Integrate Spring Security

43653a62 · Yiming Liu · ab54e424 · 43653a62 · 43653a62 · 43653a62
17 changed file
--- a/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/AppController.java
+++ b/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/AppController.java
@@ -6,6 +6,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Pageable;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -16,6 +17,7 @@ import org.springframework.web.bind.annotation.RestController;
 import com.ctrip.apollo.biz.entity.App;
 import com.ctrip.apollo.biz.service.AdminService;
 import com.ctrip.apollo.biz.service.AppService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.common.utils.BeanUtils;
 import com.ctrip.apollo.core.dto.AppDTO;
 import com.ctrip.apollo.core.exception.NotFoundException;
@@ -30,18 +32,19 @@ public class AppController {
  private AdminService adminService;

  @RequestMapping(path = "/apps", method = RequestMethod.POST)
-  public ResponseEntity<AppDTO> create(@RequestBody AppDTO dto) {
+  public ResponseEntity<AppDTO> create(@RequestBody AppDTO dto, @ActiveUser UserDetails user) {
    App entity = BeanUtils.transfrom(App.class, dto);
+    entity.setDataChangeCreatedBy(user.getUsername());
    entity = adminService.createNewApp(entity);
    dto = BeanUtils.transfrom(AppDTO.class, entity);
    return ResponseEntity.status(HttpStatus.CREATED).body(dto);
  }

  @RequestMapping(path = "/apps/{appId}", method = RequestMethod.DELETE)
-  public void delete(@PathVariable("appId") String appId) {
+  public void delete(@PathVariable("appId") String appId, @ActiveUser UserDetails user) {
    App entity = appService.findOne(appId);
    if (entity == null) throw new NotFoundException("app not found for appId " + appId);
-    appService.delete(entity.getId(), "who");
+    appService.delete(entity.getId(), user.getUsername());
  }

  @RequestMapping("/apps")
@@ -64,13 +67,15 @@ public class AppController {
  }

  @RequestMapping(path = "/apps/{appId}", method = RequestMethod.PUT)
-  public AppDTO update(@PathVariable("appId") String appId, @RequestBody AppDTO dto) {
+  public AppDTO update(@PathVariable("appId") String appId, @RequestBody AppDTO dto,
+      @ActiveUser UserDetails user) {
    if (!appId.equals(dto.getAppId())) {
      throw new IllegalArgumentException(String
          .format("Path variable %s is not equals to object field %s", appId, dto.getAppId()));
    }
    App entity = appService.findOne(appId);
    if (entity == null) throw new NotFoundException("app not found for appId " + appId);
+    entity.setDataChangeLastModifiedBy(user.getUsername());
    entity = appService.update(BeanUtils.transfrom(App.class, dto));
    return BeanUtils.transfrom(AppDTO.class, entity);
  }

--- a/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ClusterController.java
+++ b/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ClusterController.java
@@ -5,6 +5,7 @@ import java.util.List;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -14,6 +15,7 @@ import org.springframework.web.bind.annotation.RestController;
 import com.ctrip.apollo.biz.entity.Cluster;
 import com.ctrip.apollo.biz.service.ClusterService;
 import com.ctrip.apollo.biz.service.ViewService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.common.utils.BeanUtils;
 import com.ctrip.apollo.core.dto.ClusterDTO;
 import com.ctrip.apollo.core.exception.NotFoundException;
@@ -29,8 +31,9 @@ public class ClusterController {

  @RequestMapping(path = "/apps/{appId}/clusters", method = RequestMethod.POST)
  public ResponseEntity<ClusterDTO> create(@PathVariable("appId") String appId,
-      @RequestBody ClusterDTO dto) {
+      @RequestBody ClusterDTO dto, @ActiveUser UserDetails user) {
    Cluster entity = BeanUtils.transfrom(Cluster.class, dto);
+    entity.setDataChangeCreatedBy(user.getUsername());
    entity = clusterService.save(entity);
    dto = BeanUtils.transfrom(ClusterDTO.class, entity);
    return ResponseEntity.status(HttpStatus.CREATED).body(dto);
@@ -38,11 +41,11 @@ public class ClusterController {

