diff --git a/spring-bootstrap-actuator/src/main/java/org/springframework/bootstrap/actuate/autoconfigure/SecurityAutoConfiguration.java b/spring-bootstrap-actuator/src/main/java/org/springframework/bootstrap/actuate/autoconfigure/SecurityAutoConfiguration.java
index f5816fe596..dd66d60aef 100644
--- a/spring-bootstrap-actuator/src/main/java/org/springframework/bootstrap/actuate/autoconfigure/SecurityAutoConfiguration.java
+++ b/spring-bootstrap-actuator/src/main/java/org/springframework/bootstrap/actuate/autoconfigure/SecurityAutoConfiguration.java
@@ -28,6 +28,7 @@ import org.springframework.bootstrap.context.annotation.ConditionalOnMissingBean
 import org.springframework.bootstrap.context.annotation.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
@@ -41,6 +42,44 @@ import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 /**
+ *

+ * Auto configuration for security of a web application or service. By default everything
+ * is secured with HTTP Basic authentication except the
+ * {@link SecurityProperties#getIgnored() explicitly ignored} paths (defaults to
+ * /css/**, /js/**, /images/**, /**/favicon.ico). Many
+ * aspects of the behaviour can be controller with {@link SecurityProperties} via
+ * externalized application properties (or via an bean definition of that type to set the
+ * defaults). The user details for authentication are just placeholders
+ * (username=user,
+ * password=password) but can easily be customized by providing a bean definition
+ * of type {@link AuthenticationManager}. Also provides audit logging of authentication
+ * events.
+ *

+ * + *

+ * The framework {@link EndpointsProperties} configuration bean has explicitly
+ * {@link EndpointsProperties#getSecurePaths() secure} and
+ * {@link EndpointsProperties#getOpenPaths() open} paths (by name) which are always
+ * respected by the filter created here. You can override the paths of those endpoints
+ * using application properties (e.g. endpoints.info.path is open, and
+ * endpoints.metrics.path is secure), but not the security aspects. The
+ * always secure paths are management endpoints that would be inadvisable to expose to all
+ * users.
+ *

+ * + *

+ * Some common simple customizations: + *

+ *

+ *
 * @author Dave Syer
 */
 @Configuration
@@ -67,6 +106,8 @@ public class SecurityAutoConfiguration {
 return new BoostrapWebSecurityConfigurerAdapter();
 }
+ // Give user-supplied filters a chance to be last in line
+ @Order(Integer.MAX_VALUE - 10)
 private static class BoostrapWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
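Review bot: Two wording errors in the new class javadoc (the hunk starting at the `/**` context line) will be published to users as-is: `aspects of the behaviour can be controller with {@link SecurityProperties}` should read `can be controlled with`, and `via an bean definition of that type` should read `via a bean definition`. Since this paragraph is also where the placeholder credentials (username=user, password=password) are documented, I would phrase the follow-up as an expectation rather than an option, e.g. `These credentials are placeholders and are expected to be replaced by providing a bean of type {@link AuthenticationManager} before the application is exposed.` The `Some common simple customizations:` paragraph near the end of the hunk has no entries in this rendering; if the list was lost in extraction rather than in the commit, disregard this, otherwise the heading should be followed by the examples it announces.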