diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/OAuth2AutoConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/OAuth2AutoConfiguration.java index acdcd7ad76..6df9a1aa3a 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/OAuth2AutoConfiguration.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/OAuth2AutoConfiguration.java @@ -23,7 +23,7 @@ import org.springframework.boot.autoconfigure.AutoConfigureBefore; import org.springframework.boot.autoconfigure.EnableAutoConfiguration; import org.springframework.boot.autoconfigure.condition.ConditionalOnClass; import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication; -import org.springframework.boot.autoconfigure.security.oauth2.authserver.SpringSecurityOAuth2AuthorizationServerConfiguration; +import org.springframework.boot.autoconfigure.security.oauth2.authserver.OAuth2AuthorizationServerConfiguration; import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2RestOperationsConfiguration; import org.springframework.boot.autoconfigure.security.oauth2.method.OAuth2MethodSecurityConfiguration; import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerConfiguration; @@ -46,7 +46,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter */ @Configuration @ConditionalOnClass({ OAuth2AccessToken.class, WebMvcConfigurerAdapter.class }) -@Import({ SpringSecurityOAuth2AuthorizationServerConfiguration.class, +@Import({ OAuth2AuthorizationServerConfiguration.class, OAuth2MethodSecurityConfiguration.class, OAuth2ResourceServerConfiguration.class, OAuth2RestOperationsConfiguration.class }) @AutoConfigureBefore(WebMvcAutoConfiguration.class) 
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/authserver/SpringSecurityOAuth2AuthorizationServerConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/authserver/OAuth2AuthorizationServerConfiguration.java
similarity index 97%
rename from spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/authserver/SpringSecurityOAuth2AuthorizationServerConfiguration.java
rename to spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/authserver/OAuth2AuthorizationServerConfiguration.java
index 1796505376..08909f2c15 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/authserver/SpringSecurityOAuth2AuthorizationServerConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/authserver/OAuth2AuthorizationServerConfiguration.java
@@ -60,11 +60,11 @@ import org.springframework.security.oauth2.provider.token.TokenStore;
 @ConditionalOnMissingBean(AuthorizationServerConfigurer.class)
 @ConditionalOnBean(AuthorizationServerEndpointsConfiguration.class)
 @EnableConfigurationProperties
-public class SpringSecurityOAuth2AuthorizationServerConfiguration extends
+public class OAuth2AuthorizationServerConfiguration extends
 AuthorizationServerConfigurerAdapter {
 private static final Log logger = LogFactory
- .getLog(SpringSecurityOAuth2AuthorizationServerConfiguration.class);
+ .getLog(OAuth2AuthorizationServerConfiguration.class);
 @Autowired
 private BaseClientDetails details;
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/EnableOAuth2Sso.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/EnableOAuth2Sso.java
index bd98af729c..f06d3c6176 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/EnableOAuth2Sso.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/EnableOAuth2Sso.java @@ -23,6 +23,7 @@ import java.lang.annotation.RetentionPolicy; import java.lang.annotation.Target; import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerTokenServicesConfiguration; +import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.context.annotation.Import; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client; @@ -42,6 +43,7 @@ import org.springframework.security.oauth2.config.annotation.web.configuration.E @Retention(RetentionPolicy.RUNTIME) @Documented @EnableOAuth2Client +@EnableConfigurationProperties(OAuth2SsoProperties.class) @Import({ OAuth2SsoDefaultConfiguration.class, OAuth2SsoCustomConfiguration.class, ResourceServerTokenServicesConfiguration.class }) public @interface EnableOAuth2Sso { diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2RestOperationsConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2RestOperationsConfiguration.java index 1305b1c82a..bfbc8037dd 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2RestOperationsConfiguration.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2RestOperationsConfiguration.java 
@@ -138,7 +138,7 @@ public class OAuth2RestOperationsConfiguration {
 protected static class RequestScopedConfiguration extends BaseConfiguration {
 @Bean
- @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
+ @Scope(value = "request", proxyMode = ScopedProxyMode.INTERFACES)
 public OAuth2ClientContext oauth2ClientContext() {
 DefaultOAuth2ClientContext context = new DefaultOAuth2ClientContext(
 new DefaultAccessTokenRequest());
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2SsoDefaultConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2SsoDefaultConfiguration.java
index d8d509de66..8e475b1508 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2SsoDefaultConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2SsoDefaultConfiguration.java
@@ -21,7 +21,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionOutcome;
 import org.springframework.boot.autoconfigure.condition.SpringBootCondition;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2SsoDefaultConfiguration.NeedsWebSecurityCondition;
 import org.springframework.context.annotation.ConditionContext;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
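Review bot: The scope of `oauth2ClientContext()` in `RequestScopedConfiguration` is still spelled as a bare string, so a mismatch between the class name and the scope value (as with the `"session"` value being replaced) can only be caught by reading it. Using the framework constant, `@Scope(value = WebApplicationContext.SCOPE_REQUEST, proxyMode = ScopedProxyMode.INTERFACES)` (with the matching import), makes the intent explicit. Since this scope decides how long the client context and any token state held in it live, a short comment on the bean would help, for example `// request scope: the client context must not be kept in the HTTP session`. The method body continues past the end of the hunk.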
@@ -41,46 +41,39 @@ import org.springframework.util.ClassUtils; * @since 1.3.0 */ @Configuration -@EnableConfigurationProperties(OAuth2SsoProperties.class) -public class OAuth2SsoDefaultConfiguration { +@Conditional(NeedsWebSecurityCondition.class) +public class OAuth2SsoDefaultConfiguration extends WebSecurityConfigurerAdapter implements + Ordered { - @Configuration - @Conditional(NeedsWebSecurityCondition.class) - protected static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter - implements Ordered { + @Autowired + BeanFactory beanFactory; - @Autowired - BeanFactory beanFactory; + @Autowired + OAuth2SsoProperties sso; - @Autowired - OAuth2SsoProperties sso; + @Override + protected void configure(HttpSecurity http) throws Exception { + http.antMatcher("/**").authorizeRequests().anyRequest().authenticated(); + new SsoSecurityConfigurer(this.beanFactory).configure(http); + } - @Override - protected void configure(HttpSecurity http) throws Exception { - http.antMatcher("/**").authorizeRequests().anyRequest().authenticated(); - new SsoSecurityConfigurer(this.beanFactory).configure(http); + @Override + public int getOrder() { + if (this.sso.getFilterOrder() != null) { + return this.sso.getFilterOrder(); } - - @Override - public int getOrder() { - if (this.sso.getFilterOrder() != null) { - return this.sso.getFilterOrder(); - } - if (ClassUtils - .isPresent( - "org.springframework.boot.actuate.autoconfigure.ManagementServerProperties", - null)) { - // If > BASIC_AUTH_ORDER then the existing rules for the actuator - // endpoints - // will take precedence. This value is < BASIC_AUTH_ORDER. - return SecurityProperties.ACCESS_OVERRIDE_ORDER - 5; - } - return SecurityProperties.ACCESS_OVERRIDE_ORDER; + if (ClassUtils + .isPresent( + "org.springframework.boot.actuate.autoconfigure.ManagementServerProperties", + null)) { + // If > BASIC_AUTH_ORDER then the existing rules for the actuator + // endpoints will take precedence. This value is < BASIC_AUTH_ORDER. 
+ return SecurityProperties.ACCESS_OVERRIDE_ORDER - 5; } - + return SecurityProperties.ACCESS_OVERRIDE_ORDER; } - private static class NeedsWebSecurityCondition extends SpringBootCondition { + protected static class NeedsWebSecurityCondition extends SpringBootCondition { @Override public ConditionOutcome getMatchOutcome(ConditionContext context, diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/SpringSecurityOAuth2AutoConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/SpringSecurityOAuth2AutoConfigurationTests.java index 1dbfe67436..7bab5c2d49 100644 --- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/SpringSecurityOAuth2AutoConfigurationTests.java +++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/SpringSecurityOAuth2AutoConfigurationTests.java @@ -24,7 +24,7 @@ import org.junit.Test; import org.springframework.aop.support.AopUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration; -import org.springframework.boot.autoconfigure.security.oauth2.authserver.SpringSecurityOAuth2AuthorizationServerConfiguration; +import org.springframework.boot.autoconfigure.security.oauth2.authserver.OAuth2AuthorizationServerConfiguration; import org.springframework.boot.autoconfigure.security.oauth2.method.OAuth2MethodSecurityConfiguration; import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerConfiguration; import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties; 
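Review bot: `getOrder()` reads `this.sso`, yet in the `OAuth2SsoDefaultConfiguration` hunk (SOURCE lines 5–6) the class loses `@EnableConfigurationProperties(OAuth2SsoProperties.class)`; the binding now comes only from `@EnableOAuth2Sso`, which gains that annotation in the same commit, so importing this configuration any other way would presumably fail on the `OAuth2SsoProperties` injection. Because the order returned here decides whether the catch-all `antMatcher("/**")` chain requiring authentication or the actuator rules take precedence, that dependency deserves a line in the class Javadoc, e.g. `Relies on {@link EnableOAuth2Sso} to register {@link OAuth2SsoProperties}.` The two injected fields could also be narrowed to `private`, as in `@Autowired private OAuth2SsoProperties sso;`. `NeedsWebSecurityCondition` continues past the end of the hunk.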
@@ -104,7 +104,7 @@ public class SpringSecurityOAuth2AutoConfigurationTests {
 private static final Class RESOURCE_SERVER_CONFIG = OAuth2ResourceServerConfiguration.class;
- private static final Class AUTHORIZATION_SERVER_CONFIG = SpringSecurityOAuth2AuthorizationServerConfiguration.class;
+ private static final Class AUTHORIZATION_SERVER_CONFIG = OAuth2AuthorizationServerConfiguration.class;
 private AnnotationConfigEmbeddedWebApplicationContext context;
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerTokenServicesConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerTokenServicesConfigurationTests.java
index 9ea76eed83..ee9342b8e9 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerTokenServicesConfigurationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerTokenServicesConfigurationTests.java
@@ -19,12 +19,16 @@ package org.springframework.boot.autoconfigure.security.oauth2.resource;
 import org.junit.After;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.support.BeanDefinitionRegistry;
 import org.springframework.boot.autoconfigure.PropertyPlaceholderAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.oauth2.OAuth2ClientProperties;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2RestOperationsConfiguration;
 import org.springframework.boot.autoconfigure.social.FacebookAutoConfiguration;
 import org.springframework.boot.autoconfigure.social.SocialWebAutoConfiguration;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
+import org.springframework.boot.context.embedded.MockEmbeddedServletContainerFactory;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.test.EnvironmentTestUtils;
 import org.springframework.context.ConfigurableApplicationContext;
@@ -37,6 +41,7 @@ import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
 import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
 import org.springframework.social.connect.ConnectionFactoryLocator;
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.mockito.Mockito.mock;
@@ -96,6 +101,19 @@ public class ResourceServerTokenServicesConfigurationTests { assertNotNull(services); } + @Test + public void userInfoNoClient() { + EnvironmentTestUtils.addEnvironment(this.environment, + "spring.oauth2.client.clientId=acme", + "spring.oauth2.resource.userInfoUri:http://example.com", + "server.port=-1", "debug=true"); + this.context = new SpringApplicationBuilder(ResourceNoClientConfiguration.class) + .environment(this.environment).web(true).run(); + BeanDefinition bean = ((BeanDefinitionRegistry) this.context) + .getBeanDefinition("scopedTarget.oauth2ClientContext"); + assertEquals("request", bean.getScope()); + } + @Test public void preferUserInfo() { EnvironmentTestUtils.addEnvironment(this.environment, @@ -154,6 +172,16 @@ public class ResourceServerTokenServicesConfigurationTests { } + @Import({ OAuth2RestOperationsConfiguration.class }) + protected static class ResourceNoClientConfiguration extends ResourceConfiguration { + + @Bean + public MockEmbeddedServletContainerFactory embeddedServletContainerFactory() { + return new MockEmbeddedServletContainerFactory(); + } + + } + @Configuration protected static class ResourceServerPropertiesConfiguration {
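Review bot: The property list in `userInfoNoClient()` mixes separators within one call (`clientId=acme` next to `userInfoUri:http://example.com`) and carries `"debug=true"`, which looks like a debugging leftover rather than something the scope assertion needs. Using one separator and dropping the flag keeps the test focused on the scope check: `"spring.oauth2.resource.userInfoUri=http://example.com", "server.port=-1");`. A short comment stating which configuration is expected to be selected (presumably `RequestScopedConfiguration`) would make the expected `"request"` value self-explanatory to the next reader.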