Commit Graph

17 Commits (b9c80433bc20518111661dc2f74588533b1053ff)

Author SHA1 Message Date
Phillip Webb 44d708ef7a Polish 11 years ago
Dave Syer de9b6a6a22 Switch off debug in secure sample
Fixes gh-438
11 years ago
Phillip Webb 468728a2c0 Polish 11 years ago
Dave Syer b0b7bc0e7f Fix tests
Some assumptions were being made in tests, e.g. about
there being an AuthenticationManager @Bean, which were
false with the new Security 3.2.1 updates from Rob.

Also parent-child contexts with the actuator were
problematic because they didn't exclude the web configuration
for the management security in the parent context.

Fixes gh-244
11 years ago
Phillip Webb ed9735361e Apply source cleanup and formatting 11 years ago
Dave Syer 4d608f20e9 Support for AuthenticationManagerBuilder injection into user code
Spring Boot provides a default AuthenticatiomManager for getting
started quickly with security and never exposing insecure
endpoints. To override that feature as users move to the next
stage in their project, they may have to do something slightly
different depending on whether it is a webapp or not.

In any app (web or not), providing a @Bean of type
AuthenticationManager always works, but you don't get the benefit of
the builder features.

In a webapp the user can also extend WebSecurityConfigurerAdapter
to provides a custom AuthenticationManager, and the preferred
way of doing that is via a void method that is autowired with an
AuthenticationManagerBuilder. The default AuthenticationManager is
built in a configurer with @Order(LOWEST_PRECEDENCE - 3) so
to override it the user's confugrer must have higher precedence
(lower @Order).

@EnableGlobalMethodSecurity can also be used in a non-webapp, and
Spring Boot will still provide a default AuthenticationManager.
To override it the user has to either extend
GlobalMethodSecurityConfiguration or provide a @Bean of type
AuthenticationManager (there's no other way to
capture the AuthenticationManagerBuilder that doesn't happen too late
in the beans lifecyle).

Fixes gh-244
11 years ago
Phillip Webb 0160760568 Apply latest eclipse cleanup rules 11 years ago
Phillip Webb cdda330acd Update copyright header for files changed in 2014 11 years ago
Phillip Webb 47da8a817a Polish 11 years ago
Dave Syer 5bbb01c071 Move properties file to correct location 11 years ago
Dave Syer b1db714c23 Allow @EnableGlobalMethodSecurity in a non webapp
Fixes gh-202
11 years ago
Phillip Webb 1bcd3de7b5 Polish 11 years ago
Dave Syer f448e79f29 Remove long package names from samples
Long package names are really unnecessary in samples and they
just clutter things up. Also Spring Loaded doesn't work with
org.sfw packages, so to demo that technology you need a
different package name.
11 years ago
Dave Syer bd26b28aa5 Extract actuator security into separate classes
So spring-security + a web app is secure by default
(you don't need the actuator).
11 years ago
Dave Syer 0c79c8913f Ensure AutoConfigurationReport is always present 11 years ago
Greg Turnquist b63016d8fc Create a report based on Boot's autoconfiguration decisions
- Gather autoconfiguration conditional decisiions (true and false)
- Provide an actuator endpoint as one means to read the report
- Define @EnableAutConfigurationReport annotation to turn this feature on
- Tidy up autoconfig report a bit and log it if --debug=true
11 years ago
Dave Syer e53dad879d Add sample with form login 11 years ago