Integrate Spring Security

apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/AppController.java

@@ -6,6 +6,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Pageable;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -16,6 +17,7 @@ import org.springframework.web.bind.annotation.RestController;
 import com.ctrip.apollo.biz.entity.App;
 import com.ctrip.apollo.biz.service.AdminService;
 import com.ctrip.apollo.biz.service.AppService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.common.utils.BeanUtils;
 import com.ctrip.apollo.core.dto.AppDTO;
 import com.ctrip.apollo.core.exception.NotFoundException;
@@ -30,18 +32,19 @@ public class AppController {
   private AdminService adminService;
 
   @RequestMapping(path = "/apps", method = RequestMethod.POST)
-  public ResponseEntity<AppDTO> create(@RequestBody AppDTO dto) {
+  public ResponseEntity<AppDTO> create(@RequestBody AppDTO dto, @ActiveUser UserDetails user) {
     App entity = BeanUtils.transfrom(App.class, dto);
+    entity.setDataChangeCreatedBy(user.getUsername());
     entity = adminService.createNewApp(entity);
     dto = BeanUtils.transfrom(AppDTO.class, entity);
     return ResponseEntity.status(HttpStatus.CREATED).body(dto);
   }
 
   @RequestMapping(path = "/apps/{appId}", method = RequestMethod.DELETE)
-  public void delete(@PathVariable("appId") String appId) {
+  public void delete(@PathVariable("appId") String appId, @ActiveUser UserDetails user) {
     App entity = appService.findOne(appId);
     if (entity == null) throw new NotFoundException("app not found for appId " + appId);
-    appService.delete(entity.getId(), "who");
+    appService.delete(entity.getId(), user.getUsername());
   }
 
   @RequestMapping("/apps")
@@ -64,13 +67,15 @@ public class AppController {
   }
 
   @RequestMapping(path = "/apps/{appId}", method = RequestMethod.PUT)
-  public AppDTO update(@PathVariable("appId") String appId, @RequestBody AppDTO dto) {
+  public AppDTO update(@PathVariable("appId") String appId, @RequestBody AppDTO dto,
+      @ActiveUser UserDetails user) {
     if (!appId.equals(dto.getAppId())) {
       throw new IllegalArgumentException(String
           .format("Path variable %s is not equals to object field %s", appId, dto.getAppId()));
     }
     App entity = appService.findOne(appId);
     if (entity == null) throw new NotFoundException("app not found for appId " + appId);
+    entity.setDataChangeLastModifiedBy(user.getUsername());
     entity = appService.update(BeanUtils.transfrom(App.class, dto));
     return BeanUtils.transfrom(AppDTO.class, entity);
   }

apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ClusterController.java

@@ -5,6 +5,7 @@ import java.util.List;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -14,6 +15,7 @@ import org.springframework.web.bind.annotation.RestController;
 import com.ctrip.apollo.biz.entity.Cluster;
 import com.ctrip.apollo.biz.service.ClusterService;
 import com.ctrip.apollo.biz.service.ViewService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.common.utils.BeanUtils;
 import com.ctrip.apollo.core.dto.ClusterDTO;
 import com.ctrip.apollo.core.exception.NotFoundException;
@@ -29,8 +31,9 @@ public class ClusterController {
 
   @RequestMapping(path = "/apps/{appId}/clusters", method = RequestMethod.POST)
   public ResponseEntity<ClusterDTO> create(@PathVariable("appId") String appId,
-      @RequestBody ClusterDTO dto) {
+      @RequestBody ClusterDTO dto, @ActiveUser UserDetails user) {
     Cluster entity = BeanUtils.transfrom(Cluster.class, dto);
+    entity.setDataChangeCreatedBy(user.getUsername());
     entity = clusterService.save(entity);
     dto = BeanUtils.transfrom(ClusterDTO.class, entity);
     return ResponseEntity.status(HttpStatus.CREATED).body(dto);
@@ -38,11 +41,11 @@ public class ClusterController {
 
   @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}", method = RequestMethod.DELETE)
   public void delete(@PathVariable("appId") String appId,
-      @PathVariable("clusterName") String clusterName) {
+      @PathVariable("clusterName") String clusterName, @ActiveUser UserDetails user) {
     Cluster entity = clusterService.findOne(appId, clusterName);
     if (entity == null)
       throw new NotFoundException("cluster not found for clusterName " + clusterName);
-    clusterService.delete(entity.getId(), "who");
+    clusterService.delete(entity.getId(), user.getUsername());
   }
 
   @RequestMapping("/apps/{appId}/clusters")
@@ -55,18 +58,21 @@ public class ClusterController {
   public ClusterDTO get(@PathVariable("appId") String appId,
       @PathVariable("clusterName") String clusterName) {
     Cluster cluster = clusterService.findOne(appId, clusterName);
+    if (cluster == null) throw new NotFoundException("cluster not found for name " + clusterName);
     return BeanUtils.transfrom(ClusterDTO.class, cluster);
   }
 
   @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}", method = RequestMethod.PUT)
   public ClusterDTO update(@PathVariable("appId") String appId,
-      @PathVariable("clusterName") String clusterName, @RequestBody ClusterDTO dto) {
+      @PathVariable("clusterName") String clusterName, @RequestBody ClusterDTO dto,
+      @ActiveUser UserDetails user) {
     if (!clusterName.equals(dto.getName())) {
       throw new IllegalArgumentException(String
           .format("Path variable %s is not equals to object field %s", clusterName, dto.getName()));
     }
     Cluster entity = clusterService.findOne(appId, clusterName);
     if (entity == null) throw new NotFoundException("cluster not found for name " + clusterName);
+    entity.setDataChangeLastModifiedBy(user.getUsername());
     entity = clusterService.update(BeanUtils.transfrom(Cluster.class, dto));
     return BeanUtils.transfrom(ClusterDTO.class, entity);
   }

apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ItemController.java

@@ -5,6 +5,7 @@ import java.util.List;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -14,6 +15,7 @@ import org.springframework.web.bind.annotation.RestController;
 import com.ctrip.apollo.biz.entity.Item;
 import com.ctrip.apollo.biz.service.ItemService;
 import com.ctrip.apollo.biz.service.ViewService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.common.utils.BeanUtils;
 import com.ctrip.apollo.core.dto.ItemDTO;
 import com.ctrip.apollo.core.exception.NotFoundException;
@@ -28,18 +30,19 @@ public class ItemController {
   private ItemService itemService;
 
   @RequestMapping(path = "/items/", method = RequestMethod.POST)
-  public ResponseEntity<ItemDTO> create(@RequestBody ItemDTO dto) {
+  public ResponseEntity<ItemDTO> create(@RequestBody ItemDTO dto, @ActiveUser UserDetails user) {
     Item entity = BeanUtils.transfrom(Item.class, dto);
+    entity.setDataChangeCreatedBy(user.getUsername());
     entity = itemService.save(entity);
     dto = BeanUtils.transfrom(ItemDTO.class, entity);
     return ResponseEntity.status(HttpStatus.CREATED).body(dto);
   }
 
   @RequestMapping(path = "/items/{itemId}", method = RequestMethod.DELETE)
-  public void delete(@PathVariable("itemId") long itemId) {
+  public void delete(@PathVariable("itemId") long itemId, @ActiveUser UserDetails user) {
     Item entity = itemService.findOne(itemId);
     if (entity == null) throw new NotFoundException("item not found for itemId " + itemId);
-    itemService.delete(entity.getId(), "who");
+    itemService.delete(entity.getId(), user.getUsername());
   }
 
   @RequestMapping("/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/items")
@@ -53,13 +56,16 @@ public class ItemController {
   @RequestMapping("/items/{itemId}")
   public ItemDTO get(@PathVariable("itemId") long itemId) {
     Item item = itemService.findOne(itemId);
+    if (item == null) throw new NotFoundException("item not found for itemId " + itemId);
     return BeanUtils.transfrom(ItemDTO.class, item);
   }
 
