Add security.management.enabled flag

wilkinsona · Sep 6, 2013 · 8467a66 · 8467a66
1 parent 5f8f062
commit 8467a66
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 14 deletions.
diff --git a/...c/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java b/...c/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
@@ -234,26 +234,28 @@ private static class ManagementWebSecurityConfigurerAdapter extends
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 
-			if (this.security.isRequireSsl()) {
-				http.requiresChannel().anyRequest().requiresSecure();
-			}
-
-			String[] paths = getEndpointPaths(true);
-			if (this.security.getBasic().isEnabled() && paths.length > 0) {
+			String[] paths = getEndpointPaths(true); // secure endpoints
+			if (paths.length > 0 && this.security.getManagement().isEnabled()) {
+				// Always protect them if present
+				if (this.security.isRequireSsl()) {
+					http.requiresChannel().anyRequest().requiresSecure();
+				}
 				http.exceptionHandling().authenticationEntryPoint(entryPoint());
 				http.requestMatchers().antMatchers(paths);
 				http.authorizeRequests().anyRequest()
 						.hasRole(this.security.getManagement().getRole()) //
 						.and().httpBasic() //
 						.and().anonymous().disable();
-			}
-			// No cookies for management endpoints by default
-			http.csrf().disable();
-			http.sessionManagement().sessionCreationPolicy(
-					this.security.getManagement().getSessions());
 
-			SecurityAutoConfiguration.configureHeaders(http.headers(),
-					this.security.getHeaders());
+				// No cookies for management endpoints by default
+				http.csrf().disable();
+				http.sessionManagement().sessionCreationPolicy(
+						this.security.getManagement().getSessions());
+
+				SecurityAutoConfiguration.configureHeaders(http.headers(),
+						this.security.getHeaders());
+
+			}
 
 		}
 

diff --git a/...ctuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java b/...ctuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java
@@ -195,6 +195,8 @@ public void setPath(String... paths) {
 
 	public static class Management {
 
+		private boolean enabled = true;
+
 		private String role = "ADMIN";
 
 		private SessionCreationPolicy sessions = SessionCreationPolicy.STATELESS;
@@ -215,6 +217,14 @@ public String getRole() {
 			return this.role;
 		}
 
+		public boolean isEnabled() {
+			return this.enabled;
+		}
+
+		public void setEnabled(boolean enabled) {
+			this.enabled = enabled;
+		}
+
 	}
 
 	public static class User {

diff --git a/...org/springframework/boot/cli/compiler/autoconfigure/ReactorCompilerAutoConfiguration.java b/...org/springframework/boot/cli/compiler/autoconfigure/ReactorCompilerAutoConfiguration.java
@@ -23,7 +23,7 @@
 import org.springframework.boot.cli.compiler.DependencyCustomizer;
 
 /**
- * {@link CompilerAutoConfiguration} for the Recator.
+ * {@link CompilerAutoConfiguration} for the Reactor.
  * 
  * @author Dave Syer
  */