/*
 * Copyright 2012-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.boot.autoconfigure.security;

import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.authentication.AuthenticationEventPublisher;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * {@link EnableAutoConfiguration Auto-configuration} for Spring Security. Supplies an
 * {@link AuthenticationManager} driven by the configuration bound to a
 * {@link SecurityProperties} bean.
 *
 * <p>
 * Out of the box there is a single user (named "user") whose password is random and is
 * printed on the console at INFO level during startup. In a webapp this configuration
 * also secures all web endpoints (except some well-known static resource locations) with
 * HTTP basic security.
 *
 * <p>
 * Security note: because the generated password is written to the log, the startup log
 * of an application running on these defaults contains a usable credential. Restrict
 * access to wherever that log is shipped or stored, and for anything beyond local
 * development configure an explicit password (the {@code security.user.password}
 * property in Spring Boot 1.x) or replace the default authentication altogether. HTTP
 * basic sends the credentials with every request, so it should only be exposed over TLS.
 *
 * <p>
 * To replace all the default behaviours in a webapp provide a {@code @Configuration}
 * with {@code @EnableWebSecurity}. To just add your own layer of application security in
 * front of the defaults, add a {@code @Configuration} of type
 * {@link WebSecurityConfigurerAdapter}.
 *
 * <p>
 * This configuration is only considered when both {@link AuthenticationManager} and
 * {@link GlobalAuthenticationConfigurerAdapter} are on the classpath, and both beans
 * declared here back off when the application defines its own.
 *
 * @author Dave Syer
 * @author Andy Wilkinson
 */
@Configuration
@ConditionalOnClass({
		AuthenticationManager.class,
		GlobalAuthenticationConfigurerAdapter.class })
@EnableConfigurationProperties
@Import({
		SpringBootWebSecurityConfiguration.class,
		AuthenticationManagerConfiguration.class,
		BootGlobalAuthenticationConfiguration.class,
		SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {

	/**
	 * Creates the fallback {@link AuthenticationEventPublisher}, which hands
	 * authentication events to the application's own event publisher. Application
	 * listeners on those events are a convenient hook for audit logging of
	 * authentication outcomes.
	 *
	 * <p>
	 * Skipped when the application already declares an
	 * {@link AuthenticationEventPublisher} bean.
	 * @param publisher the application event publisher that receives the events
	 * @return a {@link DefaultAuthenticationEventPublisher} wrapping {@code publisher}
	 */
	@Bean
	@ConditionalOnMissingBean(AuthenticationEventPublisher.class)
	public DefaultAuthenticationEventPublisher authenticationEventPublisher(
			ApplicationEventPublisher publisher) {
		DefaultAuthenticationEventPublisher eventPublisher =
				new DefaultAuthenticationEventPublisher(publisher);
		return eventPublisher;
	}

	/**
	 * Creates the fallback {@link SecurityProperties} bean holding the security
	 * settings described in the class documentation.
	 *
	 * <p>
	 * Skipped when the application already declares a bean of this type.
	 * @return a freshly constructed {@link SecurityProperties}
	 */
	@Bean
	@ConditionalOnMissingBean
	public SecurityProperties securityProperties() {
		SecurityProperties properties = new SecurityProperties();
		return properties;
	}

}