Upgrade to Spring Security 5.0.0.BUILD-SNAPSHOT

mbhave · mbhave · commit 8600bd729441 · 2017-10-19T15:39:01.000-07:00
Following some changes in the latest snapshot this includes: - Some updates to oauth2 client auto-config - Security auto-config no longer relies on GlobalAuthenticationConfigurerAdapter - Remove reactive security starter Closes gh-10704
diff --git a/spring-boot-project/spring-boot-autoconfigure/pom.xml b/spring-boot-project/spring-boot-autoconfigure/pom.xml
@@ -523,11 +523,6 @@
 			<artifactId>spring-security-data</artifactId>
 			<optional>true</optional>
 		</dependency>
-		<dependency>
-			<groupId>org.springframework.security</groupId>
-			<artifactId>spring-security-webflux</artifactId>
-			<optional>true</optional>
-		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-jwt-jose</artifactId>
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfiguration.java
@@ -27,7 +27,7 @@
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
-import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 /**
@@ -42,7 +42,7 @@
  */
 @Configuration
 @ConditionalOnClass({ AuthenticationManager.class,
-		GlobalAuthenticationConfigurerAdapter.class })
+		EnableWebSecurity.class })
 @EnableConfigurationProperties(SecurityProperties.class)
 @Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
 		AuthenticationManagerConfiguration.class, SecurityDataConfiguration.class })
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
@@ -16,14 +16,12 @@
 
 package org.springframework.boot.autoconfigure.security;
 
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
 /**
@@ -36,7 +34,6 @@
  * @author Madhura Bhave
  * @since 2.0.0
  */
-@ConditionalOnClass(EnableWebSecurity.class)
 @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
 @ConditionalOnWebApplication(type = Type.SERVLET)
 public class SpringBootWebSecurityConfiguration {
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/WebSecurityEnablerConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/WebSecurityEnablerConfiguration.java
@@ -17,7 +17,6 @@
 package org.springframework.boot.autoconfigure.security;
 
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -34,7 +33,6 @@
  * @since 2.0.0
  */
 @ConditionalOnBean(WebSecurityConfigurerAdapter.class)
-@ConditionalOnClass(EnableWebSecurity.class)
 @ConditionalOnMissingBean(WebSecurityConfiguration.class)
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
 @EnableWebSecurity
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesRegistrationAdapter.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesRegistrationAdapter.java
@@ -76,7 +76,7 @@ private static Builder getBuilder(String registrationId, String configuredProvid
 			throw new IllegalStateException(getErrorMessage(configuredProviderId, registrationId));
 		}
 		Builder builder = (provider != null ? provider.getBuilder(registrationId)
-				: new Builder(registrationId));
+				: ClientRegistration.withRegistrationId(registrationId));
 		if (providers.containsKey(providerId)) {
 			return getBuilder(builder, providers.get(providerId));
 		}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveAuthenticationManagerConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveAuthenticationManagerConfiguration.java
@@ -27,15 +27,15 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
-import org.springframework.security.core.userdetails.MapUserDetailsRepository;
+import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsRepository;
 
 /**
  * Default user {@link Configuration} for a reactive web application. Configures a
- * {@link UserDetailsRepository} with a default user and generated password. This
- * backs-off completely if there is a bean of type {@link UserDetailsRepository} or
+ * {@link ReactiveUserDetailsService} with a default user and generated password. This
+ * backs-off completely if there is a bean of type {@link ReactiveUserDetailsService} or
  * {@link ReactiveAuthenticationManager}.
  *
  * @author Madhura Bhave
@@ -44,19 +44,19 @@
 @Configuration
 @ConditionalOnClass({ ReactiveAuthenticationManager.class })
 @ConditionalOnMissingBean({ ReactiveAuthenticationManager.class,
-		UserDetailsRepository.class })
+		ReactiveUserDetailsService.class })
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
 public class ReactiveAuthenticationManagerConfiguration {
 
 	private static final Log logger = LogFactory
 			.getLog(ReactiveAuthenticationManagerConfiguration.class);
 
 	@Bean
-	public MapUserDetailsRepository userDetailsRepository() {
+	public MapReactiveUserDetailsService reactiveUserDetailsService() {
 		String password = UUID.randomUUID().toString();
 		logger.info(String.format("%n%nUsing default security password: %s%n", password));
 		UserDetails user = User.withUsername("user").password(password).roles().build();
-		return new MapUserDetailsRepository(user);
+		return new MapReactiveUserDetailsService(user);
 	}
 
 }
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/jpa/JpaUserDetailsTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/jpa/JpaUserDetailsTests.java
@@ -25,9 +25,7 @@
 import org.springframework.boot.autoconfigure.jdbc.EmbeddedDataSourceConfiguration;
 import org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration;
-import org.springframework.boot.autoconfigure.security.user.SecurityConfig;
 import org.springframework.boot.test.context.SpringBootContextLoader;
-import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Import;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ContextConfiguration;
@@ -57,7 +55,6 @@ public static void main(String[] args) throws Exception {
 	@Import({ EmbeddedDataSourceConfiguration.class, DataSourceAutoConfiguration.class,
 			HibernateJpaAutoConfiguration.class,
 			PropertyPlaceholderAutoConfiguration.class, SecurityAutoConfiguration.class })
-	@ComponentScan(basePackageClasses = SecurityConfig.class)
 	public static class Main {
 
 	}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesRegistrationAdapterTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesRegistrationAdapterTests.java
@@ -78,7 +78,7 @@ public void getClientRegistrationsWhenUsingDefinedProviderShouldAdapt()
 		assertThat(adapted.getAuthorizationGrantType()).isEqualTo(
 				org.springframework.security.oauth2.core.AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(adapted.getRedirectUri()).isEqualTo("http://example.com/redirect");
-		assertThat(adapted.getScope()).containsExactly("scope");
+		assertThat(adapted.getScopes()).containsExactly("scope");
 		assertThat(adapted.getClientName()).isEqualTo("clientName");
 	}
 
@@ -112,7 +112,7 @@ public void getClientRegistrationsWhenUsingCommonProviderShouldAdapt()
 				org.springframework.security.oauth2.core.AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(adapted.getRedirectUri()).isEqualTo(
 				"{scheme}://{serverName}:{serverPort}{contextPath}/oauth2/authorize/code/{registrationId}");
-		assertThat(adapted.getScope()).containsExactly("openid", "profile", "email",
+		assertThat(adapted.getScopes()).containsExactly("openid", "profile", "email",
 				"address", "phone");
 		assertThat(adapted.getClientName()).isEqualTo("Google");
 	}
@@ -151,7 +151,7 @@ public void getClientRegistrationsWhenUsingCommonProviderWithOverrideShouldAdapt
 		assertThat(adapted.getAuthorizationGrantType()).isEqualTo(
 				org.springframework.security.oauth2.core.AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(adapted.getRedirectUri()).isEqualTo("http://example.com/redirect");
-		assertThat(adapted.getScope()).containsExactly("scope");
+		assertThat(adapted.getScopes()).containsExactly("scope");
 		assertThat(adapted.getClientName()).isEqualTo("clientName");
 	}
 
@@ -196,7 +196,7 @@ public void getClientRegistrationsWhenProviderNotSpecifiedShouldUseRegistrationI
 				org.springframework.security.oauth2.core.AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(adapted.getRedirectUri()).isEqualTo(
 				"{scheme}://{serverName}:{serverPort}{contextPath}/oauth2/authorize/code/{registrationId}");
-		assertThat(adapted.getScope()).containsExactly("openid", "profile", "email",
+		assertThat(adapted.getScopes()).containsExactly("openid", "profile", "email",
 				"address", "phone");
 		assertThat(adapted.getClientName()).isEqualTo("Google");
 	}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2WebSecurityConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2WebSecurityConfigurationTests.java
@@ -36,7 +36,7 @@
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 import org.springframework.security.oauth2.client.web.AuthorizationCodeAuthenticationFilter;
-import org.springframework.security.oauth2.client.web.AuthorizationCodeRequestRedirectFilter;
+import org.springframework.security.oauth2.client.web.AuthorizationRequestRedirectFilter;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
@@ -97,7 +97,7 @@ private List<Filter> getAuthCodeFilters(AssertableApplicationContext context) {
 				.getField(filterChains.get(0), "filters");
 		List<Filter> oauth2Filters = filters.stream()
 				.filter((f) -> f instanceof AuthorizationCodeAuthenticationFilter
-						|| f instanceof AuthorizationCodeRequestRedirectFilter)
+						|| f instanceof AuthorizationRequestRedirectFilter)
 				.collect(Collectors.toList());
 		return oauth2Filters.stream()
 				.filter((f) -> f instanceof AuthorizationCodeAuthenticationFilter)
@@ -111,7 +111,7 @@ private boolean isEqual(ClientRegistration reg1, ClientRegistration reg2) {
 				&& ObjectUtils.nullSafeEquals(reg1.getClientName(), reg2.getClientName());
 		result = result && ObjectUtils.nullSafeEquals(reg1.getClientSecret(),
 				reg2.getClientSecret());
-		result = result && ObjectUtils.nullSafeEquals(reg1.getScope(), reg2.getScope());
+		result = result && ObjectUtils.nullSafeEquals(reg1.getScopes(), reg2.getScopes());
 		result = result && ObjectUtils.nullSafeEquals(reg1.getRedirectUri(),
 				reg2.getRedirectUri());
 		result = result && ObjectUtils.nullSafeEquals(reg1.getRegistrationId(),
@@ -154,7 +154,7 @@ public ClientRegistrationRepository clientRegistrationRepository() {
 		}
 
