[bs-129] Split up SecurityConfiguration and makes bits of it optional

* Added security.basic.* and security.sessions
* Also security.enabled (so you can switch it off on command line)

[Fixes #50181269]

spring-bootstrap-actuator/src/main/java/org/springframework/bootstrap/actuate/autoconfigure/SecurityConfiguration.java

@@ -17,7 +17,7 @@
 package org.springframework.bootstrap.actuate.autoconfigure;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
+import org.springframework.bootstrap.actuate.properties.EndpointsProperties;
 import org.springframework.bootstrap.actuate.properties.SecurityProperties;
 import org.springframework.bootstrap.context.annotation.ConditionalOnClass;
 import org.springframework.bootstrap.context.annotation.ConditionalOnMissingBean;
@@ -33,6 +33,8 @@ import org.springframework.security.config.annotation.web.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.HttpConfiguration;
 import org.springframework.security.config.annotation.web.WebSecurityConfiguration;
 import org.springframework.security.config.annotation.web.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 
 /**
  * @author Dave Syer
@@ -57,30 +59,43 @@ public class SecurityConfiguration {
 	private static class BoostrapWebSecurityConfigurerAdapter extends
 			WebSecurityConfigurerAdapter {
 
-		@Value("${endpoints.health.path:/health}")
-		private String healthPath = "/health";
-
-		@Value("${endpoints.info.path:/info}")
-		private String infoPath = "/info";
-
 		@Autowired
 		private SecurityProperties security;
 
+		@Autowired
+		private EndpointsProperties endpoints;
+
 		@Autowired
 		private AuthenticationEventPublisher authenticationEventPublisher;
 
 		@Override
 		protected void configure(HttpConfiguration http) throws Exception {
-			http.antMatcher("/**").httpBasic().and().anonymous().disable();
 			if (this.security.isRequireSsl()) {
 				http.requiresChannel().antMatchers("/**").requiresSecure();
 			}
-			http.authorizeUrls().antMatchers("/**").hasRole("USER");
+			if (this.security.getBasic().isEnabled()) {
+				http.authenticationEntryPoint(entryPoint())
+						.antMatcher(this.security.getBasic().getPath()).httpBasic()
+						.authenticationEntryPoint(entryPoint()).and().anonymous()
+						.disable();
+				http.authorizeUrls().antMatchers("/**")
+						.hasRole(this.security.getBasic().getRole());
+			}
+			// No cookies for service endpoints by default
+			http.sessionManagement().sessionCreationPolicy(this.security.getSessions());
+		}
+
+		private AuthenticationEntryPoint entryPoint() {
+			BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
+			entryPoint.setRealmName(this.security.getBasic().getRealm());
+			return entryPoint;
 		}
 
 		@Override
 		public void configure(WebSecurityConfiguration builder) throws Exception {
-			builder.ignoring().antMatchers(this.healthPath, this.infoPath);
+			builder.ignoring().antMatchers(this.endpoints.getHealth().getPath(),
+					this.endpoints.getInfo().getPath(),
+					this.endpoints.getError().getPath());
 		}
 
 		@Override

spring-bootstrap-actuator/src/main/java/org/springframework/bootstrap/actuate/properties/SecurityProperties.java

@@ -17,9 +17,10 @@
 package org.springframework.bootstrap.actuate.properties;
 
 import org.springframework.bootstrap.context.annotation.ConfigurationProperties;
+import org.springframework.security.config.annotation.web.SessionCreationPolicy;
 
 /**
- * Properties for the security aspects of the service.
+ * Properties for the security aspects of an application.
  * 
  * @author Dave Syer
  */
@@ -28,11 +29,76 @@ public class SecurityProperties {
 
 	private boolean requireSsl;
 
+	private Basic basic = new Basic();
+
+	private SessionCreationPolicy sessions = SessionCreationPolicy.stateless;
+
+	public SessionCreationPolicy getSessions() {
+		return this.sessions;
+	}
+
+	public void setSessions(SessionCreationPolicy sessions) {
+		this.sessions = sessions;
+	}
+
+	public Basic getBasic() {
+		return this.basic;
+	}
+
+	public void setBasic(Basic basic) {
+		this.basic = basic;
+	}
+
 	public boolean isRequireSsl() {
-		return requireSsl;
+		return this.requireSsl;
 	}
 
