[bs-138] Add explicit @Order to auto security filter
Now users can provide a fallback filter with default @Order and it won't affect the operation of the default secure endpoints. [Fixes #50721675]
This commit is contained in:
parent
a7ea0f643a
commit
7ca2a18ab9
@ -28,6 +28,7 @@ import org.springframework.bootstrap.context.annotation.ConditionalOnMissingBean
|
||||
import org.springframework.bootstrap.context.annotation.EnableConfigurationProperties;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.annotation.Order;
|
||||
import org.springframework.security.authentication.AuthenticationEventPublisher;
|
||||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
|
||||
@ -41,6 +42,44 @@ import org.springframework.security.web.AuthenticationEntryPoint;
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Auto configuration for security of a web application or service. By default everything
|
||||
* is secured with HTTP Basic authentication except the
|
||||
* {@link SecurityProperties#getIgnored() explicitly ignored} paths (defaults to
|
||||
* <code>/css/**, /js/**, /images/**, /**/favicon.ico</code>). Many
|
||||
* aspects of the behaviour can be controller with {@link SecurityProperties} via
|
||||
* externalized application properties (or via an bean definition of that type to set the
|
||||
* defaults). The user details for authentication are just placeholders
|
||||
* <code>(username=user,
|
||||
* password=password)</code> but can easily be customized by providing a bean definition
|
||||
* of type {@link AuthenticationManager}. Also provides audit logging of authentication
|
||||
* events.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* The framework {@link EndpointsProperties} configuration bean has explicitly
|
||||
* {@link EndpointsProperties#getSecurePaths() secure} and
|
||||
* {@link EndpointsProperties#getOpenPaths() open} paths (by name) which are always
|
||||
* respected by the filter created here. You can override the paths of those endpoints
|
||||
* using application properties (e.g. <code>endpoints.info.path</code> is open, and
|
||||
* <code>endpoints.metrics.path</code> is secure), but not the security aspects. The
|
||||
* always secure paths are management endpoints that would be inadvisable to expose to all
|
||||
* users.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* Some common simple customizations:
|
||||
* <ul>
|
||||
* <li>Switch off security completely and permanently: remove Spring Security from the
|
||||
* classpath</li>
|
||||
* <li>Switch off security temporarily (e.g. for a dev environment): set
|
||||
* <code>security.basic.enabled: false</code></li>
|
||||
* <li>Customize the user details: add an AuthenticationManager bean</li>
|
||||
* <li>Add form login for user facing resources: add a
|
||||
* {@link WebSecurityConfigurerAdapter} and use {@link HttpConfiguration#formLogin()}</li>
|
||||
* </ul>
|
||||
* </p>
|
||||
*
|
||||
* @author Dave Syer
|
||||
*/
|
||||
@Configuration
|
||||
@ -67,6 +106,8 @@ public class SecurityAutoConfiguration {
|
||||
return new BoostrapWebSecurityConfigurerAdapter();
|
||||
}
|
||||
|
||||
// Give user-supplied filters a chance to be last in line
|
||||
@Order(Integer.MAX_VALUE - 10)
|
||||
private static class BoostrapWebSecurityConfigurerAdapter extends
|
||||
WebSecurityConfigurerAdapter {
|
||||
|
||||
|