 		private ClientRegistration getClientRegistration(String id, String userInfoUri) {
-			ClientRegistration.Builder builder = new ClientRegistration.Builder(id);
+			ClientRegistration.Builder builder = ClientRegistration.withRegistrationId(id);
 			builder.clientName("foo").clientId("foo")
 					.clientAuthenticationMethod(
 							org.springframework.security.oauth2.core.ClientAuthenticationMethod.BASIC)
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveSecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveSecurityAutoConfigurationTests.java
@@ -29,14 +29,14 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.server.reactive.HttpHandler;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
-import org.springframework.security.config.annotation.web.reactive.HttpSecurityConfiguration;
+import org.springframework.security.config.annotation.web.reactive.ServerHttpSecurityConfiguration;
 import org.springframework.security.config.annotation.web.reactive.WebFluxSecurityConfiguration;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.userdetails.MapUserDetailsRepository;
+import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsRepository;
-import org.springframework.security.web.server.WebFilterChainFilter;
+import org.springframework.security.web.server.WebFilterChainProxy;
 import org.springframework.web.reactive.config.EnableWebFlux;
 import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
 
@@ -58,11 +58,11 @@ public void enablesWebFluxSecurity() {
 				.withConfiguration(
 						AutoConfigurations.of(ReactiveSecurityAutoConfiguration.class))
 				.run((context) -> {
-					assertThat(context).getBean(HttpSecurityConfiguration.class)
+					assertThat(context).getBean(ServerHttpSecurityConfiguration.class)
 							.isNotNull();
 					assertThat(context).getBean(WebFluxSecurityConfiguration.class)
 							.isNotNull();
-					assertThat(context).getBean(WebFilterChainFilter.class).isNotNull();
+					assertThat(context).getBean(WebFilterChainProxy.class).isNotNull();
 				});
 	}
 
@@ -72,9 +72,9 @@ public void configuresADefaultUser() {
 				.withConfiguration(
 						AutoConfigurations.of(ReactiveSecurityAutoConfiguration.class))
 				.run((context) -> {
-					UserDetailsRepository userDetailsRepository = context
-							.getBean(UserDetailsRepository.class);
-					assertThat(userDetailsRepository.findByUsername("user").block())
+					ReactiveUserDetailsService userDetailsService = context
+							.getBean(ReactiveUserDetailsService.class);
+					assertThat(userDetailsService.findByUsername("user").block())
 							.isNotNull();
 				});
 	}
@@ -85,13 +85,13 @@ public void doesNotConfigureDefaultUserIfUserDetailsRepositoryAvailable() {
 				.withConfiguration(
 						AutoConfigurations.of(ReactiveSecurityAutoConfiguration.class))
 				.run((context) -> {
-					UserDetailsRepository userDetailsRepository = context
-							.getBean(UserDetailsRepository.class);
-					assertThat(userDetailsRepository.findByUsername("user").block())
+					ReactiveUserDetailsService userDetailsService = context
+							.getBean(ReactiveUserDetailsService.class);
+					assertThat(userDetailsService.findByUsername("user").block())
 							.isNull();
-					assertThat(userDetailsRepository.findByUsername("foo").block())
+					assertThat(userDetailsService.findByUsername("foo").block())
 							.isNotNull();
-					assertThat(userDetailsRepository.findByUsername("admin").block())
+					assertThat(userDetailsService.findByUsername("admin").block())
 							.isNotNull();
 				});
 	}
@@ -103,7 +103,7 @@ public void doesNotConfigureDefaultUserIfAuthenticationManagerAvailable() {
 						TestConfig.class)
 				.withConfiguration(
 						AutoConfigurations.of(ReactiveSecurityAutoConfiguration.class))
-				.run((context) -> assertThat(context).getBean(UserDetailsRepository.class)
+				.run((context) -> assertThat(context).getBean(ReactiveUserDetailsService.class)
 						.isNull());
 	}
 
