From f888567c1d303d7e0521991ce832bd2a935e667c Mon Sep 17 00:00:00 2001 From: Dave Syer Date: Mon, 17 Feb 2014 18:08:23 +0000 Subject: [PATCH] Be defensive about Spring Security dependencies In particular don't assume that Spring Security Web is on the classpath, just because Spring Security Core is. Fixes gh-363 --- .../ManagementServerProperties.java | 5 +- .../security/AuthenticationAuditListener.java | 50 ++++++++++++++----- 2 files changed, 41 insertions(+), 14 deletions(-) diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java index a61562ea1c..138437eba0 100644 --- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java +++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java @@ -119,8 +119,9 @@ public class ManagementServerProperties implements SecurityPrequisite { } private static Security maybeCreateSecurity() { - return (ClassUtils.isPresent("org.springframework.security.core.Authentication", - null) ? new Security() : null); + return (ClassUtils.isPresent( + "org.springframework.security.config.http.SessionCreationPolicy", null) ? new Security() + : null); } } diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/security/AuthenticationAuditListener.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/security/AuthenticationAuditListener.java index ecfdb06c16..14f8db75b9 100644 --- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/security/AuthenticationAuditListener.java +++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/security/AuthenticationAuditListener.java 
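Review bot: The presence check in `maybeCreateSecurity()` names `SessionCreationPolicy` as a bare string, with nothing saying why that class is the sentinel, so a reader cannot tell which Spring Security module the nested `Security` type actually needs. I would add a comment above the return, for example `// Security uses SessionCreationPolicy (spring-security-config); spring-security-core alone is not enough`, assuming that is the reason, since `Security` is defined outside this hunk. The comment should also say that the method returns null when the class is absent, so code reading the management security settings must handle null. Because the name is a string, a typo or a relocated class would silently turn those settings off, so a test that pins the literal to the real class would be worth having.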
@@ -27,6 +27,7 @@ import org.springframework.context.ApplicationListener; import org.springframework.security.authentication.event.AbstractAuthenticationEvent; import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent; import org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent; +import org.springframework.util.ClassUtils; /** * {@link ApplicationListener} expose Spring Security {@link AbstractAuthenticationEvent @@ -39,18 +40,30 @@ public class AuthenticationAuditListener implements private ApplicationEventPublisher publisher; + private WebAuditListener webListener = maybeCreateWebListener(); + @Override public void setApplicationEventPublisher(ApplicationEventPublisher publisher) { this.publisher = publisher; } + private static WebAuditListener maybeCreateWebListener() { + if (ClassUtils + .isPresent( + "org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent", + null)) { + return new WebAuditListener(); + } + return null; + } + @Override public void onApplicationEvent(AbstractAuthenticationEvent event) { if (event instanceof AbstractAuthenticationFailureEvent) { onAuthenticationFailureEvent((AbstractAuthenticationFailureEvent) event); } - else if (event instanceof AuthenticationSwitchUserEvent) { - onAuthenticationSwitchUserEvent((AuthenticationSwitchUserEvent) event); + else if (this.webListener != null && this.webListener.accepts(event)) { + this.webListener.process(this, event); } else { onAuthenticationEvent(event); 
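Review bot: Nothing on the `webListener` field or `maybeCreateWebListener()` explains why switch-user handling goes through a nested class. The protection is fragile: it holds only while the outer class body never references `AuthenticationSwitchUserEvent` directly. I would add a comment on the field such as `// null when Spring Security Web is absent; only WebAuditListener may reference spring-security-web types`. The field is assigned once and could be declared `private final WebAuditListener webListener = maybeCreateWebListener();`. The body of `onApplicationEvent` continues past the end of this hunk.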
@@ -65,16 +78,6 @@ public class AuthenticationAuditListener implements "AUTHENTICATION_FAILURE", data)); } - private void onAuthenticationSwitchUserEvent(AuthenticationSwitchUserEvent event) { - Map data = new HashMap(); - if (event.getAuthentication().getDetails() != null) { - data.put("details", event.getAuthentication().getDetails()); - } - data.put("target", event.getTargetUser().getUsername()); - publish(new AuditEvent(event.getAuthentication().getName(), - "AUTHENTICATION_SWITCH", data)); - } - private void onAuthenticationEvent(AbstractAuthenticationEvent event) { Map data = new HashMap(); if (event.getAuthentication().getDetails() != null) { @@ -90,4 +93,27 @@ public class AuthenticationAuditListener implements } } + private static class WebAuditListener { + + public void process(AuthenticationAuditListener listener, + AbstractAuthenticationEvent input) { + if (listener != null) { + AuthenticationSwitchUserEvent event = (AuthenticationSwitchUserEvent) input; + Map data = new HashMap(); + if (event.getAuthentication().getDetails() != null) { + data.put("details", event.getAuthentication().getDetails()); + } + data.put("target", event.getTargetUser().getUsername()); + listener.publish(new AuditEvent(event.getAuthentication().getName(), + "AUTHENTICATION_SWITCH", data)); + } + + } + + public boolean accepts(AbstractAuthenticationEvent event) { + return event instanceof AuthenticationSwitchUserEvent; + } + + } + }
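Review bot: In `WebAuditListener.process`, `event.getTargetUser().getUsername()` is dereferenced without a null check, although the `details` lookup just above it is guarded. As far as I know, Spring Security can publish an `AuthenticationSwitchUserEvent` with a null target user when a switch is exited and the original principal is not a `UserDetails`. The listener would then throw and the `AUTHENTICATION_SWITCH` audit record for that impersonation would be lost. I would guard it the same way as `details`: `if (event.getTargetUser() != null) { data.put("target", event.getTargetUser().getUsername()); }`. Separately, the `listener != null` test is redundant because the only visible caller passes `this`, and the unchecked cast relies on `accepts` having been called first, which deserves a one-line comment on `process`.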