Uploaded image for project: 'Spring Web Flow'
  1. Spring Web Flow
  2. SWF-1753

Redundant default security when spring-security-core in the classpath

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.5.1
    • Fix Version/s: None
    • Component/s: Integration: Security
    • Labels:

      Description

      We decided to implement separate security lib in our project. It will be shared among loads of our services. We created an @EnableApiKeyAuth annotation that imports our custom security config which implies the protection of all requests via a specific header. However, if we are going to use our library, but don't want to put this annotation in the application class, the default authentication will be enabled because of the presence of the spring-security-core in our lib's classpath. The obvious way to fix it is to exclude SecurityAutoConfiguration, but it's inconvenient since we are obliged to do that in every service where we don't want to use the aforementioned annotation. I implemented the so-called DefaultSecurityConfiguration in our security lib that is enabled only if there is no WebSecurityConfigurerAdapter in the application context. I suggest that this behavior is quite irrational. Could you fix it in the nearest time, please?

        Attachments

          Activity

            People

            Assignee:
            rstoya05-aop Rossen Stoyanchev
            Reporter:
            ilyaokonechnikov IlyaOkonechnikov
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated: