Polish Spring Security Samples #5052

Closed

Member

@rwinch rwinch commented Jan 29, 2016

Fixes gh-2589

@@ -2185,17 +2184,15 @@ to the home page at "/" and keep the default for everything else:

[source,java,indent=0]
----
@Configuration
@EnableWebSecurity
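
Review bot: On the `@EnableWebSecurity` line, the listing sits under a lead-in (quoted in the hunk header) that still says "keep the default for everything else", and the visible lines carry no prose stating what the annotation changes about those defaults. Suggest adding a sentence next to the listing that says which defaults still apply once the class is annotated, or rewording the lead-in.
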
Member

This will switch off all of Boot's web security configuration as SpringBootWebSecurityConfiguration is @ConditionalOnMissingBean(WebSecurityConfiguration.class). Doesn't that mean that "and keep the default for everything else" is no longer true?

Member Author

This is already not true because this WebSecurityConfigurerAdapter will be invoked (rather than the ones configured by Spring Boot) regardless of if @EnableWebSecurity.

Admittedly, it does give you slightly different results since the ignored patterns are no longer used. However, the intent is to address:

> The name of the configureGlobal method is not important. However, it is important to only configure AuthenticationManagerBuilder in a class annotated with either @EnableWebSecurity, @EnableGlobalMethodSecurity, or @EnableGlobalAuthentication. Doing otherwise has unpredictable results.

The reason for this is because we need to ensure any classes that are configuring AuthenticationManagerBuilder are instantiated before we build the AuthenticationManager. In practice, this is done using EnableGlobalAuthenticationAutowiredConfigurer which eagerly initializes beans that are annotated (or meta-annotated) with @EnableGlobalAuthentication.

These instructions are likely a big part of the reason users experience ordering issues with Spring Security and Spring Boot.
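
The placement rule quoted in the comment above, as an added example that is not part of the pull request or of the Spring Boot documentation: a configuration class that configures `AuthenticationManagerBuilder` only from within an `@EnableWebSecurity` class. It uses the Spring Security 4.x-era API current at the time of the thread; the class name `SampleSecurityConfig`, the sample credentials, and the URL rules other than the "/" home page are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name. @EnableWebSecurity is meta-annotated with
// @EnableGlobalAuthentication, which is what the quoted rule requires of any
// class that touches AuthenticationManagerBuilder: the class is initialized
// before the AuthenticationManager is built.
@Configuration
@EnableWebSecurity
public class SampleSecurityConfig extends WebSecurityConfigurerAdapter {

    // The method name is not significant; the annotation on the class is.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed sample user for illustration only (assumption);
        // a real application would use an external user store.
        auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }

    // As discussed in the thread, once this adapter applies, the adapters
    // Spring Boot would configure (including its ignored patterns) are not
    // used, so every rule that should hold has to be stated here.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()       // home page is public
                .anyRequest().authenticated()       // assumption: all else needs login
                .and()
            .formLogin();
    }
}
```
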

@philwebb philwebb modified the milestones: 1.3.3, 1.3.4 Feb 26, 2016
@wilkinsona
Member

@rwinch Any thoughts on my comments?

@snicoll
Member

snicoll commented May 19, 2016

@rwinch ping

@philwebb philwebb modified the milestones: 1.4.0.RC1, 1.4.0 May 25, 2016
@snicoll snicoll added the type: documentation A documentation update label Jul 13, 2016
@philwebb philwebb removed this from the 1.4.0 milestone Jul 27, 2016
@philwebb
Member

We're going to revisit security entirely in 2.0.

@philwebb philwebb closed this Jan 11, 2017
@philwebb philwebb added the status: declined A suggestion or change that we don't feel we should currently apply label Jan 11, 2017