if user also adds @EnableWebMvcSecurity. The problem is that the ordering
of the init() and configure() methods in the Spring Security configurers
can force things to happen too early unless we are careful. It's still a bit
twitchy I would say, but this relatively small change seems to fix the GS guide
and not break any existing tests.
I added a sample which mimic ths GS guide so we get an integration test that
executes the new code paths.
Fixes gh-1364
Actually the web-secure sample is misusing
security.basic.enabled=false (IMO) - it should be a flag
to say that you want to temporarily disable the basic security
fallback on application endpoins, not way to disable all
security autoconfiguration.
Added test case to web-secure sample to ensure a user
can log in.
Fixes gh-979
Rename the RestTemplates to TestRestTemplate to help indicate that it's
primarily intended for testing. Also now extend RestTemplate to allow
direct use, rather than via factory methods.
Fixes gh-599
If the user explicitly disables the basic security features and forgets to
@EnableWebSecurity, and yet still wants a bean of type
WebSecurityConfigurerAdapter, he is trying to use a custom
security setup and the app would fail in a confusing way without
this change.
Fixes gh-568
Makes them a lot more readable IMO, and also enables @Autowiring
from the context into the test case (sweeet). I added @DirtiesContext
to all of them as well to be on the safe side, but possbly that can be
optimized in some way as well.
Long package names are really unnecessary in samples and they
just clutter things up. Also Spring Loaded doesn't work with
org.sfw packages, so to demo that technology you need a
different package name.
The management endpoints were still all mixed up
with the user endpoints. Fixed that and extracted
user endpoints in to conditional block so not
protected if path explicitly set to empty string.
[#53029715]
The ErrorEndpoint now handles text/html requests differently, delegating
to a View named "error". This view will not exist by default so the user
will see an ugly 500 error, but it's easy to fix and there isn't a good
to provide a default.
[Fixes#51214943]
Example: web UI with publicly available static assets
# application.properties:
security.ignored: /css/**,/script/**
Example: web UI with publicly available everything, but secure
management endpoints.
# application.properties:
# Empty path for basic security (default is /**)
security.basic.path=
[Fixes#50721675]
User adds @OnManagementContext to a bean or @Configuration and
it should be included in the management context (if there is one)
whether it is the main context or a child.
Makes it easy to secure the management endpoints and keep
the rest open (see actuator-ui-sample).
[#50721675]
* MessageSource created automatically (location
spring.messages.basename:messages)
* Thymeleaf configured automatically to look for
templates in classpath:/templates
* Added static resource handlers for classpath:/static
and classpath:/
[Fixes#49832165] [bs-118] Support for thymeleaf templates
Dave Syer
Phillip Webb
Dave Syer
Javier Gayoso
Phillip Webb
Dave Syer