  @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}", method = RequestMethod.DELETE)
  public void delete(@PathVariable("appId") String appId,
-      @PathVariable("clusterName") String clusterName) {
+      @PathVariable("clusterName") String clusterName, @ActiveUser UserDetails user) {
    Cluster entity = clusterService.findOne(appId, clusterName);
    if (entity == null)
      throw new NotFoundException("cluster not found for clusterName " + clusterName);
-    clusterService.delete(entity.getId(), "who");
+    clusterService.delete(entity.getId(), user.getUsername());
  }

  @RequestMapping("/apps/{appId}/clusters")
@@ -55,18 +58,21 @@ public class ClusterController {
  public ClusterDTO get(@PathVariable("appId") String appId,
      @PathVariable("clusterName") String clusterName) {
    Cluster cluster = clusterService.findOne(appId, clusterName);
+    if (cluster == null) throw new NotFoundException("cluster not found for name " + clusterName);
    return BeanUtils.transfrom(ClusterDTO.class, cluster);
  }

  @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}", method = RequestMethod.PUT)
  public ClusterDTO update(@PathVariable("appId") String appId,
-      @PathVariable("clusterName") String clusterName, @RequestBody ClusterDTO dto) {
+      @PathVariable("clusterName") String clusterName, @RequestBody ClusterDTO dto,
+      @ActiveUser UserDetails user) {
    if (!clusterName.equals(dto.getName())) {
      throw new IllegalArgumentException(String
          .format("Path variable %s is not equals to object field %s", clusterName, dto.getName()));
    }
    Cluster entity = clusterService.findOne(appId, clusterName);
    if (entity == null) throw new NotFoundException("cluster not found for name " + clusterName);
+    entity.setDataChangeLastModifiedBy(user.getUsername());
    entity = clusterService.update(BeanUtils.transfrom(Cluster.class, dto));
    return BeanUtils.transfrom(ClusterDTO.class, entity);
  }

--- a/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ItemController.java
+++ b/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ItemController.java
@@ -5,6 +5,7 @@ import java.util.List;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -14,6 +15,7 @@ import org.springframework.web.bind.annotation.RestController;
 import com.ctrip.apollo.biz.entity.Item;
 import com.ctrip.apollo.biz.service.ItemService;
 import com.ctrip.apollo.biz.service.ViewService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.common.utils.BeanUtils;
 import com.ctrip.apollo.core.dto.ItemDTO;
 import com.ctrip.apollo.core.exception.NotFoundException;
@@ -28,18 +30,19 @@ public class ItemController {
  private ItemService itemService;

  @RequestMapping(path = "/items/", method = RequestMethod.POST)
-  public ResponseEntity<ItemDTO> create(@RequestBody ItemDTO dto) {
+  public ResponseEntity<ItemDTO> create(@RequestBody ItemDTO dto, @ActiveUser UserDetails user) {
    Item entity = BeanUtils.transfrom(Item.class, dto);
+    entity.setDataChangeCreatedBy(user.getUsername());
    entity = itemService.save(entity);
    dto = BeanUtils.transfrom(ItemDTO.class, entity);
    return ResponseEntity.status(HttpStatus.CREATED).body(dto);
  }

  @RequestMapping(path = "/items/{itemId}", method = RequestMethod.DELETE)
-  public void delete(@PathVariable("itemId") long itemId) {
+  public void delete(@PathVariable("itemId") long itemId, @ActiveUser UserDetails user) {
    Item entity = itemService.findOne(itemId);
    if (entity == null) throw new NotFoundException("item not found for itemId " + itemId);
-    itemService.delete(entity.getId(), "who");
+    itemService.delete(entity.getId(), user.getUsername());
  }

  @RequestMapping("/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/items")
@@ -53,13 +56,16 @@ public class ItemController {
  @RequestMapping("/items/{itemId}")
  public ItemDTO get(@PathVariable("itemId") long itemId) {
    Item item = itemService.findOne(itemId);
+    if (item == null) throw new NotFoundException("item not found for itemId " + itemId);
    return BeanUtils.transfrom(ItemDTO.class, item);
  }

  @RequestMapping(path = "/item/{itemId}", method = RequestMethod.PUT)
-  public ItemDTO update(@PathVariable("itemId") long itemId, @RequestBody ItemDTO dto) {
+  public ItemDTO update(@PathVariable("itemId") long itemId, @RequestBody ItemDTO dto,
+      @ActiveUser UserDetails user) {
    Item entity = itemService.findOne(itemId);
    if (entity == null) throw new NotFoundException("item not found for itemId " + itemId);
+    entity.setDataChangeLastModifiedBy(user.getUsername());
    entity = itemService.update(BeanUtils.transfrom(Item.class, dto));
    return BeanUtils.transfrom(ItemDTO.class, entity);
  }

