From 1e5f7023c6c99ebc725e2b44ffbba40f0d0a3546 Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@gopivotal.com>
Date: Tue, 20 Jan 2015 14:28:17 -0600
Subject: [PATCH] SEC-2822: Make EnableGlobalAuthenticationAutowiredConfigurer
 static Bean

This ensures that EnableGlobalAuthenticationAutowiredConfigurer is actually
used in newer versions of Spring. See SPR-12646
---
 .../AuthenticationConfiguration.java          |  2 +-
 .../AuthenticationConfigurationTests.groovy   | 45 +++++++++++++++++++
 ...balMethodSecurityConfigurationTests.groovy |  1 +
 3 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java
index a007e6c63e..58c4e0eac6 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java
@@ -61,7 +61,7 @@ public class AuthenticationConfiguration {
     }
 
     @Bean
-    public GlobalAuthenticationConfigurerAdapter enableGlobalAuthenticationAutowiredConfigurer(ApplicationContext context) {
+    public static GlobalAuthenticationConfigurerAdapter enableGlobalAuthenticationAutowiredConfigurer(ApplicationContext context) {
         return new EnableGlobalAuthenticationAutowiredConfigurer(context);
     }
 
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy
index 7b01aa97e4..a9c5d31583 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy
@@ -16,7 +16,12 @@
 package org.springframework.security.config.annotation.authentication.configuration;
 
 import org.springframework.aop.framework.ProxyFactoryBean
+import org.springframework.beans.BeansException
 import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.beans.factory.config.BeanPostProcessor
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory
+import org.springframework.beans.factory.support.BeanDefinitionRegistry
+import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor
 import org.springframework.context.ApplicationContext
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
@@ -321,4 +326,44 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
             null
         }
     }
+
+    def "SEC-2822: Cannot Force Authentication already built"() {
+        setup:
+        loadConfig(Sec2822WebSecurity,Sec2822UseAuth,Sec2822Config)
+        when:
+        AuthenticationConfiguration config = context.getBean(AuthenticationConfiguration)
+        config.getAuthenticationManager()
+        then:
+        noExceptionThrown()
+    }
+
+    @Configuration
+    @Import(AuthenticationConfiguration)
+    static class Sec2822Config {}
+
+    @Configuration
+    @EnableWebSecurity
+    static class Sec2822WebSecurity extends WebSecurityConfigurerAdapter {
+        @Autowired
+        public void configureGlobal(AuthenticationManagerBuilder auth) {
+            auth.inMemoryAuthentication()
+        }
+    }
+
+    @Configuration
+    static class Sec2822UseAuth {
+        @Autowired
+        public void useAuthenticationManager(AuthenticationConfiguration auth) {
+            auth.authenticationManager
+        }
+
+        // Ensures that Sec2822UseAuth is initialized before Sec2822WebSecurity
+        // must have additional GlobalAuthenticationConfigurerAdapter to trigger SEC-2822
+        @Bean
+        public static GlobalAuthenticationConfigurerAdapter bootGlobalAuthenticationConfigurerAdapter() {
+            new BootGlobalAuthenticationConfigurerAdapter()
+        }
+
+        static class BootGlobalAuthenticationConfigurerAdapter extends GlobalAuthenticationConfigurerAdapter { }
+    }
 }
\ No newline at end of file
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
index 4b77105051..4ec4e541e8 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
@@ -18,6 +18,7 @@ package org.springframework.security.config.annotation.method.configuration
 import org.springframework.beans.BeansException
 import org.springframework.beans.factory.config.BeanPostProcessor
 import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
 
 import javax.sql.DataSource