actuator overrides security-config from custom WebSecurityConfigurerAdapter #78
Comments
It is expected that the |
essentially, i followed the securing-web guide and got a security config like this (groovy):

```groovy
@Configuration
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            .antMatchers("/dummy").permitAll()
            .antMatchers("/secured").hasRole("USER")
            .anyRequest().authenticated()
        http.formLogin()
            .defaultSuccessUrl("/secured")
            .loginPage("/login")
        http.logout().permitAll()
    }
}
```

now if i add the dependency for spring-boot-starter-actuator in my gradle build, the app is asking for basic auth under any url... thanks, zyro |
Right, that's because your configurator callback is unordered, while the |
oh well... i spotted the option for ordering but thought "last wins" with the highest precedence being last :/ i will give thanks for the quick help! |
works. thanks again. closed. |
using actuator in a spring-boot-web project using a custom WebSecurityConfigurerAdapter (@Configuration/@EnableWebSecurity), it seems as if the actuator security auto-config overrides the application's security config.
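The ordering fix the thread settles on, as an added example that is not code from the original posts or from Spring Boot: the same configurer with an explicit `@Order`, so that its filter chain sorts ahead of the actuator's. In Spring's `Ordered` contract a lower value means higher precedence, and Spring Security hands each request to the first chain whose matcher accepts it, so "first wins", not "last wins". Assumptions: the order value `Ordered.HIGHEST_PRECEDENCE` is chosen for illustration, and the import packages are those of Spring Security 3.2 and later.

```groovy
import org.springframework.context.annotation.Configuration
import org.springframework.core.Ordered
import org.springframework.core.annotation.Order
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

@Configuration
@EnableWebSecurity
// Assumed value: anything that sorts ahead of the actuator's configurer works.
// Lower value = higher precedence, and order values must be unique per configurer.
@Order(Ordered.HIGHEST_PRECEDENCE)
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This HttpSecurity is not restricted with requestMatchers()/antMatcher(),
        // so the chain matches every request. Once it sorts first, no request
        // reaches the actuator's chain any more: the management endpoints are
        // then covered only by the rules below, i.e. by anyRequest().authenticated().
        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            .antMatchers("/dummy").permitAll()
            .antMatchers("/secured").hasRole("USER")
            .anyRequest().authenticated()   // keep this catch-all as the last rule
        http.formLogin()
            .defaultSuccessUrl("/secured")
            .loginPage("/login")
        http.logout().permitAll()
    }
}
```

After applying an order like this, request a management endpoint without credentials and confirm it is still refused, since that path is now decided by the catch-all rule rather than by the actuator's own defaults.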