From e2862390ee97c49243ae3deb26000065c53a1a1a Mon Sep 17 00:00:00 2001 From: Andy Wilkinson Date: Thu, 3 Sep 2015 17:36:06 +0100 Subject: [PATCH] Allow anonymous access to devtools remote server Previously, if an app had Spring Security on the classpath the remote devtools server would be secured using basic authentication. This prevented RemoteSpringApplication from uploading changes to the server as they would be rejected with a 401. This commit updates RemoteDevToolsAutoConfiguration to allow anonymous access to the remote server. CSRF protection is also disabled so that POST requests without a CSRF token will be accepted. Closes gh-3889 --- spring-boot-devtools/pom.xml | 10 ++++++ .../RemoteDevToolsAutoConfiguration.java | 31 +++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/spring-boot-devtools/pom.xml b/spring-boot-devtools/pom.xml index 58a07b2ba0..b5641034ab 100644 --- a/spring-boot-devtools/pom.xml +++ b/spring-boot-devtools/pom.xml @@ -35,6 +35,16 @@ spring-web true + + org.springframework.security + spring-security-config + true + + + org.springframework.security + spring-security-web + true + javax.servlet javax.servlet-api diff --git a/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java b/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java index e255a362ee..315dc897e5 100644 --- a/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java +++ b/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java 
@@ -28,6 +28,7 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.devtools.remote.server.AccessManager;
 import org.springframework.boot.devtools.remote.server.Dispatcher;
@@ -47,13 +48,17 @@ import org.springframework.boot.devtools.tunnel.server.RemoteDebugPortProvider;
 import org.springframework.boot.devtools.tunnel.server.SocketTargetServerConnection;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for remote development support.
  *
  * @author Phillip Webb
  * @author Rob Winch
+ * @author Andy Wilkinson
  * @since 1.3.0
  */
 @Configuration
@@ -151,4 +156,30 @@ public class RemoteDevToolsAutoConfiguration { } + @Configuration + @ConditionalOnClass(WebSecurityConfigurerAdapter.class) + static class RemoteDevToolsSecurityConfiguration { + + @Bean + public RemoteRestartWebSecurityConfigurer remoteRestartWebSecurityConfigurer() { + return new RemoteRestartWebSecurityConfigurer(); + } + + @Order(SecurityProperties.IGNORED_ORDER + 2) + static class RemoteRestartWebSecurityConfigurer extends + WebSecurityConfigurerAdapter { + + @Autowired + private DevToolsProperties properties; + + @Override + public void configure(HttpSecurity http) throws Exception { + http.antMatcher(this.properties.getRemote().getContextPath() + "/**"); + http.csrf().disable(); + } + + } + + } + }
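Review bot: In `RemoteRestartWebSecurityConfigurer.configure` the matcher is built by appending `"/**"` to `getContextPath()` with no check on that value, so a blank context path yields `/**`. This chain declares no authorization rules and disables CSRF, and it would then cover every endpoint of the application instead of only the devtools one. Its `@Order(SecurityProperties.IGNORED_ORDER + 2)` presumably places it ahead of the application's own security chains, which would make that misconfiguration win. I would fail fast before building the matcher, e.g. `String path = this.properties.getRemote().getContextPath();` then `Assert.hasText(path, "Remote devtools context path must not be empty");` then `http.antMatcher(path + "/**");`. The nested class also deserves a Javadoc saying that anonymous access is intentional here and that the shared-secret check on the remote endpoints, configured in the part of `RemoteDevToolsAutoConfiguration` outside this hunk, is then the only access control left.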