From 8467a66e8478fccf71813550c2c02aa475b0c6e5 Mon Sep 17 00:00:00 2001
From: Dave Syer
Date: Fri, 6 Sep 2013 19:54:15 +0100
Subject: [PATCH] Add security.management.enabled flag
---
.../SecurityAutoConfiguration.java | 28 ++++++++++---------
.../properties/SecurityProperties.java | 10 +++++++
.../ReactorCompilerAutoConfiguration.java | 2 +-
3 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
index 287ce1ad14ef..527b42f60773 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
@@ -234,26 +234,28 @@ private static class ManagementWebSecurityConfigurerAdapter extends @Override protected void configure(HttpSecurity http) throws Exception { - if (this.security.isRequireSsl()) { - http.requiresChannel().anyRequest().requiresSecure(); - } - - String[] paths = getEndpointPaths(true); - if (this.security.getBasic().isEnabled() && paths.length > 0) { + String[] paths = getEndpointPaths(true); // secure endpoints + if (paths.length > 0 && this.security.getManagement().isEnabled()) { + // Always protect them if present + if (this.security.isRequireSsl()) { + http.requiresChannel().anyRequest().requiresSecure(); + } http.exceptionHandling().authenticationEntryPoint(entryPoint()); http.requestMatchers().antMatchers(paths); http.authorizeRequests().anyRequest() .hasRole(this.security.getManagement().getRole()) // .and().httpBasic() // .and().anonymous().disable(); - } - // No cookies for management endpoints by default - http.csrf().disable(); - http.sessionManagement().sessionCreationPolicy( - this.security.getManagement().getSessions()); - SecurityAutoConfiguration.configureHeaders(http.headers(), - this.security.getHeaders()); + // No cookies for management endpoints by default + http.csrf().disable(); + http.sessionManagement().sessionCreationPolicy( + this.security.getManagement().getSessions()); + + SecurityAutoConfiguration.configureHeaders(http.headers(), + this.security.getHeaders()); + + } } diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java index cc1253134f0f..72b32f5618cb 100644 --- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java +++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java 
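Review bot: When `paths` is empty or `security.management.enabled` is false, `configure` now returns without touching `http` at all, so the `requestMatchers().antMatchers(paths)` scoping, the CSRF and session settings and `configureHeaders` are all skipped. If the adapter is still registered in that case (its `extends` clause and registration sit outside this hunk), its chain would presumably fall back to the framework defaults and match every request rather than only the endpoint paths; a test for the disabled case would confirm this. Turning the flag off also removes the `hasRole(...)` check and the `requiresSecure()` channel rule from the secure endpoints in one step. I would add a comment above the condition such as `// security.management.enabled=false leaves the secure endpoint paths to whatever other filter chain matches them` and consider logging a warning when it is false.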
@@ -195,6 +195,8 @@ public void setPath(String... paths) { public static class Management { + private boolean enabled = true; + private String role = "ADMIN"; private SessionCreationPolicy sessions = SessionCreationPolicy.STATELESS; @@ -215,6 +217,14 @@ public String getRole() { return this.role; } + public boolean isEnabled() { + return this.enabled; + } + + public void setEnabled(boolean enabled) { + this.enabled = enabled; + } + } public static class User { diff --git a/spring-boot-cli/src/main/java/org/springframework/boot/cli/compiler/autoconfigure/ReactorCompilerAutoConfiguration.java b/spring-boot-cli/src/main/java/org/springframework/boot/cli/compiler/autoconfigure/ReactorCompilerAutoConfiguration.java index 7925bd230fce..4b0082b5eb65 100644 --- a/spring-boot-cli/src/main/java/org/springframework/boot/cli/compiler/autoconfigure/ReactorCompilerAutoConfiguration.java +++ b/spring-boot-cli/src/main/java/org/springframework/boot/cli/compiler/autoconfigure/ReactorCompilerAutoConfiguration.java @@ -23,7 +23,7 @@ import org.springframework.boot.cli.compiler.DependencyCustomizer; /** - * {@link CompilerAutoConfiguration} for the Recator. + * {@link CompilerAutoConfiguration} for the Reactor. * * @author Dave Syer */
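Review bot: The new `enabled` field in `SecurityProperties.Management` (first hunk of this file) and its `isEnabled`/`setEnabled` accessors (second hunk) carry no Javadoc, although this one boolean decides whether the management endpoints get the role check at all. I would document it on the field, for example `/** Whether the secure management endpoints are protected by the role check; defaults to true. */`, and say in the setter's Javadoc that `false` leaves those endpoints to other security configuration. The default of `true` keeps existing applications protected, which is the right fail-safe choice. The `Management` class starts and ends outside both hunks.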