SEC-2191: Remove AuthenticationManagerBuilder default constructor

This ensures that users must choose what ObjectPostProcessor is being used
with AuthenticationManagerBuilder. To make things easier for users, we now
automatically add an AuthenticationManagerBuilder object that can be used
for creating an AuthenticationManager with @Autowired.

config/src/main/java/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java

@@ -23,6 +23,8 @@ import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.DelegatingFilterProxy;
@@ -51,6 +53,7 @@ import com.google.inject.internal.ImmutableList.Builder;
  *            The type of this builder (that is returned by the base class)
  */
 public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>> extends AbstractSecurityBuilder<O> {
+    private final Log logger = LogFactory.getLog(getClass());
 
     private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers =
             new LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>>();
@@ -95,6 +98,27 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
         this.allowConfigurersOfSameType = allowConfigurersOfSameType;
     }
 
+
+    /**
+     * Similar to {@link #build()} and {@link #getObject()} but checks the state
+     * to determine if {@link #build()} needs to be called first.
+     *
+     * @return the result of {@link #build()} or {@link #getObject()}. If an
+     *         error occurs while building, returns null.
+     */
+    public O getOrBuild() {
+        if(isUnbuilt()) {
+            try {
+                return build();
+            } catch(Exception e) {
+                logger.debug("Failed to perform build. Returning null", e);
+                return null;
+            }
+        } else {
+            return getObject();
+        }
+    }
+
     /**
      * Applies a {@link SecurityConfigurerAdapter} to this
      * {@link SecurityBuilder} and invokes
@@ -370,6 +394,16 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
         return result;
     }
 
+    /**
+     * Determines if the object is unbuilt.
+     * @return true, if unbuilt else false
+     */
+    private boolean isUnbuilt() {
+        synchronized(configurers) {
+            return buildState == BuildState.UNBUILT;
+        }
+    }
+
     /**
      * The build state for the application
      *

config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java

@@ -54,9 +54,10 @@ public class AuthenticationManagerBuilder extends AbstractConfiguredSecurityBuil
 
     /**
      * Creates a new instance
+     * @param the {@link ObjectPostProcessor} instance to use.
      */
-    public AuthenticationManagerBuilder() {
+    public AuthenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
-        super(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR,true);
+        super(objectPostProcessor,true);
     }
 
     /**

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.authentication.configuration;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+
+/**
+ * Exports the authentication {@link Configuration}
+ *
+ * @author Rob Winch
+ * @since 3.2
+ *
+ */
+@Configuration
+public class AuthenticationConfiguration {
+
+    @Bean
+    public AuthenticationManagerBuilder authenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
+        return new AuthenticationManagerBuilder(objectPostProcessor);
+    }
+}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableGlobalMethodSecurity.java

@@ -23,6 +23,7 @@ import org.springframework.context.annotation.AdviceMode;
 import org.springframework.context.annotation.Import;
 import org.springframework.core.Ordered;
 import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration;
 
 /**
@@ -43,7 +44,7 @@ import org.springframework.security.config.annotation.configuration.ObjectPostPr
 @Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME)
 @Target(value={java.lang.annotation.ElementType.TYPE})
 @Documented
-@Import({GlobalMethodSecuritySelector.class,ObjectPostProcessorConfiguration.class})
+@Import({GlobalMethodSecuritySelector.class,ObjectPostProcessorConfiguration.class,AuthenticationConfiguration.class})
 public @interface EnableGlobalMethodSecurity {
 
     /**

config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java

@@ -21,8 +21,11 @@ import java.util.List;
 import java.util.Map;
 
 import org.aopalliance.intercept.MethodInterceptor;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.aop.framework.ProxyFactoryBean;
 import org.springframework.aop.target.LazyInitTargetSource;
+import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.ApplicationContext;
@@ -74,6 +77,7 @@ import org.springframework.util.Assert;
  */
 @Configuration
 public class GlobalMethodSecurityConfiguration implements ImportAware {
+    private static final Log logger = LogFactory.getLog(GlobalMethodSecurityConfiguration.class);
     private ApplicationContext context;
     private ObjectPostProcessor<Object> objectPostProcessor = new ObjectPostProcessor<Object>() {
         @Override
@@ -82,7 +86,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
         }
     };
     private AuthenticationManager authenticationManager;
-    private AuthenticationManagerBuilder auth = new AuthenticationManagerBuilder();
+    private AuthenticationManagerBuilder auth = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR);
     private boolean disableAuthenticationRegistry;
     private AnnotationAttributes enableMethodSecurity;
     private MethodSecurityExpressionHandler expressionHandler;
@@ -236,6 +240,13 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
             if(!disableAuthenticationRegistry) {
                 authenticationManager = auth.build();
             }
+            if(authenticationManager == null) {
+                try {
+                    authenticationManager = context.getBean(AuthenticationManagerBuilder.class).getOrBuild();
+                } catch(NoSuchBeanDefinitionException e) {
+                    logger.debug("Could not obtain the AuthenticationManagerBuilder. This is ok for now, we will try using an AuthenticationManager directly",e);
+                }
+            }
             if(authenticationManager == null) {
                 authenticationManager = lazyBean(AuthenticationManager.class);
             }

config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java

@@ -20,6 +20,7 @@ import java.lang.annotation.Retention;
 import java.lang.annotation.Target;
 
 import org.springframework.context.annotation.Import;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration;
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 
@@ -76,7 +77,7 @@ import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 @Retention(value=java.lang.annotation.RetentionPolicy.RUNTIME)
 @Target(value={java.lang.annotation.ElementType.TYPE})
 @Documented
-@Import({WebSecurityConfiguration.class,ObjectPostProcessorConfiguration.class})
+@Import({WebSecurityConfiguration.class,ObjectPostProcessorConfiguration.class,AuthenticationConfiguration.class})
 public @interface EnableWebSecurity {
 
     /**

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java

@@ -58,8 +58,8 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
         }
     };
 
-    private final AuthenticationManagerBuilder authenticationBuilder = new AuthenticationManagerBuilder();
+    private final AuthenticationManagerBuilder authenticationBuilder = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR);
-    private final AuthenticationManagerBuilder parentAuthenticationBuilder = new AuthenticationManagerBuilder() {
+    private final AuthenticationManagerBuilder parentAuthenticationBuilder = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR) {
         @Override
         public AuthenticationManagerBuilder eraseCredentials(boolean eraseCredentials) {
             authenticationBuilder.eraseCredentials(eraseCredentials);
@@ -193,13 +193,19 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
         if(!authenticationManagerInitialized) {
             registerAuthentication(parentAuthenticationBuilder);
             if(disableAuthenticationRegistration) {
+                try {
+                    authenticationManager = context.getBean(AuthenticationManagerBuilder.class).getOrBuild();
+                } catch(NoSuchBeanDefinitionException e) {
+                    logger.debug("Could not obtain the AuthenticationManagerBuilder. This is ok for now, we will try using an AuthenticationManager directly",e);
+                }
+                if(authenticationManager == null) {
                     try {
                         authenticationManager = context.getBean(AuthenticationManager.class);
                     } catch(NoSuchBeanDefinitionException e) {
                         logger.debug("The AuthenticationManager was not found. This is ok for now as it may not be required.",e);
                     }
+                }
             } else {
-                authenticationManagerInitialized = true;
                 authenticationManager = parentAuthenticationBuilder.build();
             }
             authenticationManagerInitialized = true;

config/src/test/groovy/org/springframework/security/config/annotation/BaseSpringSpec.groovy

@@ -57,7 +57,7 @@ abstract class BaseSpringSpec extends Specification {
         chain = new MockFilterChain()
     }
 
-    AuthenticationManagerBuilder authenticationBldr = new AuthenticationManagerBuilder().inMemoryAuthentication().and()
+    AuthenticationManagerBuilder authenticationBldr = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR).inMemoryAuthentication().and()
 
     def cleanup() {
         SecurityContextHolder.clearContext()

config/src/test/groovy/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.groovy

@@ -38,7 +38,7 @@ class AuthenticationManagerBuilderTests extends BaseSpringSpec {
         setup:
             ObjectPostProcessor opp = Mock()
             AuthenticationProvider provider = Mock()
-            AuthenticationManagerBuilder builder = new AuthenticationManagerBuilder().objectPostProcessor(opp)
+            AuthenticationManagerBuilder builder = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR).objectPostProcessor(opp)
         when: "Adding an AuthenticationProvider"
             builder.authenticationProvider(provider)
             builder.build()
@@ -51,7 +51,7 @@ class AuthenticationManagerBuilderTests extends BaseSpringSpec {
         setup:
             AuthenticationEventPublisher aep = Mock()
         when:
-            AuthenticationManager am = new AuthenticationManagerBuilder()
+            AuthenticationManager am = new AuthenticationManagerBuilder(ObjectPostProcessor.QUIESCENT_POSTPROCESSOR)
                 .authenticationEventPublisher(aep)
                 .inMemoryAuthentication()
                     .and()

config/src/test/groovy/org/springframework/security/config/annotation/authentication/BaseAuthenticationConfig.groovy

@@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.authentication
 
 import java.rmi.registry.Registry;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.authentication.AuthenticationManager
@@ -33,6 +34,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
  */
 @Configuration
 class BaseAuthenticationConfig {
+    @Autowired
     protected void registerAuthentication(
                 AuthenticationManagerBuilder auth) throws Exception {
         auth
@@ -40,11 +42,4 @@ class BaseAuthenticationConfig {
                 .withUser("user").password("password").roles("USER").and()
                 .withUser("admin").password("password").roles("USER", "ADMIN").and()
     }
-
-    @Bean
-    public AuthenticationManager authenticationManager() {
-        AuthenticationManagerBuilder registry = new AuthenticationManagerBuilder();
-        registerAuthentication(registry);
-        return registry.build();
-    }
 }

config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/SampleEnableGlobalMethodSecurityTests.groovy

@@ -15,6 +15,7 @@
  */
 package org.springframework.security.config.annotation.method.configuration
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.access.AccessDeniedException
@@ -65,14 +66,12 @@ public class SampleEnableGlobalMethodSecurityTests extends BaseSpringSpec {
             return new MethodSecurityServiceImpl()
         }
 
-        @Bean
+        @Autowired
-        public AuthenticationManager authenticationManager() throws Exception {
+        public void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
-            return new AuthenticationManagerBuilder()
+            auth
                 .inMemoryAuthentication()
                     .withUser("user").password("password").roles("USER").and()
-                    .withUser("admin").password("password").roles("USER", "ADMIN").and()
+                    .withUser("admin").password("password").roles("USER", "ADMIN");
-                    .and()
-                .build();
         }
     }
 

config/src/test/groovy/org/springframework/security/config/annotation/web/SampleWebSecurityConfigurerAdapterTests.groovy

@@ -15,6 +15,7 @@
  */
 package org.springframework.security.config.annotation.web
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.core.annotation.Order
@@ -272,14 +273,12 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseWebSpecuritySpe
     @Configuration
     @EnableWebSecurity
     public static class SampleMultiHttpSecurityConfig {
-        @Bean
+        @Autowired
-        public AuthenticationManager authenticationManager() {
+        public void registerAuthentication(AuthenticationManagerBuilder auth) {
-            return new AuthenticationManagerBuilder()
+            auth
                 .inMemoryAuthentication()
                     .withUser("user").password("password").roles("USER").and()
-                        .withUser("admin").password("password").roles("USER", "ADMIN").and()
+                    .withUser("admin").password("password").roles("USER", "ADMIN");
-                        .and()
-                    .build();
         }
 
         @Configuration