Spring Boot 2.0.1

Not sure if this is a Spring Boot or pure Spring issue. I have two Configuration Beans to handle Security depending on which Profile is active. If the profile is 'develop' the full authentication should apply (OAuth2). When the profile is any other, then "permitAll" should apply.

WebSecurityConfig.java

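import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@Profile({"develop"})
@Order(101)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final Logger LOG = LoggerFactory.getLogger(WebSecurityConfig.class); // logger type assumed (SLF4J)
    @Override
    public void configure(HttpSecurity http) throws Exception {
        LOG.trace("Configuring OAuth2 Resource HTTP Security");
        // csrf().disable() returns HttpSecurity itself, so the chain continues without and()
        http.csrf().disable().authorizeRequests().antMatchers("/**").fullyAuthenticated();
    }
}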

DisabledWebSecurityConfig.java

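import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@Profile({"!develop"})
@Order(102)
public class DisabledWebSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final Logger LOG = LoggerFactory.getLogger(DisabledWebSecurityConfig.class); // logger type assumed (SLF4J)
    @Override
    public void configure(HttpSecurity http) throws Exception {
        LOG.trace("Configuring OAuth2 Resource HTTP Security");
        // csrf().disable() returns HttpSecurity itself, so the chain continues without and()
        http.csrf().disable().authorizeRequests().antMatchers("/**").permitAll();
    }
}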

Now, when I start my service with a profile other than 'develop', no security applies and I can reach any of my REST endpoints without doing a prior login or sending a token. But when I start my service with the profile 'develop', the behaviour is the same: none of my endpoints is secured. Only when I delete DisabledWebSecurityConfig.java completely does my security for profile 'develop' require full authentication.

Is this because @Profile in combination with extending WebSecurityConfigurerAdapter doesn't work? It looks like the Profile-annotation is completely ignored?

Comment From: thlaegler

Workaround: When I replace the annotations @Profile with @ConditionalOnExpression("${my.security.enabled: ...}") on both WebSecurityConfigs it works. But why?

Comment From: snicoll

@thlaegler I don't know what is going on here and I can't guess based on the code snippet you've provided. To be sure, please share a sample that we can run ourselves (it doesn't need to be that complex, just two different security configs showcasing the problem you've described).

Comment From: thlaegler

Hi @snicoll, I'll try to prepare an example. Unfortunately the annotation @ConditionalOnExpression("${my.security.enabled: ...}") didn't solve the problem either. In the meantime I found the following lines in the logs during start-up:

2018-05-03 11:28:59.178 DEBUG 9351 --- [           main] eGlobalAuthenticationAutowiredConfigurer : Eagerly initializing {org.springframework.boot.autoconfigure.security.servlet.WebSecurityEnablerConfiguration=org.springframework.boot.autoconfigure.security.servlet.WebSecurityEnablerConfiguration$$EnhancerBySpringCGLIB$$9a3d049c@7baf7e2c}
2018-05-03 11:28:59.192  INFO 9351 --- [           main] .s.s.UserDetailsServiceAutoConfiguration : 

Using generated security password: b6a549fc-259c-489a-a4f2-2aaf30e0fb2a

2018-05-03 11:28:59.243 DEBUG 9351 --- [           main] s.s.c.a.w.c.WebSecurityConfigurerAdapter : Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).
2018-05-03 11:29:29.443 DEBUG 9351 --- [           main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'authenticated', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1

And my two WebSecurityConfig classes are not loaded. I added a @Init method and set a breakpoint, but my classes are never initialized.

After playing around with different solutions I changed the second @Profile annotation to @Profile({"staging", "integration", "production"}) instead of @Profile({"!develop", "!qa"}). Now it's working.

So from my perspective this issue could be closed. But there are still some question marks around this area.
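An added illustration, not part of the original thread and not Spring's own code: a `@Profile` array is matched if any one entry matches, so a list of negations such as `{"!develop", "!qa"}` still matches when `develop` is active (because `!qa` is true), while an explicit list only matches the named profiles. The class name `ProfileNegationDemo`, the helper `loads` and the profile `typo-profile` are made up for this sketch, and it assumes spring-core is on the classpath.

```java
import org.springframework.core.env.StandardEnvironment;

// Added illustration: evaluates the two @Profile value lists from the thread
// against several active profiles, using the Environment check that @Profile
// delegates to.
public class ProfileNegationDemo {

    // Returns true if a bean annotated with @Profile(profileValues) would be
    // registered when exactly one profile, 'active', is active.
    static boolean loads(String active, String... profileValues) {
        StandardEnvironment env = new StandardEnvironment();
        env.setActiveProfiles(active);
        // OR semantics: true as soon as one entry matches; "!x" means "x is not active".
        return env.acceptsProfiles(profileValues);
    }

    public static void main(String[] args) {
        String[] negated = {"!develop", "!qa"};                        // list of negations
        String[] explicit = {"staging", "integration", "production"};  // explicit list

        // "typo-profile" is a constructed value standing in for a misspelled profile name.
        for (String active : new String[] {"develop", "qa", "staging", "typo-profile"}) {
            System.out.printf("active=%-13s permitAll config loads: negated=%-5b explicit=%b%n",
                    active, loads(active, negated), loads(active, explicit));
        }
    }
}
```

For a configuration that turns security off, the explicit list is the safer form: an unknown or misspelled profile does not load the permitAll configuration. From Spring Framework 5.1 onward, a single expression such as `@Profile("!develop & !qa")` expresses "neither profile is active".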

Comment From: srivdya94

Hi, I have tried doing the same, but even removing ! and adding the required environments did not work for me. Can you please help me with this? My example is the same as yours, and I even tried with the @Order annotation as well.