Make default management security back off with Authorization server

wilkinsona · wilkinsona · commit 7666a02247a4 · 2025-08-19T12:07:11.000+01:00
Fixes gh-46841
diff --git a/module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerAutoConfiguration.java b/module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerAutoConfiguration.java
@@ -21,6 +21,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
+import org.springframework.boot.security.autoconfigure.actuate.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.context.annotation.Import;
@@ -42,7 +43,7 @@
  * @since 4.0.0
  * @see OAuth2AuthorizationServerJwtAutoConfiguration
  */
-@AutoConfiguration(before = SecurityAutoConfiguration.class,
+@AutoConfiguration(before = { SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class },
 		beforeName = "org.springframework.boot.security.oauth2.server.resource.autoconfigure.servlet.OAuth2ResourceServerAutoConfiguration")
 @ConditionalOnClass(OAuth2Authorization.class)
 @ConditionalOnWebApplication(type = Type.SERVLET)
diff --git a/module/spring-boot-security-oauth2-authorization-server/src/test/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerAutoConfigurationTests.java b/module/spring-boot-security-oauth2-authorization-server/src/test/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerAutoConfigurationTests.java
@@ -19,6 +19,7 @@
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.security.autoconfigure.actuate.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
@@ -165,6 +166,19 @@ void authorizationServerSettingsBacksOffWhenAuthorizationServerSettingsBeanPrese
 			});
 	}
 
+	@Test
+	void causesManagementWebSecurityAutoConfigurationToBackOff() {
+		this.contextRunner
+			.withPropertyValues(CLIENT_PREFIX + ".foo.registration.client-id=abcd",
+					CLIENT_PREFIX + ".foo.registration.client-secret=secret",
+					CLIENT_PREFIX + ".foo.registration.client-authentication-methods=client_secret_basic",
+					CLIENT_PREFIX + ".foo.registration.authorization-grant-types=client_credentials",
+					CLIENT_PREFIX + ".foo.registration.scopes=test")
+			.withConfiguration(AutoConfigurations.of(ManagementWebSecurityAutoConfiguration.class))
+			.run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class)
+				.doesNotHaveBean("managementSecurityFilterChain"));
+	}
+
 	@Configuration
 	static class TestRegisteredClientRepositoryConfiguration {
 
