fix(auth): make basic authentication configurable and opt-in

gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/AuthConfig.groovy

@@ -22,10 +22,12 @@ import com.netflix.spinnaker.security.User
 import groovy.util.logging.Slf4j
 import org.springframework.beans.factory.InitializingBean
 import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.beans.factory.annotation.Value
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.http.HttpMethod
+import org.springframework.security.config.annotation.SecurityBuilder
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.core.Authentication
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler
@@ -43,6 +45,9 @@ class AuthConfig {
   @Autowired
   PermissionRevokingLogoutSuccessHandler permissionRevokingLogoutSuccessHandler
 
+  @Value('${basicAuth.enabled:false}')
+  Boolean basicAuthEnabled
+
   @Bean
   @ConditionalOnMissingBean(UserRolesProvider)
   UserRolesProvider defaultUserRolesProvider() {
@@ -61,9 +66,7 @@ class AuthConfig {
 
   void configure(HttpSecurity http) throws Exception {
     // @formatter:off
-    http
-      .httpBasic()
-        .and()
+    SecurityBuilder result = http
       .authorizeRequests()
         .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
         .antMatchers(PermissionRevokingLogoutSuccessHandler.LOGGED_OUT_URL).permitAll()
@@ -80,6 +83,11 @@ class AuthConfig {
       .csrf()
         .disable()
     // @formatter:on
+
+    if (basicAuthEnabled) {
+      result.httpBasic()
+    }
+
   }
 
   @Component