Fix secure method configuration global authentication

This fixes a bug in the sample, where the AuthenticationManager it builds
is a local one for the filter chain containing "/login", whereas it was
expecting to override the Boot default, which is "global". The fix is
to extract the authentication configuration out into a
GlobalAuthenticationConfigurerAdapter.

Fixes gh-699

Author: Dave Syer

spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/ui/method/SampleMethodSecurityApplication.java

@@ -23,10 +23,12 @@
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -70,17 +72,22 @@ public ApplicationSecurity applicationSecurity() {
 		return new ApplicationSecurity();
 	}
 
-	@Order(Ordered.LOWEST_PRECEDENCE - 8)
-	protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
-
+	@Order(Ordered.HIGHEST_PRECEDENCE)
+	@Configuration
+	protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
+		
 		@Override
-		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+		public void init(AuthenticationManagerBuilder auth) throws Exception {
 			// @formatter:off
 			auth.inMemoryAuthentication().withUser("admin").password("admin")
 					.roles("ADMIN", "USER").and().withUser("user").password("user")
 					.roles("USER");
 			// @formatter:on
 		}
+	}
+	
+	@Order(Ordered.LOWEST_PRECEDENCE - 8)
+	protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
 
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {

spring-boot-samples/spring-boot-sample-web-method-security/src/test/java/sample/ui/method/SampleMethodSecurityApplicationTests.java

@@ -16,17 +16,19 @@
 
 package sample.ui.method;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
 import java.util.Arrays;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.test.IntegrationTest;
-import org.springframework.boot.test.TestRestTemplate;
 import org.springframework.boot.test.SpringApplicationConfiguration;
+import org.springframework.boot.test.TestRestTemplate;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
@@ -39,9 +41,6 @@
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
 /**
  * Basic integration tests for demo application.
  * 
@@ -117,13 +116,19 @@ public void testManagementProtected() throws Exception {
 	}
 
 	@Test
-	@Ignore("https://github.com/spring-projects/spring-boot/issues/699")
 	public void testManagementAuthorizedAccess() throws Exception {
-		ResponseEntity<String> entity = new TestRestTemplate("user", "user")
+		ResponseEntity<String> entity = new TestRestTemplate("admin", "admin")
 				.getForEntity("http://localhost:" + port + "/beans", String.class);
 		assertEquals(HttpStatus.OK, entity.getStatusCode());
 	}
 
+	@Test
+	public void testManagementUnauthorizedAccess() throws Exception {
+		ResponseEntity<String> entity = new TestRestTemplate("user", "user")
+				.getForEntity("http://localhost:" + port + "/beans", String.class);
+		assertEquals(HttpStatus.FORBIDDEN, entity.getStatusCode());
+	}
+
 	private void getCsrf(MultiValueMap<String, String> form, HttpHeaders headers) {
 		ResponseEntity<String> page = new TestRestTemplate().getForEntity(
 				"http://localhost:" + port + "/login", String.class);