From f84df423e8dc59e9dce68def4d0494939ed2d328 Mon Sep 17 00:00:00 2001 From: Dave Syer Date: Fri, 1 Nov 2013 15:07:02 +0000 Subject: [PATCH] Better implementation of ignores in security config --- .../SecurityAutoConfiguration.java | 100 ++++++++++-------- 1 file changed, 53 insertions(+), 47 deletions(-) diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java index 595d391abd..6363acc115 100644 --- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java +++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java @@ -22,6 +22,8 @@ import java.util.LinkedHashSet; import java.util.List; import java.util.Set; +import javax.servlet.Filter; + import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -46,6 +48,7 @@ import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.DefaultAuthenticationEventPublisher; import org.springframework.security.authentication.ProviderManager; import org.springframework.security.config.annotation.ObjectPostProcessor; +import org.springframework.security.config.annotation.SecurityConfigurer; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; @@ -98,9 +101,6 @@ import org.springframework.security.web.util.matcher.AnyRequestMatcher; @EnableConfigurationProperties public class SecurityAutoConfiguration { - private static List DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**", - "/images/**", "/**/favicon.ico"); - private static final String[] NO_PATHS = new String[0]; @Bean(name = "org.springframework.actuate.properties.SecurityProperties") @@ -129,6 +129,56 @@ public class SecurityAutoConfiguration { return new ManagementWebSecurityConfigurerAdapter(); } + @Bean + @ConditionalOnMissingBean({ IgnoredPathsWebSecurityConfigurerAdapter.class }) + public SecurityConfigurer ignoredPathsWebSecurityConfigurerAdapter() { + return new IgnoredPathsWebSecurityConfigurerAdapter(); + } + + // Get the ignored paths in early + @Order(Ordered.HIGHEST_PRECEDENCE) + private static class IgnoredPathsWebSecurityConfigurerAdapter implements + SecurityConfigurer { + + private static List DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**", + "/images/**", "/**/favicon.ico"); + + @Autowired(required = false) + private ErrorController errorController; + + @Autowired(required = false) + private EndpointHandlerMapping endpointHandlerMapping; + + @Autowired + private SecurityProperties security; + + @Override + public void configure(WebSecurity builder) throws Exception { + } + + @Override + public void init(WebSecurity builder) throws Exception { + IgnoredRequestConfigurer ignoring = builder.ignoring(); + ignoring.antMatchers(getEndpointPaths(this.endpointHandlerMapping, false)); + List ignored = new ArrayList(this.security.getIgnored()); + if (!this.security.getManagement().isEnabled()) { + ignored.addAll(Arrays.asList(getEndpointPaths( + this.endpointHandlerMapping, true))); + } + if (ignored.isEmpty()) { + ignored.addAll(DEFAULT_IGNORED); + } + else if (ignored.contains("none")) { + ignored.remove("none"); + } + if (this.errorController != null) { + ignored.add(this.errorController.getErrorPath()); + } + ignoring.antMatchers(ignored.toArray(new String[0])); + } + + } + // Give user-supplied filters a chance to be last in line @Order(Ordered.LOWEST_PRECEDENCE - 5) private static class ApplicationWebSecurityConfigurerAdapter extends @@ -140,12 +190,6 @@ public class SecurityAutoConfiguration { @Autowired private AuthenticationEventPublisher authenticationEventPublisher; - @Autowired(required = false) - private ErrorController errorController; - - @Autowired(required = false) - private EndpointHandlerMapping endpointHandlerMapping; - @Override protected void configure(HttpSecurity http) throws Exception { @@ -193,26 +237,6 @@ public class SecurityAutoConfiguration { return entryPoint; } - @Override - public void configure(WebSecurity builder) throws Exception { - IgnoredRequestConfigurer ignoring = builder.ignoring(); - List ignored = new ArrayList(this.security.getIgnored()); - if (!this.security.getManagement().isEnabled()) { - ignored.addAll(Arrays.asList(getEndpointPaths( - this.endpointHandlerMapping, true))); - } - if (ignored.isEmpty()) { - ignored.addAll(DEFAULT_IGNORED); - } - else if (ignored.contains("none")) { - ignored.remove("none"); - } - if (this.errorController != null) { - ignored.add(this.errorController.getErrorPath()); - } - ignoring.antMatchers(ignored.toArray(new String[0])); - } - @Override protected AuthenticationManager authenticationManager() throws Exception { AuthenticationManager manager = super.authenticationManager(); @@ -268,24 +292,6 @@ public class SecurityAutoConfiguration { } - @Override - public void configure(WebSecurity builder) throws Exception { - IgnoredRequestConfigurer ignoring = builder.ignoring(); - List ignored = new ArrayList(); - if (!this.security.getBasic().isEnabled()) { - ignored.addAll(this.security.getIgnored()); - if (ignored.isEmpty()) { - ignored.addAll(DEFAULT_IGNORED); - } - else if (ignored.contains("none")) { - ignored.remove("none"); - } - } - ignored.addAll(Arrays.asList(getEndpointPaths(this.endpointHandlerMapping, - false))); - ignoring.antMatchers(ignored.toArray(new String[0])); - } - private AuthenticationEntryPoint entryPoint() { BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint(); entryPoint.setRealmName(this.security.getBasic().getRealm());