User can enable OAuth2 SSO by declaring the intent (@EnableOAuth2Sso)
and also configuring the client properties (spring.oauth2.client.*).
The spring.oauth2.sso.* are only needed to change the path for the
login (defaults to /login) - any other security configuration for the
protected resources can be added in a WebSecurityConfigurerAdapter
which carries the @EnableOAuth2Sso annotation.
* Automatically spin up Authorization Server and Resource Server
* Automatically configures method level security included OAuth2Expression handler
* Wrote extensive unit tests verifying default behavior as well as the auto-configuration backing off when custom Authorization/Resource servers are included
* Created org.springframework.boot.security.oauth2 subpackage to contain it
* Can also disable either resource of authorization server completely with a single property for each
* Print out the auto-generated secrets and other settings
* Added spring-boot-sample-secure-oauth2 to provide a sample that can be run and poked with curl as well as some automated tests.
* Make users ask for which servers to install by adding @Enable*
* User has to @EnableGlobalMethodSecurity instead of using properties files
Add Spring Security OAuth2 support to Spring Boot CLI
* Triggered from either @EnableAuthorizationServer or @EnableResourceServer
* Needs to have @EnableGlobalMethodSecurity to allow picking the annotation model.
* By default, comes with import support for @PreAuthorize, @PreFilter, @PostAuthorize, and @PostFilter via a single start import
* Also need import support for the enable annotations mentioned above.
* Added extra test case and sample (oauth2.groovy)
This avoids a potential problems with ordering between Dropwizard and
normal repository configuration. A Dropwizard sample has been added to
verify the behaviour.
The package names changed a bit from the prototype project, but wuth vanilla
autconfiguration usage that shouldn't matter. Follows closely the Groovy
templates support. Templates live in classpath:/templates/*.html by default.
Fixes gh-2242
ServerConnector is in different packages in Jetty 8 and Jetty 9 which
was leading to a NoClassDefFounderError when SSL was used with
Jetty 8.
This commit updates SslServerConnectorFactory to return an
AbstractConnector, a super class of ServerConnector, that is in the
same package in both Jetty 8 and Jetty 9. This class does not provide
a setPort method so the setting of the port has been pushed down into
the SslServerConnectorFactory implementation.
SSL samples for both Jetty 8 and Jetty 9 have been added to verify
SSL with both supported versions of Jetty.
Closes gh-1925
Switch the Tomcat 8 and Jetty 9 samples to Tomcat 7 and Jetty 8. Since
Tomcat 8 and Jetty 9 are now the default versions the previous samples
are no longer relevant, however, we do need integration tests to check
that we remain compatible with Tomcat 7 and Jetty 8.
See gh-1832
Jersey 2 has some Spring support built in but it's a bit awkward to
use in a Boot app, so autoconfiguration seems appropriate. The tests
and sample show how to use it, but the short story is that any
@Component can define JAX-RS endpoints via @GET etc.
There's a sample for Jersey 1 as well (pay careful attention to
the plugin configuration if you want to build an executable jar)
Fixes gh-1651
Velocity and Freemarker share some common properties so the base class for
configuring their properties makes some sense. Unfortunately the implementation
pulls in Spring MVC at runtime because of the signature of one method (that
would never be called). We can fix that in a number of ways, but the least
disruptive is probably to change the signature of that method and only refer
to the concrete template view resolver type if the method is called.
Fixes gh-1437
We can't easily solve the problem by not allowing Spring Security to
eagerly instantiate everything, but we can be defensive about data.sql
and make sure it is executed even if the listener isn't yet registered.
Fixes gh-1386
Updates to prevent the maven-invoker-plugin from downloading remote
snapshot jars. Possibly caused by the recent changes to the
spring-boot-dependencies POM.
See gh-1413
if user also adds @EnableWebMvcSecurity. The problem is that the ordering
of the init() and configure() methods in the Spring Security configurers
can force things to happen too early unless we are careful. It's still a bit
twitchy I would say, but this relatively small change seems to fix the GS guide
and not break any existing tests.
I added a sample which mimic ths GS guide so we get an integration test that
executes the new code paths.
Fixes gh-1364