Better implementation of ignores in security config

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java

@@ -22,6 +22,8 @@ import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Set;
 
+import javax.servlet.Filter;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -46,6 +48,7 @@ import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
+import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -98,9 +101,6 @@ import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 @EnableConfigurationProperties
 public class SecurityAutoConfiguration {
 
-	private static List<String> DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**",
-			"/images/**", "/**/favicon.ico");
-
 	private static final String[] NO_PATHS = new String[0];
 
 	@Bean(name = "org.springframework.actuate.properties.SecurityProperties")
@@ -129,6 +129,56 @@ public class SecurityAutoConfiguration {
 		return new ManagementWebSecurityConfigurerAdapter();
 	}
 
+	@Bean
+	@ConditionalOnMissingBean({ IgnoredPathsWebSecurityConfigurerAdapter.class })
+	public SecurityConfigurer<Filter, WebSecurity> ignoredPathsWebSecurityConfigurerAdapter() {
+		return new IgnoredPathsWebSecurityConfigurerAdapter();
+	}
+
+	// Get the ignored paths in early
+	@Order(Ordered.HIGHEST_PRECEDENCE)
+	private static class IgnoredPathsWebSecurityConfigurerAdapter implements
+			SecurityConfigurer<Filter, WebSecurity> {
+
+		private static List<String> DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**",
+				"/images/**", "/**/favicon.ico");
+
+		@Autowired(required = false)
+		private ErrorController errorController;
+
+		@Autowired(required = false)
+		private EndpointHandlerMapping endpointHandlerMapping;
+
+		@Autowired
+		private SecurityProperties security;
+
+		@Override
+		public void configure(WebSecurity builder) throws Exception {
+		}
+
+		@Override
+		public void init(WebSecurity builder) throws Exception {
+			IgnoredRequestConfigurer ignoring = builder.ignoring();
+			ignoring.antMatchers(getEndpointPaths(this.endpointHandlerMapping, false));
+			List<String> ignored = new ArrayList<String>(this.security.getIgnored());
+			if (!this.security.getManagement().isEnabled()) {
+				ignored.addAll(Arrays.asList(getEndpointPaths(
+						this.endpointHandlerMapping, true)));
+			}
+			if (ignored.isEmpty()) {
+				ignored.addAll(DEFAULT_IGNORED);
+			}
+			else if (ignored.contains("none")) {
+				ignored.remove("none");
+			}
+			if (this.errorController != null) {
+				ignored.add(this.errorController.getErrorPath());
+			}
+			ignoring.antMatchers(ignored.toArray(new String[0]));
+		}
+
+	}
+
 	// Give user-supplied filters a chance to be last in line
 	@Order(Ordered.LOWEST_PRECEDENCE - 5)
 	private static class ApplicationWebSecurityConfigurerAdapter extends
@@ -140,12 +190,6 @@ public class SecurityAutoConfiguration {
 		@Autowired
 		private AuthenticationEventPublisher authenticationEventPublisher;
 
-		@Autowired(required = false)
-		private ErrorController errorController;
-
-		@Autowired(required = false)
-		private EndpointHandlerMapping endpointHandlerMapping;
-
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 
@@ -193,26 +237,6 @@ public class SecurityAutoConfiguration {
 			return entryPoint;
 		}
 
-		@Override
-		public void configure(WebSecurity builder) throws Exception {
-			IgnoredRequestConfigurer ignoring = builder.ignoring();
-			List<String> ignored = new ArrayList<String>(this.security.getIgnored());
-			if (!this.security.getManagement().isEnabled()) {
-				ignored.addAll(Arrays.asList(getEndpointPaths(
-						this.endpointHandlerMapping, true)));
-			}
-			if (ignored.isEmpty()) {
-				ignored.addAll(DEFAULT_IGNORED);
-			}
-			else if (ignored.contains("none")) {
-				ignored.remove("none");
-			}
-			if (this.errorController != null) {
-				ignored.add(this.errorController.getErrorPath());
-			}
-			ignoring.antMatchers(ignored.toArray(new String[0]));
-		}
-
 		@Override
 		protected AuthenticationManager authenticationManager() throws Exception {
 			AuthenticationManager manager = super.authenticationManager();
@@ -268,24 +292,6 @@ public class SecurityAutoConfiguration {
 
 		}
 
-		@Override
-		public void configure(WebSecurity builder) throws Exception {
-			IgnoredRequestConfigurer ignoring = builder.ignoring();
-			List<String> ignored = new ArrayList<String>();
-			if (!this.security.getBasic().isEnabled()) {
-				ignored.addAll(this.security.getIgnored());
-				if (ignored.isEmpty()) {
-					ignored.addAll(DEFAULT_IGNORED);
-				}
-				else if (ignored.contains("none")) {
-					ignored.remove("none");
-				}
-			}
-			ignored.addAll(Arrays.asList(getEndpointPaths(this.endpointHandlerMapping,
-					false)));
-			ignoring.antMatchers(ignored.toArray(new String[0]));
-		}
-
 		private AuthenticationEntryPoint entryPoint() {
 			BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
 			entryPoint.setRealmName(this.security.getBasic().getRealm());