Allow anonymous access to devtools remote server

Previously, if an app had Spring Security on the classpath the remote devtools server would be secured using basic authentication. This prevented RemoteSpringApplication from uploading changes to the server as they would be rejected with a 401. This commit updates RemoteDevToolsAutoConfiguration to allow anonymous access to the remote server. CSRF protection is also disabled so that POST requests without a CSRF token will be accepted. Closes gh-3889
9 years ago · e2862390ee
parent bed5350c8f
commit e2862390ee
2 changed files with 41 additions and 0 deletions
--- a/spring-boot-devtools/pom.xml
+++ b/spring-boot-devtools/pom.xml
@ -35,6 +35,16 @@
 			<artifactId>spring-web</artifactId>
 			<optional>true</optional>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-config</artifactId>
+			<optional>true</optional>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-web</artifactId>
+			<optional>true</optional>
+		</dependency>
 		<dependency>
 			<groupId>javax.servlet</groupId>
 			<artifactId>javax.servlet-api</artifactId>
--- a/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java
+++ b/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java
@ -28,6 +28,7 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.devtools.remote.server.AccessManager;
 import org.springframework.boot.devtools.remote.server.Dispatcher;
@ -47,13 +48,17 @@ import org.springframework.boot.devtools.tunnel.server.RemoteDebugPortProvider;
 import org.springframework.boot.devtools.tunnel.server.SocketTargetServerConnection;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

 /**
 * {@link EnableAutoConfiguration Auto-configuration} for remote development support.
 *
 * @author Phillip Webb
 * @author Rob Winch
+ * @author Andy Wilkinson
 * @since 1.3.0
 */
@Configuration
@ -151,4 +156,30 @@ public class RemoteDevToolsAutoConfiguration {

 	}

+	@Configuration
+	@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
+	static class RemoteDevToolsSecurityConfiguration {
+
+		@Bean
+		public RemoteRestartWebSecurityConfigurer remoteRestartWebSecurityConfigurer() {
+			return new RemoteRestartWebSecurityConfigurer();
+		}
+
+		@Order(SecurityProperties.IGNORED_ORDER + 2)
+		static class RemoteRestartWebSecurityConfigurer extends
+				WebSecurityConfigurerAdapter {
+
+			@Autowired
+			private DevToolsProperties properties;
+
+			@Override
+			public void configure(HttpSecurity http) throws Exception {
+				http.antMatcher(this.properties.getRemote().getContextPath() + "/**");
+				http.csrf().disable();
+			}
+
+		}
+
+	}
+
 }