Move security.* to spring.security.*

This commit also removes `security.basic.enabled` as this property is
no longer required.

Closes gh-10296

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityFilterAutoConfiguration.java

@@ -62,17 +62,17 @@ public class SecurityFilterAutoConfiguration {
 			SecurityProperties securityProperties) {
 		DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(
 				DEFAULT_FILTER_NAME);
-		registration.setOrder(securityProperties.getFilterOrder());
+		registration.setOrder(securityProperties.getFilter().getOrder());
 		registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
 		return registration;
 	}
 
 	private EnumSet<DispatcherType> getDispatcherTypes(
 			SecurityProperties securityProperties) {
-		if (securityProperties.getFilterDispatcherTypes() == null) {
+		if (securityProperties.getFilter().getDispatcherTypes() == null) {
 			return null;
 		}
-		return securityProperties.getFilterDispatcherTypes().stream()
+		return securityProperties.getFilter().getDispatcherTypes().stream()
 				.map((type) -> DispatcherType.valueOf(type.name())).collect(Collectors
 						.collectingAndThen(Collectors.toSet(), EnumSet::copyOf));
 	}

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java

@@ -26,12 +26,12 @@ import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.core.Ordered;
 
 /**
- * Properties for the security aspects of an application.
+ * Configuration properties for Spring Security.
  *
  * @author Dave Syer
  * @author Andy Wilkinson
  */
-@ConfigurationProperties(prefix = "security")
+@ConfigurationProperties(prefix = "spring.security")
 public class SecurityProperties implements SecurityPrerequisite {
 
 	/**
@@ -56,56 +56,39 @@ public class SecurityProperties implements SecurityPrerequisite {
 	public static final int DEFAULT_FILTER_ORDER = FilterRegistrationBean.REQUEST_WRAPPER_FILTER_MAX_ORDER
 			- 100;
 
-	private Basic basic = new Basic();
+	private final Filter filter = new Filter();
 
-	/**
-	 * Security filter chain order.
-	 */
-	private int filterOrder = DEFAULT_FILTER_ORDER;
-
-	/**
-	 * Security filter chain dispatcher types.
-	 */
-	private Set<DispatcherType> filterDispatcherTypes = new HashSet<>(Arrays
-			.asList(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST));
-
-	public Basic getBasic() {
-		return this.basic;
+	public Filter getFilter() {
+		return this.filter;
 	}
 
-	public void setBasic(Basic basic) {
-		this.basic = basic;
-	}
-
-	public int getFilterOrder() {
-		return this.filterOrder;
-	}
-
-	public void setFilterOrder(int filterOrder) {
-		this.filterOrder = filterOrder;
-	}
-
-	public Set<DispatcherType> getFilterDispatcherTypes() {
-		return this.filterDispatcherTypes;
-	}
-
-	public void setFilterDispatcherTypes(Set<DispatcherType> filterDispatcherTypes) {
-		this.filterDispatcherTypes = filterDispatcherTypes;
-	}
-
-	public static class Basic {
+	public static class Filter {
 
 		/**
-		 * Enable basic authentication.
+		 * Security filter chain order.
 		 */
-		private boolean enabled = true;
+		private int order = DEFAULT_FILTER_ORDER;
 
-		public boolean isEnabled() {
-			return this.enabled;
+		/**
+		 * Security filter chain dispatcher types.
+		 */
+		private Set<DispatcherType> dispatcherTypes = new HashSet<>(Arrays
+				.asList(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST));
+
+		public int getOrder() {
+			return this.order;
 		}
 
-		public void setEnabled(boolean enabled) {
-			this.enabled = enabled;
+		public void setOrder(int order) {
+			this.order = order;
+		}
+
+		public Set<DispatcherType> getDispatcherTypes() {
+			return this.dispatcherTypes;
+		}
+
+		public void setDispatcherTypes(Set<DispatcherType> dispatcherTypes) {
+			this.dispatcherTypes = dispatcherTypes;
 		}
 
 	}

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java

@@ -18,7 +18,6 @@ package org.springframework.boot.autoconfigure.security;
 