   @RequestMapping(path = "/item/{itemId}", method = RequestMethod.PUT)
-  public ItemDTO update(@PathVariable("itemId") long itemId, @RequestBody ItemDTO dto) {
+  public ItemDTO update(@PathVariable("itemId") long itemId, @RequestBody ItemDTO dto,
+      @ActiveUser UserDetails user) {
     Item entity = itemService.findOne(itemId);
     if (entity == null) throw new NotFoundException("item not found for itemId " + itemId);
+    entity.setDataChangeLastModifiedBy(user.getUsername());
     entity = itemService.update(BeanUtils.transfrom(Item.class, dto));
     return BeanUtils.transfrom(ItemDTO.class, entity);
   }

apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ItemSetController.java

@@ -3,12 +3,14 @@ package com.ctrip.apollo.adminservice.controller;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 
 import com.ctrip.apollo.biz.service.ItemSetService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.core.dto.ItemChangeSets;
 
 @RestController
@@ -18,8 +20,8 @@ public class ItemSetController {
   private ItemSetService itemSetService;
 
   @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/itemset", method = RequestMethod.POST)
-  public ResponseEntity<Void> create(@RequestBody ItemChangeSets changeSet) {
-    itemSetService.updateSet(changeSet);
+  public ResponseEntity<Void> create(@RequestBody ItemChangeSets changeSet, @ActiveUser UserDetails user) {
+    itemSetService.updateSet(changeSet, user.getUsername());
     return ResponseEntity.status(HttpStatus.OK).build();
   }
 }

apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/NamespaceController.java

@@ -5,6 +5,7 @@ import java.util.List;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -14,6 +15,7 @@ import org.springframework.web.bind.annotation.RestController;
 import com.ctrip.apollo.biz.entity.Namespace;
 import com.ctrip.apollo.biz.service.NamespaceService;
 import com.ctrip.apollo.biz.service.ViewService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.common.utils.BeanUtils;
 import com.ctrip.apollo.core.dto.NamespaceDTO;
 import com.ctrip.apollo.core.exception.NotFoundException;
@@ -29,7 +31,8 @@ public class NamespaceController {
 
   @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}/namespaces", method = RequestMethod.POST)
   public ResponseEntity<NamespaceDTO> create(@PathVariable("appId") String appId,
-      @PathVariable("clusterName") String clusterName, @RequestBody NamespaceDTO dto) {
+      @PathVariable("clusterName") String clusterName, @RequestBody NamespaceDTO dto,
+      @ActiveUser UserDetails user) {
     if (!appId.equals(dto.getAppId())) {
       throw new IllegalArgumentException(String
           .format("Path variable %s is not equals to object field %s", appId, dto.getAppId()));
@@ -39,6 +42,7 @@ public class NamespaceController {
           "Path variable %s is not equals to object field %s", clusterName, dto.getClusterName()));
     }
     Namespace entity = BeanUtils.transfrom(Namespace.class, dto);
+    entity.setDataChangeCreatedBy(user.getUsername());
     entity = namespaceService.save(entity);
     dto = BeanUtils.transfrom(NamespaceDTO.class, entity);
     return ResponseEntity.status(HttpStatus.CREATED).body(dto);
@@ -47,11 +51,11 @@ public class NamespaceController {
   @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}", method = RequestMethod.DELETE)
   public void delete(@PathVariable("appId") String appId,
       @PathVariable("clusterName") String clusterName,
-      @PathVariable("namespaceName") String namespaceName) {
+      @PathVariable("namespaceName") String namespaceName, @ActiveUser UserDetails user) {
     Namespace entity = namespaceService.findOne(appId, clusterName, namespaceName);
     if (entity == null) throw new NotFoundException(
         String.format("namespace not found for %s %s %s", appId, clusterName, namespaceName));
-    namespaceService.delete(entity.getId(), "who");
+    namespaceService.delete(entity.getId(), user.getUsername());
   }
 
   @RequestMapping("/apps/{appId}/clusters/{clusterName}/namespaces")
@@ -82,7 +86,8 @@ public class NamespaceController {
   @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}", method = RequestMethod.PUT)
   public NamespaceDTO update(@PathVariable("appId") String appId,
       @PathVariable("clusterName") String clusterName,
-      @PathVariable("namespaceName") String namespaceName, @RequestBody NamespaceDTO dto) {
+      @PathVariable("namespaceName") String namespaceName, @RequestBody NamespaceDTO dto,
+      @ActiveUser UserDetails user) {
     if (!appId.equals(dto.getAppId())) {
       throw new IllegalArgumentException(String
           .format("Path variable %s is not equals to object field %s", appId, dto.getAppId()));
@@ -99,6 +104,7 @@ public class NamespaceController {
     Namespace entity = namespaceService.findOne(appId, clusterName, namespaceName);
     if (entity == null) throw new NotFoundException(
         String.format("namespace not found for %s %s %s", appId, clusterName, namespaceName));
+    entity.setDataChangeLastModifiedBy(user.getUsername());
     entity = namespaceService.update(BeanUtils.transfrom(Namespace.class, dto));
     return BeanUtils.transfrom(NamespaceDTO.class, entity);
   }

apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ReleaseController.java

@@ -3,6 +3,7 @@ package com.ctrip.apollo.adminservice.controller;
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -13,6 +14,7 @@ import com.ctrip.apollo.biz.entity.Release;
 import com.ctrip.apollo.biz.service.ConfigService;
 import com.ctrip.apollo.biz.service.ReleaseService;
 import com.ctrip.apollo.biz.service.ViewService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.common.utils.BeanUtils;
 import com.ctrip.apollo.core.dto.ReleaseDTO;
 import com.ctrip.apollo.core.exception.NotFoundException;
@@ -47,12 +49,12 @@ public class ReleaseController {
 
   @RequestMapping("/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/releases/latest")
   public ReleaseDTO getLatest(@PathVariable("appId") String appId,
-                              @PathVariable("clusterName") String clusterName,
-                              @PathVariable("namespaceName") String namespaceName) {
+      @PathVariable("clusterName") String clusterName,
+      @PathVariable("namespaceName") String namespaceName) {
     Release release = configService.findRelease(appId, clusterName, namespaceName);
     if (release == null) {
-      throw new NotFoundException(
-          String.format("latest release not found for %s %s %s", appId, clusterName, namespaceName));
+      throw new NotFoundException(String.format("latest release not found for %s %s %s", appId,
+          clusterName, namespaceName));
     } else {
       return BeanUtils.transfrom(ReleaseDTO.class, release);
     }
@@ -62,8 +64,10 @@ public class ReleaseController {
   public ReleaseDTO buildRelease(@PathVariable("appId") String appId,
       @PathVariable("clusterName") String clusterName,
       @PathVariable("namespaceName") String namespaceName, @RequestParam("name") String name,
-      @RequestParam(name = "comment", required = false) String comment) {
-    Release release = releaseService.buildRelease(name, comment, appId, clusterName, namespaceName, "who");
+      @RequestParam(name = "comment", required = false) String comment,
+      @ActiveUser UserDetails user) {
+    Release release = releaseService.buildRelease(name, comment, appId, clusterName, namespaceName,
+        user.getUsername());
     return BeanUtils.transfrom(ReleaseDTO.class, release);
   }
 }

apollo-adminservice/src/test/java/com/ctrip/apollo/adminservice/controller/AbstractControllerTest.java

@@ -15,7 +15,7 @@ import com.ctrip.apollo.AdminServiceTestConfiguration;
 @WebIntegrationTest(randomPort = true)
 public abstract class AbstractControllerTest {
 
-  RestTemplate restTemplate = new TestRestTemplate();
+  RestTemplate restTemplate = new TestRestTemplate("user", "");
 
   @Value("${local.server.port}")
   int port;

apollo-adminservice/src/test/java/com/ctrip/apollo/adminservice/controller/ItemSetControllerTest.java

@@ -5,6 +5,7 @@ import java.util.List;
 import org.junit.Assert;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.TestRestTemplate;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.test.context.jdbc.Sql;
@@ -44,7 +45,7 @@ public class ItemSetControllerTest extends AbstractControllerTest {
     Assert.assertEquals("application", namespace.getNamespaceName());
 
     ItemChangeSets itemSet = new ItemChangeSets();
-    itemSet.setModifyBy("created");
+    restTemplate = new TestRestTemplate("created", "");
 
     int createdSize = 3;
     for (int i = 0; i < createdSize; i++) {
@@ -91,8 +92,8 @@ public class ItemSetControllerTest extends AbstractControllerTest {
     Assert.assertEquals("application", namespace.getNamespaceName());
 
