SEC-2789: Add Default WebSecurityConfigurerAdapter

2025-07-04 01:32:14 +00:00 · 2014-12-09 13:21:32 -06:00 · 2014-12-09 13:21:32 -06:00 · 62e127e978
commit 62e127e978
parent 3171cc4364
5 changed files with 23 additions and 19 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/configuration/AutowireBeanFactoryObjectPostProcessor.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/configuration/AutowireBeanFactoryObjectPostProcessor.java
@ -62,6 +62,7 @@ final class AutowireBeanFactoryObjectPostProcessor implements ObjectPostProcesso
            Class<?> type = object.getClass();
            throw new RuntimeException("Could not postProcess " + object + " of type " + type, e);
        }
        autowireBeanFactory.autowireBean(object);
        if(result instanceof DisposableBean) {
            disposableBeans.add((DisposableBean) result);
        }
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java
@ -38,6 +38,7 @@ import org.springframework.core.type.AnnotationMetadata;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.context.DelegatingApplicationListener;
@ -73,6 +74,9 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
    private ClassLoader beanClassLoader;
    @Autowired(required = false)
    private ObjectPostProcessor<Object> objectObjectPostProcessor;
    @Bean
    public static DelegatingApplicationListener delegatingApplicationListener() {
        return new DelegatingApplicationListener();
@ -93,7 +97,8 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
    public Filter springSecurityFilterChain() throws Exception {
        boolean hasConfigurers = webSecurityConfigurers != null && !webSecurityConfigurers.isEmpty();
        if(!hasConfigurers) {
-            throw new IllegalStateException("At least one non-null instance of "+ WebSecurityConfigurer.class.getSimpleName()+" must be exposed as a @Bean when using @EnableWebSecurity. Hint try extending "+ WebSecurityConfigurerAdapter.class.getSimpleName());
+            WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor.postProcess(new WebSecurityConfigurerAdapter() {});
            webSecurity.apply(adapter);
        }
        return webSecurity.build();
    }
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.groovy
@ -16,6 +16,7 @@
 package org.springframework.security.config.annotation.web.configurers
 import org.springframework.beans.factory.BeanCreationException
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.AnnotationConfigApplicationContext
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
@ -23,6 +24,8 @@ import org.springframework.mock.web.MockFilterChain
 import org.springframework.mock.web.MockHttpServletRequest
 import org.springframework.mock.web.MockHttpServletResponse
 import org.springframework.security.config.annotation.BaseSpringSpec
 import org.springframework.security.config.annotation.ObjectPostProcessor
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.builders.WebSecurity
@ -50,32 +53,29 @@ import org.springframework.security.web.util.matcher.AnyRequestMatcher
 * @author Rob Winch
 */
 class DefaultFiltersTests extends BaseSpringSpec {
    def missingConfigMessage = "At least one non-null instance of "+ WebSecurityConfigurer.class.getSimpleName()+" must be exposed as a @Bean when using @EnableWebSecurity. Hint try extending "+ WebSecurityConfigurerAdapter.class.getSimpleName()
-    def "DefaultSecurityFilterChainBuilder cannot be null"() {
+    def "Default the WebSecurityConfigurerAdapter"() {
        when:
        context = new AnnotationConfigApplicationContext(FilterChainProxyBuilderMissingConfig)
        then:
-        BeanCreationException e = thrown()
+        context.getBean(FilterChainProxy) != null
        e.message.contains missingConfigMessage
    }
    @EnableWebSecurity
-    static class FilterChainProxyBuilderMissingConfig { }
+    static class FilterChainProxyBuilderMissingConfig {
-
+        @Autowired
-    def "FilterChainProxyBuilder no DefaultSecurityFilterChainBuilder specified"() {
+        public void configureGlobal(AuthenticationManagerBuilder auth) {
-        when:
+            auth
-        context = new AnnotationConfigApplicationContext(FilterChainProxyBuilderNoSecurityFilterBuildersConfig)
+                .inMemoryAuthentication()
-        then:
+                    .withUser("user").password("password").roles("USER")
-        BeanCreationException e = thrown()
+        }
        e.message.contains missingConfigMessage
    }
    @EnableWebSecurity
    static class FilterChainProxyBuilderNoSecurityFilterBuildersConfig {
        @Bean
-        public WebSecurity filterChainProxyBuilder() {
+        public WebSecurity filterChainProxyBuilder(ObjectPostProcessor<Object> opp) {
-            new WebSecurity()
+            new WebSecurity(opp)
                .ignoring()
                    .antMatchers("/resources/**")
        }
--- a/samples/hellomvc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/hellomvc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -3,11 +3,10 @@ package org.springframework.security.samples.config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
@EnableWebMvcSecurity
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecurityConfig {
    @Autowired
    public void registerGlobalAuthentication(
--- a/samples/helloworld-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/helloworld-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -1,12 +1,11 @@
 package org.springframework.security.samples.config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.*	;
 import org.springframework.security.config.annotation.web.configuration.*;
@EnableWebSecurity
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecurityConfig {
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {