManager() { @@ -53,8 +53,8 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter { return builder.build(); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain configure(HttpSecurity http) throws Exception { http.authorizeRequests((requests) -> { requests.mvcMatchers("/actuator/beans").hasRole("BEANS"); requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll(); @@ -66,6 +66,7 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter { }); http.cors(Customizer.withDefaults()); http.httpBasic(); + return http.build(); } } 
diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/ShutdownSampleActuatorApplicationTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/ShutdownSampleActuatorApplicationTests.java index 1e63e15a757..7e4a50a1461 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/ShutdownSampleActuatorApplicationTests.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/ShutdownSampleActuatorApplicationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2019 the original author or authors. + * Copyright 2012-2020 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -24,11 +24,12 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.boot.test.context.SpringBootTest.WebEnvironment; import org.springframework.boot.test.web.client.TestRestTemplate; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.annotation.DirtiesContext; import static org.assertj.core.api.Assertions.assertThat; 
@@ -69,11 +70,12 @@ class ShutdownSampleActuatorApplicationTests { } @Configuration(proxyBeanMethods = false) - static class SecurityConfiguration extends WebSecurityConfigurerAdapter { + static class SecurityConfiguration { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain configure(HttpSecurity http) throws Exception { http.csrf().disable(); + return http.build(); } } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-jersey/src/main/java/smoketest/secure/jersey/SecurityConfiguration.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-jersey/src/main/java/smoketest/secure/jersey/SecurityConfiguration.java index c9942d8cfa3..e4fd4dd24be 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-jersey/src/main/java/smoketest/secure/jersey/SecurityConfiguration.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-jersey/src/main/java/smoketest/secure/jersey/SecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2019 the original author or authors. + * Copyright 2012-2020 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
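Review bot: The chain built by `SecurityConfiguration.configure` only calls `http.csrf().disable()` and declares no authorization rules, and nothing in the hunk says why. Test configurations like this get copied into application code, so a short comment would help, e.g. `// Test-only: CSRF is disabled so the test client can POST without a token; not for application use`. The reason is inferred from the test class name and its TestRestTemplate import, so the wording should be confirmed by the author.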
@@ -21,12 +21,12 @@ import org.springframework.boot.actuate.web.mappings.MappingsEndpoint; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; @Configuration -public class SecurityConfiguration extends WebSecurityConfigurerAdapter { +public class SecurityConfiguration { @SuppressWarnings("deprecation") @Bean @@ -38,8 +38,8 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter { .authorities("ROLE_ACTUATOR", "ROLE_USER").build()); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain configure(HttpSecurity http) throws Exception { // @formatter:off http.authorizeRequests() .requestMatchers(EndpointRequest.to("health", "info")).permitAll() @@ -47,6 +47,7 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter { .antMatchers("/**").hasRole("USER") .and() .httpBasic(); + return http.build(); // @formatter:on } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java index 3db484701dc..872d85960a6 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java 
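Review bot: `return http.build();` in the `@@ -47,6 +47,7 @@` hunk is placed before `// @formatter:on`, so the return statement sits inside the region that exists only to protect the fluent `authorizeRequests()` chain. Moving it below the marker, i.e. `// @formatter:on` followed by `return http.build();`, keeps the off/on pair around the builder calls alone. The method starts in the `@@ -38,8 +38,8 @@` hunk and its middle lines are not visible here.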
+++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2019 the original author or authors. + * Copyright 2012-2020 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,9 +29,9 @@ import org.springframework.core.annotation.Order; import org.springframework.security.access.annotation.Secured; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; @@ -68,10 +68,10 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer { } @Configuration(proxyBeanMethods = false) - protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter { + protected static class ApplicationSecurity { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain appSecurity(HttpSecurity http) throws Exception { http.authorizeRequests((requests) -> { requests.antMatchers("/login").permitAll(); requests.anyRequest().fullyAuthenticated(); 
@@ -82,19 +82,21 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer { }); http.logout((logout) -> logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))); http.exceptionHandling((exceptions) -> exceptions.accessDeniedPage("/access?error")); + return http.build(); } } @Configuration(proxyBeanMethods = false) @Order(1) - protected static class ActuatorSecurity extends WebSecurityConfigurerAdapter { + protected static class ActuatorSecurity { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception { http.requestMatcher(EndpointRequest.toAnyEndpoint()); http.authorizeRequests((requests) -> requests.anyRequest().authenticated()); http.httpBasic(); + return http.build(); } } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java index a14e9f7a164..6f40103e055 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-custom/src/main/java/smoketest/web/secure/custom/SampleWebSecureCustomApplication.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2019 the original author or authors. + * Copyright 2012-2020 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
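Review bot: `@Order(1)` is left on the `ActuatorSecurity` configuration class, but what needs ordering is now the `SecurityFilterChain` returned by `actuatorSecurity`, not the class. As far as I know the order of filter-chain beans is read from the `@Bean` method or the bean's own type, so the class-level annotation may no longer decide precedence. If `appSecurity` (previous hunk, `requests.anyRequest().fullyAuthenticated()`, apparently with no request matcher restricting it) were consulted first, the endpoint chain with `http.httpBasic()` would never be selected. Putting `@Order(1)` directly on the `actuatorSecurity` method makes the intended precedence explicit, and a smoke test asserting that an actuator request is answered with an HTTP Basic challenge would pin it. The start of `appSecurity` lies outside this hunk.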
@@ -21,10 +21,11 @@ import java.util.Map; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.builder.SpringApplicationBuilder; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; @@ -58,10 +59,10 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer { } @Configuration(proxyBeanMethods = false) - protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter { + protected static class ApplicationSecurity { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain configure(HttpSecurity http) throws Exception { http.authorizeRequests((requests) -> { requests.antMatchers("/css/**").permitAll(); requests.anyRequest().fullyAuthenticated(); @@ -71,6 +72,7 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer { form.failureUrl("/login?error").permitAll(); }); http.logout(LogoutConfigurer::permitAll); + return http.build(); } } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java index 589f2cae397..a1e39d805f7 100644 
--- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure-jdbc/src/main/java/smoketest/web/secure/jdbc/SampleWebSecureJdbcApplication.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2019 the original author or authors. + * Copyright 2012-2020 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,9 +26,9 @@ import org.springframework.boot.builder.SpringApplicationBuilder; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer; import org.springframework.security.provisioning.JdbcUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; @@ -62,10 +62,10 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer { } @Configuration(proxyBeanMethods = false) - protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter { + protected static class ApplicationSecurity { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain configure(HttpSecurity http) throws Exception { http.authorizeRequests((requests) -> { requests.antMatchers("/css/**").permitAll(); requests.anyRequest().fullyAuthenticated(); 
@@ -75,6 +75,7 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer { form.failureUrl("/login?error").permitAll(); }); http.logout(LogoutConfigurer::permitAll); + return http.build(); } @Bean diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/main/java/smoketest/web/secure/SampleWebSecureApplication.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/main/java/smoketest/web/secure/SampleWebSecureApplication.java index d66798fde9e..cd47bc5fabb 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/main/java/smoketest/web/secure/SampleWebSecureApplication.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-secure/src/main/java/smoketest/web/secure/SampleWebSecureApplication.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2019 the original author or authors. + * Copyright 2012-2020 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,10 +22,11 @@ import java.util.Map; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.security.servlet.PathRequest; import org.springframework.boot.builder.SpringApplicationBuilder; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; 
@@ -59,10 +60,10 @@ public class SampleWebSecureApplication implements WebMvcConfigurer { } @Configuration(proxyBeanMethods = false) - protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter { + protected static class ApplicationSecurity { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain configure(HttpSecurity http) throws Exception { http.authorizeRequests((requests) -> { requests.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll(); requests.anyRequest().fullyAuthenticated(); @@ -72,6 +73,7 @@ public class SampleWebSecureApplication implements WebMvcConfigurer { form.failureUrl("/login?error").permitAll(); }); http.logout(LogoutConfigurer::permitAll); + return http.build(); } }