     ItemChangeSets createChangeSet = new ItemChangeSets();
-    createChangeSet.setModifyBy("created");
-
+    restTemplate = new TestRestTemplate("created", "");
+    
     int createdSize = 3;
     for (int i = 0; i < createdSize; i++) {
       ItemDTO item = new ItemDTO();
@@ -115,8 +116,8 @@ public class ItemSetControllerTest extends AbstractControllerTest {
             ItemDTO[].class);
 
     ItemChangeSets udpateChangeSet = new ItemChangeSets();
-    udpateChangeSet.setModifyBy("updated");
-
+    restTemplate = new TestRestTemplate("updated", "");
+    
     int updatedSize = 2;
     for (int i = 0; i < updatedSize; i++) {
       items[i].setValue("updated_value_" + i);
@@ -160,8 +161,8 @@ public class ItemSetControllerTest extends AbstractControllerTest {
     Assert.assertEquals("application", namespace.getNamespaceName());
 
     ItemChangeSets createChangeSet = new ItemChangeSets();
-    createChangeSet.setModifyBy("created");
-
+    restTemplate = new TestRestTemplate("created", "");
+    
     int createdSize = 3;
     for (int i = 0; i < createdSize; i++) {
       ItemDTO item = new ItemDTO();
@@ -184,8 +185,8 @@ public class ItemSetControllerTest extends AbstractControllerTest {
             ItemDTO[].class);
 
     ItemChangeSets deleteChangeSet = new ItemChangeSets();
-    deleteChangeSet.setModifyBy("deleted");
-
+    restTemplate = new TestRestTemplate("deleted", "");
+    
     int deletedSize = 1;
     for (int i = 0; i < deletedSize; i++) {
       items[i].setValue("deleted_value_" + i);

apollo-adminservice/src/test/java/com/ctrip/apollo/adminservice/controller/TestWebSecurityConfig.java

+package com.ctrip.apollo.adminservice.controller;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@Order(99)
+public class TestWebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    http.httpBasic();
+    http.csrf().disable();
+  }
+
+  @Autowired
+  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+    auth.inMemoryAuthentication().withUser("user").password("").roles("USER");
+    auth.inMemoryAuthentication().withUser("apollo").password("").roles("USER", "ADMIN");
+    auth.inMemoryAuthentication().withUser("created").password("").roles("TEST");
+    auth.inMemoryAuthentication().withUser("updated").password("").roles("TEST");
+    auth.inMemoryAuthentication().withUser("deleted").password("").roles("TEST");
+  }
+}

apollo-biz/src/main/java/com/ctrip/apollo/biz/service/ItemSetService.java

@@ -21,15 +21,15 @@ public class ItemSetService {
   private AuditService auditService;
 
   @Transactional
-  public void updateSet(ItemChangeSets changeSet) {
+  public void updateSet(ItemChangeSets changeSet, String owner) {
     if (changeSet.getCreateItems() != null) {
       for (ItemDTO item : changeSet.getCreateItems()) {
         Item entity = BeanUtils.transfrom(Item.class, item);
-        entity.setDataChangeCreatedBy(changeSet.getModifyBy());
-        entity.setDataChangeLastModifiedBy(changeSet.getModifyBy());
+        entity.setDataChangeCreatedBy(owner);
+        entity.setDataChangeLastModifiedBy(owner);
         itemRepository.save(entity);
       }
-      auditService.audit("ItemSet", null, Audit.OP.INSERT, changeSet.getModifyBy());
+      auditService.audit("ItemSet", null, Audit.OP.INSERT, owner);
     }
 
     if (changeSet.getUpdateItems() != null) {
@@ -37,20 +37,20 @@ public class ItemSetService {
         Item entity = BeanUtils.transfrom(Item.class, item);
         Item managedItem = itemRepository.findOne(entity.getId());
         BeanUtils.copyEntityProperties(entity, managedItem);
-        managedItem.setDataChangeLastModifiedBy(changeSet.getModifyBy());
+        managedItem.setDataChangeLastModifiedBy(owner);
         itemRepository.save(managedItem);
       }
-      auditService.audit("ItemSet", null, Audit.OP.UPDATE, changeSet.getModifyBy());
+      auditService.audit("ItemSet", null, Audit.OP.UPDATE, owner);
     }
 
