From 7ca2a18ab9158399e6a3f72cb1a795713dbd9b52 Mon Sep 17 00:00:00 2001 From: Dave Syer Date: Fri, 7 Jun 2013 08:23:32 +0100 Subject: [PATCH] [bs-138] Add explicit @Order to auto security filter Now users can provide a fallback filter with default @Order and it won't affect the operation of the default secure endpoints. [Fixes #50721675] --- .../SecurityAutoConfiguration.java | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/spring-bootstrap-actuator/src/main/java/org/springframework/bootstrap/actuate/autoconfigure/SecurityAutoConfiguration.java b/spring-bootstrap-actuator/src/main/java/org/springframework/bootstrap/actuate/autoconfigure/SecurityAutoConfiguration.java index f5816fe596f..dd66d60aefa 100644 --- a/spring-bootstrap-actuator/src/main/java/org/springframework/bootstrap/actuate/autoconfigure/SecurityAutoConfiguration.java +++ b/spring-bootstrap-actuator/src/main/java/org/springframework/bootstrap/actuate/autoconfigure/SecurityAutoConfiguration.java @@ -28,6 +28,7 @@ import org.springframework.bootstrap.context.annotation.ConditionalOnMissingBean import org.springframework.bootstrap.context.annotation.EnableConfigurationProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.core.annotation.Order; import org.springframework.security.authentication.AuthenticationEventPublisher; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.DefaultAuthenticationEventPublisher; @@ -41,6 +42,44 @@ import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint; /** + *

+ * Auto configuration for security of a web application or service. By default everything + * is secured with HTTP Basic authentication except the + * {@link SecurityProperties#getIgnored() explicitly ignored} paths (defaults to + * /css/**, /js/**, /images/**, /**/favicon.ico). Many + * aspects of the behaviour can be controller with {@link SecurityProperties} via + * externalized application properties (or via an bean definition of that type to set the + * defaults). The user details for authentication are just placeholders + * (username=user, + * password=password) but can easily be customized by providing a bean definition + * of type {@link AuthenticationManager}. Also provides audit logging of authentication + * events. + *

+ * + *

+ * The framework {@link EndpointsProperties} configuration bean has explicitly + * {@link EndpointsProperties#getSecurePaths() secure} and + * {@link EndpointsProperties#getOpenPaths() open} paths (by name) which are always + * respected by the filter created here. You can override the paths of those endpoints + * using application properties (e.g. endpoints.info.path is open, and + * endpoints.metrics.path is secure), but not the security aspects. The + * always secure paths are management endpoints that would be inadvisable to expose to all + * users. + *

+ * + *

+ * Some common simple customizations: + *

+ *

+ * * @author Dave Syer */ @Configuration @@ -67,6 +106,8 @@ public class SecurityAutoConfiguration { return new BoostrapWebSecurityConfigurerAdapter(); } + // Give user-supplied filters a chance to be last in line + @Order(Integer.MAX_VALUE - 10) private static class BoostrapWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {