SEC-2789: Add Default WebSecurityConfigurerAdapter

2014-12-09 13:21:32 -06:00 · 2014-12-09 13:21:32 -06:00 · 62e127e978
parent 3171cc4364
commit 62e127e978
5 changed files with 23 additions and 19 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/configuration/AutowireBeanFactoryObjectPostProcessor.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/configuration/AutowireBeanFactoryObjectPostProcessor.java
@ -62,6 +62,7 @@ final class AutowireBeanFactoryObjectPostProcessor implements ObjectPostProcesso
            Class<?> type = object.getClass();
            throw new RuntimeException("Could not postProcess " + object + " of type " + type, e);
        }
+        autowireBeanFactory.autowireBean(object);
        if(result instanceof DisposableBean) {
            disposableBeans.add((DisposableBean) result);
        }
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
@ -38,6 +38,7 @@ import org.springframework.core.type.AnnotationMetadata;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityConfigurer;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.context.DelegatingApplicationListener;
@ -73,6 +74,9 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa

    private ClassLoader beanClassLoader;

+    @Autowired(required = false)
+    private ObjectPostProcessor<Object> objectObjectPostProcessor;
+
    @Bean
    public static DelegatingApplicationListener delegatingApplicationListener() {
        return new DelegatingApplicationListener();
@ -93,7 +97,8 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
    public Filter springSecurityFilterChain() throws Exception {
        boolean hasConfigurers = webSecurityConfigurers != null && !webSecurityConfigurers.isEmpty();
        if(!hasConfigurers) {
-            throw new IllegalStateException("At least one non-null instance of "+ WebSecurityConfigurer.class.getSimpleName()+" must be exposed as a @Bean when using @EnableWebSecurity. Hint try extending "+ WebSecurityConfigurerAdapter.class.getSimpleName());
+            WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor.postProcess(new WebSecurityConfigurerAdapter() {});
+            webSecurity.apply(adapter);
        }
        return webSecurity.build();
    }
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.groovy
@ -16,6 +16,7 @@
 package org.springframework.security.config.annotation.web.configurers

 import org.springframework.beans.factory.BeanCreationException
+import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.AnnotationConfigApplicationContext
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
@ -23,6 +24,8 @@ import org.springframework.mock.web.MockFilterChain
 import org.springframework.mock.web.MockHttpServletRequest
 import org.springframework.mock.web.MockHttpServletResponse
 import org.springframework.security.config.annotation.BaseSpringSpec
+import org.springframework.security.config.annotation.ObjectPostProcessor
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.builders.WebSecurity
@ -50,32 +53,29 @@ import org.springframework.security.web.util.matcher.AnyRequestMatcher
 * @author Rob Winch
 */
 class DefaultFiltersTests extends BaseSpringSpec {
-    def missingConfigMessage = "At least one non-null instance of "+ WebSecurityConfigurer.class.getSimpleName()+" must be exposed as a @Bean when using @EnableWebSecurity. Hint try extending "+ WebSecurityConfigurerAdapter.class.getSimpleName()

-    def "DefaultSecurityFilterChainBuilder cannot be null"() {
+    def "Default the WebSecurityConfigurerAdapter"() {
        when:
        context = new AnnotationConfigApplicationContext(FilterChainProxyBuilderMissingConfig)
        then:
-        BeanCreationException e = thrown()
-        e.message.contains missingConfigMessage
+        context.getBean(FilterChainProxy) != null
    }

    @EnableWebSecurity
-    static class FilterChainProxyBuilderMissingConfig { }
-
-    def "FilterChainProxyBuilder no DefaultSecurityFilterChainBuilder specified"() {
-        when:
-        context = new AnnotationConfigApplicationContext(FilterChainProxyBuilderNoSecurityFilterBuildersConfig)
-        then:
-        BeanCreationException e = thrown()
-        e.message.contains missingConfigMessage
+    static class FilterChainProxyBuilderMissingConfig {
+        @Autowired
+        public void configureGlobal(AuthenticationManagerBuilder auth) {
+            auth
+                .inMemoryAuthentication()
+                    .withUser("user").password("password").roles("USER")
+        }
    }

    @EnableWebSecurity
    static class FilterChainProxyBuilderNoSecurityFilterBuildersConfig {
        @Bean
-        public WebSecurity filterChainProxyBuilder() {
-            new WebSecurity()
+        public WebSecurity filterChainProxyBuilder(ObjectPostProcessor<Object> opp) {
+            new WebSecurity(opp)
                .ignoring()
                    .antMatchers("/resources/**")
        }
--- a/samples/hellomvc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/hellomvc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -3,11 +3,10 @@ package org.springframework.security.samples.config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@EnableWebMvcSecurity
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecurityConfig {

    @Autowired
    public void registerGlobalAuthentication(
--- a/samples/helloworld-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/helloworld-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -1,12 +1,11 @@
 package org.springframework.security.samples.config;

 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.*	;
 import org.springframework.security.config.annotation.web.configuration.*;

@EnableWebSecurity
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecurityConfig {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {