Disable default security configuration when SecurityFilterChain bean is present #22739

Closed
eleftherias opened this issue Aug 5, 2020 · 3 comments
Labels
type: enhancement A general enhancement

@eleftherias

Spring Security is adding an enhancement that allows configuring HTTP security by exposing a SecurityFilterChain bean.
In this case, there is no need to extend WebSecurityConfigurerAdapter.
See spring-projects/spring-security#8804.

Currently Spring Boot applies a default security configuration when no WebSecurityConfigurerAdapter bean is present.
Going forward, it should also check if a SecurityFilterChain bean is present before applying a default security configuration.
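
The bean-style configuration described above, as an added example that is not part of the original issue or of Spring Boot's own code. The class name, bean method name and the `/public/**` path are assumptions, and the lambda DSL shown is the Spring Security 5.4-era API.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical application configuration: no WebSecurityConfigurerAdapter is extended.
@Configuration
public class ApiSecurityConfiguration {

    // Exposing a SecurityFilterChain bean is the condition this issue asks
    // Spring Boot to check before applying its default security configuration.
    @Bean
    public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(requests -> requests
                // Assumed public path; only what is listed here is reachable anonymously.
                .antMatchers("/public/**").permitAll()
                // With the default configuration no longer applied, this catch-all
                // is the rule that keeps every unlisted path behind authentication.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Because the default configuration is skipped once this bean exists, the chain has to state the full policy itself, including the final `anyRequest()` rule.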

@bclozel bclozel added the type: enhancement A general enhancement label Aug 5, 2020
@bclozel bclozel added this to the 2.4.x milestone Aug 5, 2020
@mbhave
Contributor

mbhave commented Aug 5, 2020

@eleftherias Would you suggest updating our smoke tests and auto-configuration to use the SecurityFilterChain bean instead of extending WebSecurityConfigurerAdapter too?

@eleftherias
Author

Yes, using the SecurityFilterChain bean will be the recommended approach going forward.

@mbhave mbhave self-assigned this Aug 11, 2020
@mbhave mbhave added the for: team-attention An issue we'd like other members of the team to review label Aug 12, 2020
@philwebb philwebb removed the for: team-attention An issue we'd like other members of the team to review label Aug 12, 2020
@mbhave
Contributor

mbhave commented Aug 14, 2020

Spring Security still needs to make some changes for making WebSecurity work with bean style SecurityFilterChain. We use WebSecurity to configure ignored paths for the Cloud Foundry actuators. Until that's sorted we can't move to the bean style config for our own auto-configurations. We should open a separate issue for #22739 (comment) once that's done.