 	public void setRequireSsl(boolean requireSsl) {
 		this.requireSsl = requireSsl;
 	}
+
+	public static class Basic {
+
+		private boolean enabled = true;
+
+		private String realm = "Spring";
+
+		private String path = "/**";
+
+		private String role = "USER";
+
+		public boolean isEnabled() {
+			return this.enabled;
+		}
+
+		public void setEnabled(boolean enabled) {
+			this.enabled = enabled;
+		}
+
+		public String getRealm() {
+			return this.realm;
+		}
+
+		public void setRealm(String realm) {
+			this.realm = realm;
+		}
+
+		public String getPath() {
+			return this.path;
+		}
+
+		public void setPath(String path) {
+			this.path = path;
+		}
+
+		public String getRole() {
+			return this.role;
+		}
+
+		public void setRole(String role) {
+			this.role = role;
+		}
+
+	}
+
 }

spring-bootstrap-samples/spring-bootstrap-actuator-sample/src/main/resources/logging.properties

@@ -4,3 +4,4 @@ handlers = java.util.logging.ConsoleHandler
 java.util.logging.ConsoleHandler.level = FINE
 sun.net.www.protocol.http.HttpURLConnection.level = ALL
 org.springframework.bootstrap.level = ALL
+org.springframework.security.level = ALL

spring-bootstrap-samples/spring-bootstrap-actuator-sample/src/test/java/org/springframework/bootstrap/sample/test/EndpointsPropertiesServiceBootstrapApplicationTests.java

@@ -1,4 +1,4 @@
-package org.springframework.bootstrap.sample.service;
+package org.springframework.bootstrap.sample.test;
 
 import java.io.IOException;
 import java.util.ArrayList;
@@ -13,6 +13,7 @@ import org.junit.After;
 import org.junit.Test;
 import org.springframework.bootstrap.SpringApplication;
 import org.springframework.bootstrap.actuate.properties.EndpointsProperties;
+import org.springframework.bootstrap.sample.service.ServiceBootstrapApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;

spring-bootstrap-samples/spring-bootstrap-actuator-sample/src/test/java/org/springframework/bootstrap/sample/test/ManagementAddressServiceBootstrapApplicationTests.java

@@ -1,4 +1,4 @@
-package org.springframework.bootstrap.sample.service;
+package org.springframework.bootstrap.sample.test;
 
 import java.io.IOException;
 import java.util.ArrayList;
@@ -13,6 +13,7 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.bootstrap.SpringApplication;
+import org.springframework.bootstrap.sample.service.ServiceBootstrapApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpRequest;
 import org.springframework.http.HttpStatus;

spring-bootstrap-samples/spring-bootstrap-actuator-sample/src/test/java/org/springframework/bootstrap/sample/test/ManagementServiceBootstrapApplicationTests.java

@@ -1,4 +1,4 @@
-package org.springframework.bootstrap.sample.service;
+package org.springframework.bootstrap.sample.test;
 
 import java.io.IOException;
 import java.util.Map;
@@ -11,6 +11,7 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.bootstrap.SpringApplication;
+import org.springframework.bootstrap.sample.service.ServiceBootstrapApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -61,7 +62,7 @@ public class ManagementServiceBootstrapApplicationTests {
 		@SuppressWarnings("rawtypes")
 		ResponseEntity<Map> entity = getRestTemplate().getForEntity(
 				"http://localhost:" + port, Map.class);
-		assertEquals(HttpStatus.FORBIDDEN, entity.getStatusCode());
+		assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
 	}
 
 	@Test

spring-bootstrap-samples/spring-bootstrap-actuator-sample/src/test/java/org/springframework/bootstrap/sample/test/NoManagementServiceBootstrapApplicationTests.java

@@ -1,4 +1,4 @@
-package org.springframework.bootstrap.sample.service;
+package org.springframework.bootstrap.sample.test;
 
 import java.io.IOException;
 import java.util.ArrayList;
@@ -13,6 +13,7 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.bootstrap.SpringApplication;
+import org.springframework.bootstrap.sample.service.ServiceBootstrapApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpRequest;
 import org.springframework.http.HttpStatus;

spring-bootstrap-samples/spring-bootstrap-actuator-sample/src/test/java/org/springframework/bootstrap/sample/test/ServiceBootstrapApplicationTests.java