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.context.annotation.Configuration;
@@ -37,7 +36,6 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
  * @author Madhura Bhave
  * @since 2.0.0
  */
-@ConditionalOnProperty(prefix = "security.basic", name = "enabled", havingValue = "true", matchIfMissing = true)
 @ConditionalOnClass(EnableWebSecurity.class)
 @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
 @ConditionalOnWebApplication(type = Type.SERVLET)

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2RestOperationsConfiguration.java

@@ -95,7 +95,7 @@ public class OAuth2RestOperationsConfiguration {
 				OAuth2ClientContextFilter filter, SecurityProperties security) {
 			FilterRegistrationBean<OAuth2ClientContextFilter> registration = new FilterRegistrationBean<>();
 			registration.setFilter(filter);
-			registration.setOrder(security.getFilterOrder() - 10);
+			registration.setOrder(security.getFilter().getOrder() - 10);
 			return registration;
 		}
 

spring-boot-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -1,7 +1,32 @@
 {"properties": [
   {
-    "name": "security.filter-dispatcher-types",
-    "defaultValue": ["async", "error", "request"]
+    "name" : "security.basic.enabled",
+    "type" : "java.lang.Boolean",
+    "description" : "Enable basic authentication.",
+    "defaultValue" : true,
+    "deprecation" : {
+      "reason": "The security auto-configuration is no longer customizable. Provide your own WebSecurityConfigurer bean instead.",
+      "level" : "error"
+    }
+  },
+  {
+    "name" : "security.filter-dispatcher-types",
+    "type" : "java.util.Set<java.lang.String>",
+    "description" : "Security filter chain dispatcher types.",
+    "deprecation" : {
+      "replacement" : "spring.security.filter.dispatcher-types",
+      "level" : "error"
+    }
+  },
+  {
+    "name" : "security.filter-order",
+    "type" : "java.lang.Integer",
+    "description" : "Security filter chain order.",
+    "defaultValue" : 0,
+    "deprecation" : {
+      "replacement" : "spring.security.filter.order",
+      "level" : "error"
+    }
   },
   {
     "name": "server.error.include-stacktrace",
@@ -355,6 +380,10 @@
     "description": "Create an AmqpAdmin bean.",
     "defaultValue": true
   },
+  {
+    "name": "spring.security.filter.dispatcher-types",
+    "defaultValue": ["async", "error", "request"]
+  },
   {
     "name": "spring.session.hazelcast.flush-mode",
     "defaultValue": "on-save"

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java

@@ -136,7 +136,7 @@ public class SecurityAutoConfigurationTests {
 	@Test
 	public void testCustomFilterOrder() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
-		TestPropertyValues.of("security.filter-order:12345").applyTo(this.context);
+		TestPropertyValues.of("spring.security.filter.order:12345").applyTo(this.context);
 		this.context.setServletContext(new MockServletContext());
 		this.context.register(SecurityAutoConfiguration.class,
 				SecurityFilterAutoConfiguration.class,
@@ -159,19 +159,6 @@ public class SecurityAutoConfigurationTests {
 				.hasSize(1);
 	}
 
-	@Test
-	public void testDisableDefaultSecurity() throws Exception {
-		this.context = new AnnotationConfigWebApplicationContext();
-		this.context.setServletContext(new MockServletContext());
-		this.context.register(SecurityAutoConfiguration.class,
-				PropertyPlaceholderAutoConfiguration.class);
-		TestPropertyValues.of("security.basic.enabled:false").applyTo(this.context);
-		this.context.refresh();
-		// Ignores and the "matches-none" filter only
-		assertThat(this.context.getBeanNamesForType(FilterChainProxy.class).length)
-				.isEqualTo(0);
-	}
-
 	@Test
 	public void testAuthenticationManagerCreated() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
@@ -357,7 +344,7 @@ public class SecurityAutoConfigurationTests {
 		this.context.register(SecurityAutoConfiguration.class,
 				SecurityFilterAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
-		TestPropertyValues.of("security.filter-dispatcher-types:INCLUDE,ERROR")
+		TestPropertyValues.of("spring.security.filter.dispatcher-types:INCLUDE,ERROR")
 				.applyTo(this.context);
 		this.context.refresh();
 		DelegatingFilterProxyRegistrationBean bean = this.context.getBean(