--- a/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ItemSetController.java
+++ b/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ItemSetController.java
@@ -3,12 +3,14 @@ package com.ctrip.apollo.adminservice.controller;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;

 import com.ctrip.apollo.biz.service.ItemSetService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.core.dto.ItemChangeSets;

 @RestController
@@ -18,8 +20,8 @@ public class ItemSetController {
  private ItemSetService itemSetService;

  @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/itemset", method = RequestMethod.POST)
-  public ResponseEntity<Void> create(@RequestBody ItemChangeSets changeSet) {
-    itemSetService.updateSet(changeSet);
+  public ResponseEntity<Void> create(@RequestBody ItemChangeSets changeSet, @ActiveUser UserDetails user) {
+    itemSetService.updateSet(changeSet, user.getUsername());
    return ResponseEntity.status(HttpStatus.OK).build();
  }
 }
--- a/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/NamespaceController.java
+++ b/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/NamespaceController.java
@@ -5,6 +5,7 @@ import java.util.List;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -14,6 +15,7 @@ import org.springframework.web.bind.annotation.RestController;
 import com.ctrip.apollo.biz.entity.Namespace;
 import com.ctrip.apollo.biz.service.NamespaceService;
 import com.ctrip.apollo.biz.service.ViewService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.common.utils.BeanUtils;
 import com.ctrip.apollo.core.dto.NamespaceDTO;
 import com.ctrip.apollo.core.exception.NotFoundException;
@@ -29,7 +31,8 @@ public class NamespaceController {

  @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}/namespaces", method = RequestMethod.POST)
  public ResponseEntity<NamespaceDTO> create(@PathVariable("appId") String appId,
-      @PathVariable("clusterName") String clusterName, @RequestBody NamespaceDTO dto) {
+      @PathVariable("clusterName") String clusterName, @RequestBody NamespaceDTO dto,
+      @ActiveUser UserDetails user) {
    if (!appId.equals(dto.getAppId())) {
      throw new IllegalArgumentException(String
          .format("Path variable %s is not equals to object field %s", appId, dto.getAppId()));
@@ -39,6 +42,7 @@ public class NamespaceController {
          "Path variable %s is not equals to object field %s", clusterName, dto.getClusterName()));
    }
    Namespace entity = BeanUtils.transfrom(Namespace.class, dto);
+    entity.setDataChangeCreatedBy(user.getUsername());
    entity = namespaceService.save(entity);
    dto = BeanUtils.transfrom(NamespaceDTO.class, entity);
    return ResponseEntity.status(HttpStatus.CREATED).body(dto);
@@ -47,11 +51,11 @@ public class NamespaceController {
  @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}", method = RequestMethod.DELETE)
  public void delete(@PathVariable("appId") String appId,
      @PathVariable("clusterName") String clusterName,
-      @PathVariable("namespaceName") String namespaceName) {
+      @PathVariable("namespaceName") String namespaceName, @ActiveUser UserDetails user) {
    Namespace entity = namespaceService.findOne(appId, clusterName, namespaceName);
    if (entity == null) throw new NotFoundException(
        String.format("namespace not found for %s %s %s", appId, clusterName, namespaceName));
-    namespaceService.delete(entity.getId(), "who");
+    namespaceService.delete(entity.getId(), user.getUsername());
  }

  @RequestMapping("/apps/{appId}/clusters/{clusterName}/namespaces")
@@ -82,7 +86,8 @@ public class NamespaceController {
  @RequestMapping(path = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}", method = RequestMethod.PUT)
  public NamespaceDTO update(@PathVariable("appId") String appId,
      @PathVariable("clusterName") String clusterName,
-      @PathVariable("namespaceName") String namespaceName, @RequestBody NamespaceDTO dto) {
+      @PathVariable("namespaceName") String namespaceName, @RequestBody NamespaceDTO dto,
+      @ActiveUser UserDetails user) {
    if (!appId.equals(dto.getAppId())) {
      throw new IllegalArgumentException(String
          .format("Path variable %s is not equals to object field %s", appId, dto.getAppId()));
@@ -99,6 +104,7 @@ public class NamespaceController {
    Namespace entity = namespaceService.findOne(appId, clusterName, namespaceName);
    if (entity == null) throw new NotFoundException(
        String.format("namespace not found for %s %s %s", appId, clusterName, namespaceName));
+    entity.setDataChangeLastModifiedBy(user.getUsername());
    entity = namespaceService.update(BeanUtils.transfrom(Namespace.class, dto));
    return BeanUtils.transfrom(NamespaceDTO.class, entity);
  }