@@ -1,4 +1,4 @@
-package org.springframework.bootstrap.sample.service;
+package org.springframework.bootstrap.sample.test;
 
 import java.io.IOException;
 import java.util.ArrayList;
@@ -13,6 +13,7 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.bootstrap.SpringApplication;
+import org.springframework.bootstrap.sample.service.ServiceBootstrapApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpRequest;
 import org.springframework.http.HttpStatus;
@@ -27,6 +28,7 @@ import org.springframework.web.client.DefaultResponseErrorHandler;
 import org.springframework.web.client.RestTemplate;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
 /**
@@ -65,11 +67,11 @@ public class ServiceBootstrapApplicationTests {
 		@SuppressWarnings("rawtypes")
 		ResponseEntity<Map> entity = getRestTemplate().getForEntity(
 				"http://localhost:8080", Map.class);
-		// FIXME: should be UNAUTHORIZED?
+		assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
-		assertEquals(HttpStatus.FORBIDDEN, entity.getStatusCode());
 		@SuppressWarnings("unchecked")
 		Map<String, Object> body = entity.getBody();
-		assertEquals("Wrong body: " + body, "Forbidden", body.get("error"));
+		assertEquals("Wrong body: " + body, "Unauthorized", body.get("error"));
+		assertFalse(entity.getHeaders().containsKey("Set-Cookie"));
 	}
 
 	@Test
@@ -117,7 +119,7 @@ public class ServiceBootstrapApplicationTests {
 	@Test
 	public void testErrorPageDirectAccess() throws Exception {
 		@SuppressWarnings("rawtypes")
-		ResponseEntity<Map> entity = getRestTemplate("user", "password").getForEntity(
+		ResponseEntity<Map> entity = getRestTemplate().getForEntity(
 				"http://localhost:8080/error", Map.class);
 		assertEquals(HttpStatus.OK, entity.getStatusCode());
 		@SuppressWarnings("unchecked")

spring-bootstrap-samples/spring-bootstrap-actuator-sample/src/test/java/org/springframework/bootstrap/sample/test/ShutdownServiceBootstrapApplicationTests.java

@@ -1,4 +1,4 @@
-package org.springframework.bootstrap.sample.service;
+package org.springframework.bootstrap.sample.test;
 
 import java.io.IOException;
 import java.util.ArrayList;
@@ -13,6 +13,7 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.bootstrap.SpringApplication;
+import org.springframework.bootstrap.sample.service.ServiceBootstrapApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpRequest;
 import org.springframework.http.HttpStatus;

spring-bootstrap-samples/spring-bootstrap-actuator-sample/src/test/java/org/springframework/bootstrap/sample/test/UnsecureServiceBootstrapApplicationTests.java

@@ -0,0 +1,81 @@
+package org.springframework.bootstrap.sample.test;
+
+import java.io.IOException;
+import java.util.Map;
+import java.util.concurrent.Callable;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.springframework.bootstrap.SpringApplication;
+import org.springframework.bootstrap.sample.service.ServiceBootstrapApplication;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.client.ClientHttpResponse;
+import org.springframework.web.client.DefaultResponseErrorHandler;
+import org.springframework.web.client.RestTemplate;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+
+/**
+ * Integration tests for unsecured service endpoints (even with Spring Security on
+ * classpath).
+ * 
+ * @author Dave Syer
+ * 
+ */
+public class UnsecureServiceBootstrapApplicationTests {
+
+	private static ConfigurableApplicationContext context;
+
+	@BeforeClass
+	public static void start() throws Exception {
+		Future<ConfigurableApplicationContext> future = Executors
+				.newSingleThreadExecutor().submit(
+						new Callable<ConfigurableApplicationContext>() {
+							@Override
+							public ConfigurableApplicationContext call() throws Exception {
+								return (ConfigurableApplicationContext) SpringApplication
+										.run(ServiceBootstrapApplication.class,
+												"--security.basic.enabled=false");
+							}
+						});
+		context = future.get(10, TimeUnit.SECONDS);
+	}
+
+	@AfterClass
+	public static void stop() {
+		if (context != null) {
+			context.close();
+		}
+	}
+
+	@Test
+	public void testHome() throws Exception {
+		@SuppressWarnings("rawtypes")
+		ResponseEntity<Map> entity = getRestTemplate().getForEntity(
+				"http://localhost:8080", Map.class);
+		assertEquals(HttpStatus.OK, entity.getStatusCode());
+		@SuppressWarnings("unchecked")
+		Map<String, Object> body = entity.getBody();
+		assertEquals("Hello Phil", body.get("message"));
+		assertFalse(entity.getHeaders().containsKey("Set-Cookie"));
+	}
+
+	private RestTemplate getRestTemplate() {
+		RestTemplate restTemplate = new RestTemplate();
+		restTemplate.setErrorHandler(new DefaultResponseErrorHandler() {
+			@Override
+			public void handleError(ClientHttpResponse response) throws IOException {
+			}
+		});
+		return restTemplate;
+
+	}
+
+}