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java

@@ -38,8 +38,8 @@ public class SecurityPropertiesTests {
 
 	@Test
 	public void testBinding() {
-		bind("security.basic.enabled", "false");
-		assertThat(this.security.getBasic().isEnabled()).isFalse();
+		bind("spring.security.filter.order", "55");
+		assertThat(this.security.getFilter().getOrder()).isEqualTo(55);
 	}
 
 	private void bind(String name, String value) {
@@ -47,7 +47,7 @@ public class SecurityPropertiesTests {
 	}
 
 	private void bind(ConfigurationPropertySource source) {
-		new Binder(source).bind("security", Bindable.ofInstance(this.security));
+		new Binder(source).bind("spring.security", Bindable.ofInstance(this.security));
 	}
 
 }

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2RestOperationsConfigurationTests.java

@@ -19,7 +19,6 @@ package org.springframework.boot.autoconfigure.security.oauth2.client;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
-import org.mockito.Mockito;
 
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.boot.WebApplicationType;
@@ -122,15 +121,11 @@ public class OAuth2RestOperationsConfigurationTests {
 	}
 
 	@Configuration
-	@Import({ OAuth2ClientConfiguration.class, OAuth2RestOperationsConfiguration.class })
+	@Import({ SecurityProperties.class,
+			OAuth2ClientConfiguration.class, OAuth2RestOperationsConfiguration.class })
 	protected static class ConfigForSessionScopedConfiguration
 			extends WebApplicationConfiguration {
 
-		@Bean
-		public SecurityProperties securityProperties() {
-			return Mockito.mock(SecurityProperties.class);
-		}
-
 	}
 
 	@Configuration

spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc

@@ -476,9 +476,8 @@ content into your application; rather pick only the properties that you need.
 	# SECURITY PROPERTIES
 	# ----------------------------------------
 	# SECURITY ({sc-spring-boot-autoconfigure}/security/SecurityProperties.{sc-ext}[SecurityProperties])
-    security.basic.enabled=true # Enable basic authentication.
-    security.filter-order=0 # Security filter chain order.
-    security.filter-dispatcher-types=ASYNC,ERROR,REQUEST # Security filter chain dispatcher types.
+    spring.security.filter.order=0 # Security filter chain order.
+    spring.security.filter.dispatcher-types=ASYNC,ERROR,REQUEST # Security filter chain dispatcher types.
 
 	# SECURITY OAUTH2 CLIENT ({sc-spring-boot-autoconfigure}/security/oauth2/OAuth2ClientProperties.{sc-ext}[OAuth2ClientProperties])
 	security.oauth2.client.client-id= # OAuth2 client id.

spring-boot-samples/spring-boot-sample-secure-oauth2-resource/src/main/resources/application.properties

@@ -1,6 +1,5 @@
 server.port=8081
 spring.datasource.platform=h2
-security.basic.enabled=false
 security.oauth2.resource.id=service
 security.oauth2.resource.userInfoUri=http://localhost:8080/user
 logging.level.org.springframework.security=DEBUG

spring-boot-samples/spring-boot-sample-web-secure-custom/src/main/resources/application.properties

@@ -1,3 +1,2 @@
 spring.thymeleaf.cache: false
-security.basic.enabled: false
 logging.level.org.springframework.security: INFO

spring-boot-samples/spring-boot-sample-web-secure-jdbc/src/main/resources/application.properties

@@ -1,4 +1,3 @@
 debug: true
 spring.thymeleaf.cache: false
-security.basic.enabled: false
 logging.level.org.springframework.security: INFO

spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/application.properties

@@ -1,5 +1,4 @@
 spring.thymeleaf.cache: false
-security.basic.enabled: false
 # demo only:
 logging.level.org.springframework.security: INFO
 logging.level.org.springframework.boot.actuate.audit.listener.AuditListener: DEBUG