@@ -127,12 +127,12 @@ public ReactiveWebServerFactory reactiveWebServerFactory() {
 	static class UserConfig {
 
 		@Bean
-		public MapUserDetailsRepository userDetailsRepository() {
+		public MapReactiveUserDetailsService userDetailsService() {
 			UserDetails foo = User.withUsername("foo").password("foo").roles("USER")
 					.build();
 			UserDetails admin = User.withUsername("admin").password("admin")
 					.roles("USER", "ADMIN").build();
-			return new MapUserDetailsRepository(foo, admin);
+			return new MapReactiveUserDetailsService(foo, admin);
 		}
 
 	}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/user/SecurityConfig.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/user/SecurityConfig.java
diff --git a/spring-boot-project/spring-boot-dependencies/pom.xml b/spring-boot-project/spring-boot-dependencies/pom.xml
@@ -154,7 +154,7 @@
 		<spring-plugin.version>1.2.0.RELEASE</spring-plugin.version>
 		<spring-restdocs.version>1.2.2.RELEASE</spring-restdocs.version>
 		<spring-retry.version>1.2.1.RELEASE</spring-retry.version>
-		<spring-security.version>5.0.0.M5</spring-security.version>
+		<spring-security.version>5.0.0.BUILD-SNAPSHOT</spring-security.version>
 		<spring-session.version>2.0.0.M5</spring-session.version>
 		<spring-session-data-mongodb.version>2.0.0.M4</spring-session-data-mongodb.version>
 		<spring-social.version>2.0.0.M4</spring-social.version>
diff --git a/spring-boot-project/spring-boot-docs/pom.xml b/spring-boot-project/spring-boot-docs/pom.xml
@@ -712,11 +712,6 @@
 			<artifactId>spring-security-test</artifactId>
 			<optional>true</optional>
 		</dependency>
-		<dependency>
-			<groupId>org.springframework.security</groupId>
-			<artifactId>spring-security-webflux</artifactId>
-			<optional>true</optional>
-		</dependency>
 		<dependency>
 			<groupId>org.springframework.session</groupId>
 			<artifactId>spring-session-core</artifactId>
diff --git a/spring-boot-project/spring-boot-starters/pom.xml b/spring-boot-project/spring-boot-starters/pom.xml
@@ -58,7 +58,6 @@
 		<module>spring-boot-starter-quartz</module>
 		<module>spring-boot-starter-reactor-netty</module>
 		<module>spring-boot-starter-security</module>
-		<module>spring-boot-starter-security-reactive</module>
 		<module>spring-boot-starter-social-facebook</module>
 		<module>spring-boot-starter-social-twitter</module>
 		<module>spring-boot-starter-social-linkedin</module>
diff --git a/spring-boot-project/spring-boot-starters/spring-boot-starter-security-reactive/pom.xml b/spring-boot-project/spring-boot-starters/spring-boot-starter-security-reactive/pom.xml
diff --git a/spring-boot-project/spring-boot-starters/spring-boot-starter-security-reactive/src/main/resources/META-INF/spring.provides b/spring-boot-project/spring-boot-starters/spring-boot-starter-security-reactive/src/main/resources/META-INF/spring.provides
diff --git a/spring-boot-samples/spring-boot-sample-secure-webflux/pom.xml b/spring-boot-samples/spring-boot-sample-secure-webflux/pom.xml
diff --git a/spring-boot-samples/spring-boot-sample-secure-webflux/src/main/java/sample/secure/webflux/SampleSecureWebFluxApplication.java b/spring-boot-samples/spring-boot-sample-secure-webflux/src/main/java/sample/secure/webflux/SampleSecureWebFluxApplication.java
diff --git a/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/security/method/SampleMethodSecurityApplication.java b/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/security/method/SampleMethodSecurityApplication.java

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ private static Builder getBuilder(String registrationId, String configuredProvid`
`76`	`76`	`throw new IllegalStateException(getErrorMessage(configuredProviderId, registrationId));`
`77`	`77`	`}`
`78`	`78`	`Builder builder = (provider != null ? provider.getBuilder(registrationId)`
`79`		`- : new Builder(registrationId));`
	`79`	`+ : ClientRegistration.withRegistrationId(registrationId));`
`80`	`80`	`if (providers.containsKey(providerId)) {`
`81`	`81`	`return getBuilder(builder, providers.get(providerId));`
`82`	`82`	`}`