--- a/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ReleaseController.java
+++ b/apollo-adminservice/src/main/java/com/ctrip/apollo/adminservice/controller/ReleaseController.java
@@ -3,6 +3,7 @@ package com.ctrip.apollo.adminservice.controller;
 import java.util.List;

 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -13,6 +14,7 @@ import com.ctrip.apollo.biz.entity.Release;
 import com.ctrip.apollo.biz.service.ConfigService;
 import com.ctrip.apollo.biz.service.ReleaseService;
 import com.ctrip.apollo.biz.service.ViewService;
+import com.ctrip.apollo.common.controller.ActiveUser;
 import com.ctrip.apollo.common.utils.BeanUtils;
 import com.ctrip.apollo.core.dto.ReleaseDTO;
 import com.ctrip.apollo.core.exception.NotFoundException;
@@ -51,8 +53,8 @@ public class ReleaseController {
      @PathVariable("namespaceName") String namespaceName) {
    Release release = configService.findRelease(appId, clusterName, namespaceName);
    if (release == null) {
-      throw new NotFoundException(
-          String.format("latest release not found for %s %s %s", appId, clusterName, namespaceName));
+      throw new NotFoundException(String.format("latest release not found for %s %s %s", appId,
+          clusterName, namespaceName));
    } else {
      return BeanUtils.transfrom(ReleaseDTO.class, release);
    }
@@ -62,8 +64,10 @@ public class ReleaseController {
  public ReleaseDTO buildRelease(@PathVariable("appId") String appId,
      @PathVariable("clusterName") String clusterName,
      @PathVariable("namespaceName") String namespaceName, @RequestParam("name") String name,
-      @RequestParam(name = "comment", required = false) String comment) {
-    Release release = releaseService.buildRelease(name, comment, appId, clusterName, namespaceName, "who");
+      @RequestParam(name = "comment", required = false) String comment,
+      @ActiveUser UserDetails user) {
+    Release release = releaseService.buildRelease(name, comment, appId, clusterName, namespaceName,
+        user.getUsername());
    return BeanUtils.transfrom(ReleaseDTO.class, release);
  }
 }
--- a/apollo-adminservice/src/test/java/com/ctrip/apollo/adminservice/controller/AbstractControllerTest.java
+++ b/apollo-adminservice/src/test/java/com/ctrip/apollo/adminservice/controller/AbstractControllerTest.java
@@ -15,7 +15,7 @@ import com.ctrip.apollo.AdminServiceTestConfiguration;
 @WebIntegrationTest(randomPort = true)
 public abstract class AbstractControllerTest {

-  RestTemplate restTemplate = new TestRestTemplate();
+  RestTemplate restTemplate = new TestRestTemplate("user", "");

  @Value("${local.server.port}")
  int port;

--- a/apollo-adminservice/src/test/java/com/ctrip/apollo/adminservice/controller/ItemSetControllerTest.java
+++ b/apollo-adminservice/src/test/java/com/ctrip/apollo/adminservice/controller/ItemSetControllerTest.java
@@ -5,6 +5,7 @@ import java.util.List;
 import org.junit.Assert;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.TestRestTemplate;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.test.context.jdbc.Sql;
@@ -44,7 +45,7 @@ public class ItemSetControllerTest extends AbstractControllerTest {
    Assert.assertEquals("application", namespace.getNamespaceName());

    ItemChangeSets itemSet = new ItemChangeSets();
-    itemSet.setModifyBy("created");
+    restTemplate = new TestRestTemplate("created", "");

    int createdSize = 3;
    for (int i = 0; i < createdSize; i++) {
@@ -91,7 +92,7 @@ public class ItemSetControllerTest extends AbstractControllerTest {
    Assert.assertEquals("application", namespace.getNamespaceName());

