Add security.basic.authorize-mode property

Add a `security.basic.authorize-mode` property that can be used to
affect how basic security authorization is applied.

Fixes gh-2462

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAuthorizeMode.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2012-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.security;
+
+/**
+ * Security authorization modes as specified in {@link SecurityProperties}.
+ *
+ * @author Phillip Webb
+ * @since 1.2.2
+ */
+public enum SecurityAuthorizeMode {
+
+	/**
+	 * Must be a member of one of the security roles.
+	 */
+	ROLE,
+
+	/**
+	 * Must be an authenticated user.
+	 */
+	AUTHENTICATED,
+
+	/**
+	 * No security authorization is setup.
+	 */
+	NONE
+
+}

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java

@@ -238,6 +238,11 @@ public class SecurityProperties implements SecurityPrerequisite {
 		 */
 		private String[] path = new String[] { "/**" };
 
+		/**
+		 * The security authorize mode to apply.
+		 */
+		private SecurityAuthorizeMode authorizeMode = SecurityAuthorizeMode.ROLE;
+
 		public boolean isEnabled() {
 			return this.enabled;
 		}
@@ -262,6 +267,14 @@ public class SecurityProperties implements SecurityPrerequisite {
 			this.path = paths;
 		}
 
+		public SecurityAuthorizeMode getAuthorizeMode() {
+			return this.authorizeMode;
+		}
+
+		public void setAuthorizeMode(SecurityAuthorizeMode authorizeMode) {
+			this.authorizeMode = authorizeMode;
+		}
+
 	}
 
 	public static class User {

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java

@@ -252,8 +252,14 @@ public class SpringBootWebSecurityConfiguration {
 				http.exceptionHandling().authenticationEntryPoint(entryPoint);
 				http.httpBasic().authenticationEntryPoint(entryPoint);
 				http.requestMatchers().antMatchers(paths);
-				String[] role = this.security.getUser().getRole().toArray(new String[0]);
+				String[] roles = this.security.getUser().getRole().toArray(new String[0]);
-				http.authorizeRequests().anyRequest().hasAnyRole(role);
+				SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
+				if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
+					http.authorizeRequests().anyRequest().hasAnyRole(roles);
+				}
+				else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
+					http.authorizeRequests().anyRequest().authenticated();
+				}
 			}
 		}
 

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java

@@ -103,6 +103,37 @@ public class SpringBootWebSecurityConfigurationTests {
 								Matchers.containsString("realm=\"Spring\"")));
 	}
 
+	@Test
+	public void testWebConfigurationFilterChainUnauthenticatedWithAuthorizeModeNone()
+			throws Exception {
+		this.context = SpringApplication.run(VanillaWebConfiguration.class,
+				"--server.port=0", "--security.basic.authorize-mode=none");
+		MockMvc mockMvc = MockMvcBuilders
+				.webAppContextSetup((WebApplicationContext) this.context)
+				.addFilters(
+						this.context.getBean("springSecurityFilterChain", Filter.class))
+				.build();
+		mockMvc.perform(MockMvcRequestBuilders.get("/")).andExpect(
+				MockMvcResultMatchers.status().isNotFound());
+	}
+
+	@Test
+	public void testWebConfigurationFilterChainUnauthenticatedWithAuthorizeModeAuthenticated()
+			throws Exception {
+		this.context = SpringApplication.run(VanillaWebConfiguration.class,
+				"--server.port=0", "--security.basic.authorize-mode=authenticated");
+		MockMvc mockMvc = MockMvcBuilders
+				.webAppContextSetup((WebApplicationContext) this.context)
+				.addFilters(
+						this.context.getBean("springSecurityFilterChain", Filter.class))
+				.build();
+		mockMvc.perform(MockMvcRequestBuilders.get("/"))
+				.andExpect(MockMvcResultMatchers.status().isUnauthorized())
+				.andExpect(
+						MockMvcResultMatchers.header().string("www-authenticate",
+								Matchers.containsString("realm=\"Spring\"")));
+	}
+
 	@Test
 	public void testWebConfigurationFilterChainBadCredentials() throws Exception {
 		this.context = SpringApplication.run(VanillaWebConfiguration.class,
@@ -164,10 +195,8 @@ public class SpringBootWebSecurityConfigurationTests {
 
 		@Autowired
 		public void init(AuthenticationManagerBuilder auth) throws Exception {
-			// @formatter:off
 			auth.inMemoryAuthentication().withUser("dave").password("secret")
 					.roles("USER");
-			// @formatter:on
 		}
 
 		@Override

spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc

@@ -211,6 +211,7 @@ content into your application; rather pick only the properties that you need.
 	security.basic.enabled=true
 	security.basic.realm=Spring
 	security.basic.path= # /**
+	security.basic.authorize-mode= # ROLE, AUTHENTICATED, NONE
 	security.filter-order=0
 	security.headers.xss=false
 	security.headers.cache=false