actuator overrides security-config from custom WebSecurityConfigurerAdapter #78

Closed
zyro23 opened this issue Oct 7, 2013 · 5 comments

zyro23 commented Oct 7, 2013

using actuator in a spring-boot-web project using a custom WebSecurityConfigurerAdapter (@Configuration/@EnableWebSecurity), it seems as if the actuator security auto-config overrides the application's security config.

Member

dsyer commented Oct 7, 2013

It is expected that the SecurityAutoConfiguration would provide some defaults that you might otherwise have to provide in your own configuration. You can always disable the SecurityAutoConfiguration (by excluding it in @EnableAutoConfiguration), but I'd rather hear the details and try and see how to change things if necessary. You might need to describe your use case in a bit more detail to see if we need to explicitly support it or not.

Author

zyro23 commented Oct 8, 2013

essentially, i followed the securing-web guide and got a security config like this (groovy):

```groovy
@Configuration
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            .antMatchers("/dummy").permitAll()
            .antMatchers("/secured").hasRole("USER")
            .anyRequest().authenticated()

        http.formLogin()
            .defaultSuccessUrl("/secured")
            .loginPage("/login")

        http.logout().permitAll()
    }

}
```

now if i add the dependency for spring-boot-starter-actuator in my gradle build, the app is asking for basic auth under any url...

thanks, zyro

Member

dsyer commented Oct 8, 2013

Right, that's because your configurator callback is unordered, while the SecurityAutoConfiguration contains one that has @Order(Ordered.LOWEST_PRECEDENCE - 5). I suggest maybe you add @Order(Ordered.LOWEST_PRECEDENCE - 10) to yours.

Author

zyro23 commented Oct 8, 2013

oh well... i spotted the option for ordering but thought "last wins" with the highest precedence being last :/

i will give @Order(Ordered.LOWEST_PRECEDENCE - 10) a spin in a few hours and comment here if i succeeded - then this could be closed of course.

thanks for the quick help!

Author

zyro23 commented Oct 8, 2013

works. thanks again. closed.

zyro23 closed this as completed Oct 8, 2013
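
A simplified model of the ordering rule discussed in this thread, as an added example that is not part of the thread and is not Spring code. It assumes each security configurer contributes one filter chain, that chains are sorted by ascending order value, that the first matching chain handles the request, and that an unordered configurer sorts at `LOWEST_PRECEDENCE`; the `Chain` record and `handledBy` helper are hypothetical names.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.function.Predicate;

// Simplified model (not Spring code): every configurer yields one filter chain,
// chains are sorted by order value, and the FIRST matching chain handles the request.
public class SecurityOrderDemo {

    // Same value as org.springframework.core.Ordered.LOWEST_PRECEDENCE
    static final int LOWEST_PRECEDENCE = Integer.MAX_VALUE;

    // Hypothetical stand-in for a configured filter chain.
    record Chain(String name, int order, Predicate<String> matcher) {}

    // Returns the name of the chain that would handle the given request path.
    static String handledBy(List<Chain> chains, String path) {
        List<Chain> sorted = new ArrayList<>(chains);
        // Lower order value means higher precedence, so it is consulted earlier.
        sorted.sort(Comparator.comparingInt(Chain::order));
        return sorted.stream()
                .filter(c -> c.matcher().test(path))
                .map(Chain::name)
                .findFirst()
                .orElse("no chain");
    }

    public static void main(String[] args) {
        // Auto-configured chain from the thread: order LOWEST_PRECEDENCE - 5,
        // modelled as matching every URL (basic auth "under any url").
        Chain boot = new Chain("auto-config (basic auth)", LOWEST_PRECEDENCE - 5, p -> true);

        // Unordered application config (assumed to sort at LOWEST_PRECEDENCE):
        // it is consulted after the auto-config chain, so its rules are never reached.
        Chain unordered = new Chain("application config", LOWEST_PRECEDENCE, p -> true);
        System.out.println("unordered: /dummy -> "
                + handledBy(List.of(unordered, boot), "/dummy"));

        // With @Order(Ordered.LOWEST_PRECEDENCE - 10) the application config
        // sorts ahead of the auto-config chain and handles the request.
        Chain ordered = new Chain("application config", LOWEST_PRECEDENCE - 10, p -> true);
        System.out.println("ordered:   /dummy -> "
                + handledBy(List.of(ordered, boot), "/dummy"));
    }
}
```

The practical check after adding a starter that brings its own security defaults is to request a URL the application marks `permitAll()` and confirm it is still served without a basic-auth challenge.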