    ItemChangeSets createChangeSet = new ItemChangeSets();
-    createChangeSet.setModifyBy("created");
+    restTemplate = new TestRestTemplate("created", "");
    
    int createdSize = 3;
    for (int i = 0; i < createdSize; i++) {
@@ -115,7 +116,7 @@ public class ItemSetControllerTest extends AbstractControllerTest {
            ItemDTO[].class);

    ItemChangeSets udpateChangeSet = new ItemChangeSets();
-    udpateChangeSet.setModifyBy("updated");
+    restTemplate = new TestRestTemplate("updated", "");
    
    int updatedSize = 2;
    for (int i = 0; i < updatedSize; i++) {
@@ -160,7 +161,7 @@ public class ItemSetControllerTest extends AbstractControllerTest {
    Assert.assertEquals("application", namespace.getNamespaceName());

    ItemChangeSets createChangeSet = new ItemChangeSets();
-    createChangeSet.setModifyBy("created");
+    restTemplate = new TestRestTemplate("created", "");
    
    int createdSize = 3;
    for (int i = 0; i < createdSize; i++) {
@@ -184,7 +185,7 @@ public class ItemSetControllerTest extends AbstractControllerTest {
            ItemDTO[].class);

    ItemChangeSets deleteChangeSet = new ItemChangeSets();
-    deleteChangeSet.setModifyBy("deleted");
+    restTemplate = new TestRestTemplate("deleted", "");
    
    int deletedSize = 1;
    for (int i = 0; i < deletedSize; i++) {

--- a/apollo-adminservice/src/test/java/com/ctrip/apollo/adminservice/controller/TestWebSecurityConfig.java
+++ b/apollo-adminservice/src/test/java/com/ctrip/apollo/adminservice/controller/TestWebSecurityConfig.java
+package com.ctrip.apollo.adminservice.controller;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@Order(99)
+public class TestWebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    http.httpBasic();
+    http.csrf().disable();
+  }
+
+  @Autowired
+  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+    auth.inMemoryAuthentication().withUser("user").password("").roles("USER");
+    auth.inMemoryAuthentication().withUser("apollo").password("").roles("USER", "ADMIN");
+    auth.inMemoryAuthentication().withUser("created").password("").roles("TEST");
+    auth.inMemoryAuthentication().withUser("updated").password("").roles("TEST");
+    auth.inMemoryAuthentication().withUser("deleted").password("").roles("TEST");
+  }
+}
--- a/apollo-biz/src/main/java/com/ctrip/apollo/biz/service/ItemSetService.java
+++ b/apollo-biz/src/main/java/com/ctrip/apollo/biz/service/ItemSetService.java
@@ -21,15 +21,15 @@ public class ItemSetService {
  private AuditService auditService;

  @Transactional
-  public void updateSet(ItemChangeSets changeSet) {
+  public void updateSet(ItemChangeSets changeSet, String owner) {
    if (changeSet.getCreateItems() != null) {
      for (ItemDTO item : changeSet.getCreateItems()) {
        Item entity = BeanUtils.transfrom(Item.class, item);
-        entity.setDataChangeCreatedBy(changeSet.getModifyBy());
-        entity.setDataChangeLastModifiedBy(changeSet.getModifyBy());
+        entity.setDataChangeCreatedBy(owner);
+        entity.setDataChangeLastModifiedBy(owner);
        itemRepository.save(entity);
      }
-      auditService.audit("ItemSet", null, Audit.OP.INSERT, changeSet.getModifyBy());
+      auditService.audit("ItemSet", null, Audit.OP.INSERT, owner);
    }

    if (changeSet.getUpdateItems() != null) {
@@ -37,20 +37,20 @@ public class ItemSetService {
        Item entity = BeanUtils.transfrom(Item.class, item);
        Item managedItem = itemRepository.findOne(entity.getId());
        BeanUtils.copyEntityProperties(entity, managedItem);
-        managedItem.setDataChangeLastModifiedBy(changeSet.getModifyBy());
+        managedItem.setDataChangeLastModifiedBy(owner);
        itemRepository.save(managedItem);
      }
-      auditService.audit("ItemSet", null, Audit.OP.UPDATE, changeSet.getModifyBy());
+      auditService.audit("ItemSet", null, Audit.OP.UPDATE, owner);
    }

    if (changeSet.getDeleteItems() != null) {
      for (ItemDTO item : changeSet.getDeleteItems()) {
        Item entity = BeanUtils.transfrom(Item.class, item);
-        entity.setDataChangeLastModifiedBy(changeSet.getModifyBy());
+        entity.setDataChangeLastModifiedBy(owner);
        itemRepository.save(entity);
        itemRepository.delete(item.getId());
      }
-      auditService.audit("ItemSet", null, Audit.OP.DELETE, changeSet.getModifyBy());
+      auditService.audit("ItemSet", null, Audit.OP.DELETE, owner);
    }
  }
 }
--- a/apollo-biz/src/test/java/com/ctrip/apollo/biz/service/AdminServiceTest.java
+++ b/apollo-biz/src/test/java/com/ctrip/apollo/biz/service/AdminServiceTest.java
@@ -59,9 +59,6 @@ public class AdminServiceTest {

    List<Audit> audits = auditService.findByOwner(owner);
    Assert.assertEquals(4, audits.size());
-    for(Audit audit : audits){
-      System.out.println(audit);
-    }
  }

 }
--- a/apollo-common/pom.xml
+++ b/apollo-common/pom.xml
@@ -22,6 +22,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-actuator</artifactId>

--- a/apollo-common/src/main/java/com/ctrip/apollo/common/controller/ActiveUser.java
+++ b/apollo-common/src/main/java/com/ctrip/apollo/common/controller/ActiveUser.java
+package com.ctrip.apollo.common.controller;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+
+@Target({ElementType.PARAMETER, ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+@AuthenticationPrincipal
+public @interface ActiveUser {
+
+}
--- a/apollo-common/src/main/java/com/ctrip/apollo/common/controller/WebMvcConfig.java
+++ b/apollo-common/src/main/java/com/ctrip/apollo/common/controller/WebMvcConfig.java
@@ -15,11 +15,11 @@ public class WebMvcConfig extends WebMvcConfigurerAdapter {

  @Override
  public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
+    PageableHandlerMethodArgumentResolver pageResolver =
+        new PageableHandlerMethodArgumentResolver();
+    pageResolver.setFallbackPageable(new PageRequest(0, 10));

-    PageableHandlerMethodArgumentResolver resolver = new PageableHandlerMethodArgumentResolver();
-    resolver.setFallbackPageable(new PageRequest(0, 10));
-
-    argumentResolvers.add(resolver);
+    argumentResolvers.add(pageResolver);
  }

  @Override

--- a/apollo-common/src/main/java/com/ctrip/apollo/common/controller/WebSecurityConfig.java
+++ b/apollo-common/src/main/java/com/ctrip/apollo/common/controller/WebSecurityConfig.java
+package com.ctrip.apollo.common.controller;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    http.httpBasic();
+    http.csrf().disable();
+  }
+
+  @Autowired
+  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+    auth.inMemoryAuthentication().withUser("user").password("").roles("USER").and()
+        .withUser("apollo").password("").roles("USER", "ADMIN");
+  }
+}
--- a/apollo-core/src/main/java/com/ctrip/apollo/core/dto/ItemChangeSets.java
+++ b/apollo-core/src/main/java/com/ctrip/apollo/core/dto/ItemChangeSets.java
@@ -8,7 +8,6 @@ import java.util.List;
 */
 public class ItemChangeSets {

-  private String modifyBy;
  private List<ItemDTO> createItems = new LinkedList<>();
  private List<ItemDTO> updateItems = new LinkedList<>();
  private List<ItemDTO> deleteItems = new LinkedList<>();
@@ -49,12 +48,4 @@ public class ItemChangeSets {
    this.deleteItems = deleteItems;
  }

-  public String getModifyBy() {
-    return modifyBy;
-  }
-
-  public void setModifyBy(String modifyBy) {
-    this.modifyBy = modifyBy;
-  }
-
 }
--- a/apollo-portal/src/main/java/com/ctrip/apollo/portal/service/ConfigService.java
+++ b/apollo-portal/src/main/java/com/ctrip/apollo/portal/service/ConfigService.java
@@ -147,7 +147,6 @@ public class ConfigService {
    ItemChangeSets changeSets = resolver.resolve(namespaceId, configText,
        itemAPI.findItems(appId, env, clusterName, namespaceName));
    try {
-      changeSets.setModifyBy(model.getModifyBy());
      enrichChangeSetBaseInfo(changeSets);
      itemAPI.updateItems(appId, env, clusterName, namespaceName, changeSets);
    } catch (Exception e) {