Merge pull request #1250 from stormpath/issue/1238

Ensure that a default WebSecurityConfigurerAdapter is loaded if one is not specified

Author: dogeared

docs/source/tutorial.rst

@@ -239,7 +239,7 @@ disable it. That's where the ``application.properties`` files comes in:
 .. code-block:: java
     :linenos:
 
-    security.basic.enabled = false
+    stormpath.spring.security.enabled = false
 
 That property disables Spring Security and avoids our Spring Security integration to be loaded.
 
@@ -899,6 +899,14 @@ As you can see from the examples above, Stormpath provides powerful oauth2 Token
 ``/oauth/token`` endpoint. There is no additional coding required on your part to make use of the Token Management
 feature.
 
+#if( $springboot )
+You may notice that there is no class in this part of the tutorial that extends ``WebSecurityConfigurerAdapter``.
+In this particular case, *all* user-defined paths are locked down. This is the default for Spring Security and the
+Stormpath Spring Security integration follows suit.
+
+If you fire up the tutorial app and browse to the home page: http://localhost:8080/, you will be redirected to `/login`.
+#end
+
 .. _wrapping-up:
 
 Wrapping Up

examples/spring-security-spring-boot-webmvc-bare-bones/src/main/java/com/stormpath/spring/boot/examples/SpringSecurityWebAppConfig.java

@@ -33,7 +33,10 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
@@ -45,6 +48,8 @@
 import javax.servlet.Filter;
 import javax.servlet.Servlet;
 
+import static org.springframework.boot.autoconfigure.security.SecurityProperties.ACCESS_OVERRIDE_ORDER;
+
 /**
  * @since 1.0.RC5
  */
@@ -179,4 +184,12 @@ public StormpathWrapperFilter stormpathWrapperFilter() {
         return super.stormpathWrapperFilter();
     }
 
+    // Fix for: https://github.com/stormpath/stormpath-sdk-java/issues/1238
+    // If stormpath is enabled, we don't want the spring security default definition
+    @Order(ACCESS_OVERRIDE_ORDER)
+    @Configuration
+    protected static class SpringSecurityWebAppConfig extends WebSecurityConfigurerAdapter {
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {}
+    }
 }

extensions/spring/boot/stormpath-spring-security-webmvc-spring-boot-starter/src/main/java/com/stormpath/spring/boot/autoconfigure/StormpathWebSecurityAutoConfiguration.java

@@ -19,4 +19,4 @@
 #
 #stormpath.application.href = https://api.stormpath.com/v1/applications/YOUR_APPLICATION_ID_HERE
 
-security.basic.enabled = false
+stormpath.spring.security.enabled = false

tutorials/spring-boot/00-the-basics/src/main/resources/application.properties

@@ -19,4 +19,4 @@
 #
 #stormpath.application.href = https://api.stormpath.com/v1/applications/YOUR_APPLICATION_ID_HERE
 
-security.basic.enabled = false
+stormpath.spring.security.enabled = false

tutorials/spring-boot/01-some-access-controls/src/main/resources/application.properties

@@ -19,4 +19,4 @@
 #
 #stormpath.application.href = https://api.stormpath.com/v1/applications/YOUR_APPLICATION_ID_HERE
 
-security.basic.enabled = false
+stormpath.spring.security.enabled = false