Add security.management.enabled flag

13 years ago · 8467a66e84
3 changed files with 26 additions and 14 deletions
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
@ -234,26 +234,28 @@ public class SecurityAutoConfiguration {
				@@ -234,26 +234,28 @@ public class SecurityAutoConfiguration {
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {

-			if (this.security.isRequireSsl()) {
-				http.requiresChannel().anyRequest().requiresSecure();
-			}
-
-			String[] paths = getEndpointPaths(true);
-			if (this.security.getBasic().isEnabled() && paths.length > 0) {
+			String[] paths = getEndpointPaths(true); // secure endpoints
+			if (paths.length > 0 && this.security.getManagement().isEnabled()) {
+				// Always protect them if present
+				if (this.security.isRequireSsl()) {
+					http.requiresChannel().anyRequest().requiresSecure();
+				}
 				http.exceptionHandling().authenticationEntryPoint(entryPoint());
 				http.requestMatchers().antMatchers(paths);
 				http.authorizeRequests().anyRequest()
 						.hasRole(this.security.getManagement().getRole()) //
 						.and().httpBasic() //
 						.and().anonymous().disable();
-			}
-			// No cookies for management endpoints by default
-			http.csrf().disable();
-			http.sessionManagement().sessionCreationPolicy(
-					this.security.getManagement().getSessions());

-			SecurityAutoConfiguration.configureHeaders(http.headers(),
-					this.security.getHeaders());
+				// No cookies for management endpoints by default
+				http.csrf().disable();
+				http.sessionManagement().sessionCreationPolicy(
+						this.security.getManagement().getSessions());
+
+				SecurityAutoConfiguration.configureHeaders(http.headers(),
+						this.security.getHeaders());
+
+			}

 		}

--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java
@ -195,6 +195,8 @@ public class SecurityProperties {
				@@ -195,6 +195,8 @@ public class SecurityProperties {

 	public static class Management {

+		private boolean enabled = true;
+
 		private String role = "ADMIN";

 		private SessionCreationPolicy sessions = SessionCreationPolicy.STATELESS;
@ -215,6 +217,14 @@ public class SecurityProperties {
				@@ -215,6 +217,14 @@ public class SecurityProperties {
 			return this.role;
 		}

+		public boolean isEnabled() {
+			return this.enabled;
+		}
+
+		public void setEnabled(boolean enabled) {
+			this.enabled = enabled;
+		}
+
 	}

 	public static class User {
--- a/spring-boot-cli/src/main/java/org/springframework/boot/cli/compiler/autoconfigure/ReactorCompilerAutoConfiguration.java
+++ b/spring-boot-cli/src/main/java/org/springframework/boot/cli/compiler/autoconfigure/ReactorCompilerAutoConfiguration.java
@ -23,7 +23,7 @@ import org.springframework.boot.cli.compiler.CompilerAutoConfiguration;
				@@ -23,7 +23,7 @@ import org.springframework.boot.cli.compiler.CompilerAutoConfiguration;
 import org.springframework.boot.cli.compiler.DependencyCustomizer;

 /**
- * {@link CompilerAutoConfiguration} for the Recator.
+ * {@link CompilerAutoConfiguration} for the Reactor.
 * 
 * @author Dave Syer
 */