Setting security.management.enabled to false disables security for the entire application #100

Closed
nebhale opened this issue Oct 28, 2013 · 0 comments

nebhale commented Oct 28, 2013

Currently, using the default auto-configuration for Spring Security, if the user sets security.management.enabled=false (I did it via the YAML, but it should work using any method) the security will be disabled for all endpoints, including the application endpoints.

@dsyer dsyer closed this as completed in 63a2d06 Oct 31, 2013
gigfork pushed a commit to boostrack/spring-boot that referenced this issue Apr 21, 2014
Previously the management endpoint filter was applied to all requests
if the user had disabled security.management.enabled, but since it
had no security applied it was letting all requests through.

The fix was to explicitly exclude the whole enclosing configuration
and carefully ignore the management endpoints in the normal security
chain.

Fixes spring-projectsgh-100.
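
An added illustration of the failure the commit message describes, not code from Spring Boot or from this thread: a simplified Java model that assumes the first matching chain handles a request. The `/manage/` prefix, the sample paths and all class and method names are constructed for the example.

```java
import java.util.List;
import java.util.function.Predicate;

// Simplified model, not Spring Security code. Assumption: chains are ordered
// and the first chain whose matcher accepts the path handles the request.
public class ChainShadowingDemo {

    // requiresAuth=false models a chain with no security applied.
    record Chain(String name, Predicate<String> matcher, boolean requiresAuth) {}

    // Constructed path prefix standing in for the management endpoints.
    static final Predicate<String> MANAGEMENT = p -> p.startsWith("/manage/");
    static final Predicate<String> ANY = p -> true;

    // Layout before the fix: with management security off, the management chain
    // matches every request and carries no security, so it shadows the
    // application chain registered behind it.
    static List<Chain> before(boolean managementSecurity) {
        Chain management = managementSecurity
                ? new Chain("management", MANAGEMENT, true)
                : new Chain("management", ANY, false);
        return List.of(management, new Chain("application", ANY, true));
    }

    // Layout after the fix: the management chain is excluded entirely when
    // disabled, and the application chain ignores the management paths.
    static List<Chain> after(boolean managementSecurity) {
        Chain application = new Chain("application", MANAGEMENT.negate(), true);
        return managementSecurity
                ? List.of(new Chain("management", MANAGEMENT, true), application)
                : List.of(application);
    }

    // True when an unauthenticated request to the path would be served.
    static boolean openToAnonymous(List<Chain> chains, String path) {
        return chains.stream()
                .filter(c -> c.matcher().test(path))
                .findFirst()
                .map(c -> !c.requiresAuth())
                .orElse(true); // no chain matched: the path is ignored by security
    }

    public static void main(String[] args) {
        for (String path : List.of("/manage/env", "/app/orders")) { // constructed sample paths
            System.out.printf("%-12s before=%b after=%b%n", path,
                    openToAnonymous(before(false), path),
                    openToAnonymous(after(false), path));
        }
    }
}
```

With management security disabled, the `before` layout serves both paths to anonymous callers, while the `after` layout still requires authentication for `/app/orders`. The same two assertions make a useful regression test against a real application whenever endpoint security is toggled.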