     if (changeSet.getDeleteItems() != null) {
       for (ItemDTO item : changeSet.getDeleteItems()) {
         Item entity = BeanUtils.transfrom(Item.class, item);
-        entity.setDataChangeLastModifiedBy(changeSet.getModifyBy());
+        entity.setDataChangeLastModifiedBy(owner);
         itemRepository.save(entity);
         itemRepository.delete(item.getId());
       }
-      auditService.audit("ItemSet", null, Audit.OP.DELETE, changeSet.getModifyBy());
+      auditService.audit("ItemSet", null, Audit.OP.DELETE, owner);
     }
   }
 }

apollo-biz/src/test/java/com/ctrip/apollo/biz/service/AdminServiceTest.java

@@ -59,9 +59,6 @@ public class AdminServiceTest {
 
     List<Audit> audits = auditService.findByOwner(owner);
     Assert.assertEquals(4, audits.size());
-    for(Audit audit : audits){
-      System.out.println(audit);
-    }
   }
 
 }

apollo-common/pom.xml

@@ -22,6 +22,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-actuator</artifactId>

apollo-common/src/main/java/com/ctrip/apollo/common/controller/ActiveUser.java

+package com.ctrip.apollo.common.controller;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+
+@Target({ElementType.PARAMETER, ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+@AuthenticationPrincipal
+public @interface ActiveUser {
+
+}

apollo-common/src/main/java/com/ctrip/apollo/common/controller/WebMvcConfig.java

@@ -15,11 +15,11 @@ public class WebMvcConfig extends WebMvcConfigurerAdapter {
 
   @Override
   public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
+    PageableHandlerMethodArgumentResolver pageResolver =
+        new PageableHandlerMethodArgumentResolver();
+    pageResolver.setFallbackPageable(new PageRequest(0, 10));
 
-    PageableHandlerMethodArgumentResolver resolver = new PageableHandlerMethodArgumentResolver();
-    resolver.setFallbackPageable(new PageRequest(0, 10));
-
-    argumentResolvers.add(resolver);
+    argumentResolvers.add(pageResolver);
   }
 
   @Override

apollo-common/src/main/java/com/ctrip/apollo/common/controller/WebSecurityConfig.java

+package com.ctrip.apollo.common.controller;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    http.httpBasic();
+    http.csrf().disable();
+  }
+
+  @Autowired
+  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+    auth.inMemoryAuthentication().withUser("user").password("").roles("USER").and()
+        .withUser("apollo").password("").roles("USER", "ADMIN");
+  }
+}

apollo-core/src/main/java/com/ctrip/apollo/core/dto/ItemChangeSets.java

@@ -8,7 +8,6 @@ import java.util.List;
  */
 public class ItemChangeSets {
 
-  private String modifyBy;
   private List<ItemDTO> createItems = new LinkedList<>();
   private List<ItemDTO> updateItems = new LinkedList<>();
   private List<ItemDTO> deleteItems = new LinkedList<>();
@@ -49,12 +48,4 @@ public class ItemChangeSets {
     this.deleteItems = deleteItems;
   }
 
-  public String getModifyBy() {
-    return modifyBy;
-  }
-
-  public void setModifyBy(String modifyBy) {
-    this.modifyBy = modifyBy;
-  }
-
 }

apollo-portal/src/main/java/com/ctrip/apollo/portal/service/ConfigService.java

@@ -147,7 +147,6 @@ public class ConfigService {
     ItemChangeSets changeSets = resolver.resolve(namespaceId, configText,
         itemAPI.findItems(appId, env, clusterName, namespaceName));
     try {
-      changeSets.setModifyBy(model.getModifyBy());
       enrichChangeSetBaseInfo(changeSets);
       itemAPI.updateItems(appId, env, clusterName, namespaceName, changeSets);
     } catch (Exception e) {