1   package cn.home1.cloud.netflix.eureka;
2   
3   import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
4   
5   import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
6   import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
7   import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
8   import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
9   import org.springframework.boot.autoconfigure.security.SecurityDataConfiguration;
10  import org.springframework.boot.autoconfigure.security.SecurityProperties;
11  import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
12  import org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration;
13  import org.springframework.boot.autoconfigure.security.servlet.WebSecurityEnablerConfiguration;
14  import org.springframework.boot.context.properties.EnableConfigurationProperties;
15  import org.springframework.context.ApplicationEventPublisher;
16  import org.springframework.context.annotation.Bean;
17  import org.springframework.context.annotation.Configuration;
18  import org.springframework.context.annotation.Import;
19  import org.springframework.core.annotation.Order;
20  import org.springframework.security.authentication.AuthenticationEventPublisher;
21  import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
22  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
23  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
24  
/**
 * Opt-in Spring Security wiring for this application.
 *
 * <p>The whole configuration is registered only when {@code spring.security.enabled} has the value
 * {@code true}; an absent property does not match. It imports Boot's servlet web-security
 * configurations, binds {@link SecurityProperties} and supplies a fallback
 * {@link AuthenticationEventPublisher}.
 *
 * <p>NOTE(review): with the property unset or set to anything else, nothing declared here is active.
 * Whether requests are then served without authentication depends on configuration outside this
 * file; confirm that this opt-in default is intended.
 *
 * <p>Background:
 * <ul>
 *   <li>https://github.com/spring-projects/spring-boot/issues/12323</li>
 *   <li>{@link org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration}</li>
 *   <li>https://spring.io/blog/2017/09/15/security-changes-in-spring-boot-2-0-m4</li>
 * </ul>
 */
@Configuration
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
@ConditionalOnProperty(prefix = "spring.security", name = "enabled", havingValue = "true")
@EnableConfigurationProperties(SecurityProperties.class)
@Import({
    SpringBootWebSecurityConfiguration.class,
    WebSecurityEnablerConfiguration.class,
    SecurityDataConfiguration.class
})
public class ApplicationSecurityAutoConfiguration {

    /**
     * Provides the default authentication event publisher unless another
     * {@link AuthenticationEventPublisher} bean is already defined.
     *
     * @param publisher application event publisher the authentication events are forwarded to
     * @return publisher that relays authentication outcomes as application events
     */
    @Bean
    @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
    public DefaultAuthenticationEventPublisher authenticationEventPublisher(
        ApplicationEventPublisher publisher) {
        return new DefaultAuthenticationEventPublisher(publisher);
    }

    /**
     * HTTP security rules: HTTP Basic only, no form login, no server-side session.
     *
     * <p>Registered at {@link SecurityProperties#BASIC_AUTH_ORDER} and guarded by the same
     * {@code spring.security.enabled=true} condition as the enclosing configuration.
     */
    @Configuration
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    @ConditionalOnProperty(prefix = "spring.security", name = "enabled", havingValue = "true")
    static class ApplicationWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        /**
         * Declares the authorization rules and the authentication mechanism.
         *
         * @param http builder for the security filter chain
         * @throws Exception if the security DSL rejects the configuration
         */
        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            // The adapter's stock configure(http) is intentionally not invoked; every rule is explicit.

            // Rules are evaluated in declaration order and the first match decides, so the
            // anonymous "health"/"info" rule has to stay ahead of the catch-all actuator rule.
            // NOTE(review): how much detail "health" returns to anonymous callers is controlled by
            // actuator settings outside this file; confirm it is limited to what may be public.
            http.authorizeRequests()
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // hasRole("X") checks for the authority ROLE_X.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                // Everything else requires an authenticated principal holding ROLE_USER.
                .antMatchers("/**").hasRole("USER");

            http.formLogin().disable();

            // HTTP Basic carries the credentials, merely base64-encoded, on every request, so this
            // setup relies on the transport (TLS) for confidentiality.
            http.httpBasic();

            // STATELESS: no HttpSession is created or used for the security context, so each
            // request is authenticated on its own.
            http.sessionManagement().sessionCreationPolicy(STATELESS);

            // NOTE(review): CSRF is not configured here, so the framework default stays in effect.
            // Confirm that non-browser clients sending POST/PUT/DELETE with Basic credentials are
            // handled as intended, and where any CSRF exemption for them is declared.
        }
    }
}