问题:
没有WebSecurityConfigrerAdapter的Spring Security性
谭志用
我正在尝试更新到Spring Boot 2.7.0-SNAPSHOT。此版本中不推荐使用WebSecurity配置适配器。
旧的WebSecurityConfig with WebSecurityConfigurerAdapter(工作正常):
/**
* SecurityConfig
*
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;
@Autowired
private CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
@Autowired
private OAuth2AuthenticationSuccessHandler oAuth2AuthenticationSuccessHandler;
@Autowired
private OAuth2AuthenticationFailureHandler oAuth2AuthenticationFailureHandler;
@Autowired
private OAuth2UserServiceImpl oAuth2UserServiceImpl;
/**
* for development
*
* @return
*/
@Bean
public PasswordEncoder passwordEncoder() {
// for development
return NoOpPasswordEncoder.getInstance();
}
@Override
public void configure(WebSecurity web) {
// ignoring
web.ignoring().antMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/favicon.ico", "/oauth2");
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/", "/login", "/error", "/message/**").permitAll();
http.authorizeRequests().anyRequest().authenticated();
http.formLogin();
http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint("/login"));
http.addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class);
// OAuth2
http.oauth2Login().loginPage("/").defaultSuccessUrl("/home", false);
http.oauth2Login().userInfoEndpoint().userService(oAuth2UserServiceImpl);
http.oauth2Login().successHandler(oAuth2AuthenticationSuccessHandler);
http.oauth2Login().failureHandler(oAuth2AuthenticationFailureHandler);
http.logout().logoutUrl("/logout").logoutSuccessUrl("/login").deleteCookies("JSESSIONID");
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.enableSessionUrlRewriting(false);
}
private MyAuthenticationFilter authenticationFilter() throws Exception {
MyAuthenticationFilter filter = new MyAuthenticationFilter();
filter.setAuthenticationManager(authenticationManagerBean());
filter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler);
filter.setAuthenticationFailureHandler(customAuthenticationFailureHandler);
filter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/authentication", "POST"));
return filter;
}
private AuthenticationEntryPoint authenticationEntryPoint(String loginFormUrl) {
return new MyLoginUrlAuthenticationEntryPoint(loginFormUrl);
}
}
读完这篇博文后,我修改了新的WebSecurityConfig:
/**
* SecurityConfig
*
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
@Autowired
private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;
@Autowired
private CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
@Autowired
private OAuth2AuthenticationSuccessHandler oAuth2AuthenticationSuccessHandler;
@Autowired
private OAuth2AuthenticationFailureHandler oAuth2AuthenticationFailureHandler;
@Autowired
private OAuth2UserServiceImpl oAuth2UserServiceImpl;
/**
* for development
*
* @return
*/
@Bean
public PasswordEncoder passwordEncoder() {
// for development
return NoOpPasswordEncoder.getInstance();
}
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers(
"/css/**", "/js/**", "/img/**", "/lib/**", "/favicon.ico", "/oauth2");
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/", "/login", "/error", "/message/**").permitAll();
http.authorizeRequests().anyRequest().authenticated();
http.formLogin();
http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint("/login"));
http.addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class);
// OAuth2
http.oauth2Login().loginPage("/").defaultSuccessUrl("/home", false);
http.oauth2Login().userInfoEndpoint().userService(oAuth2UserServiceImpl);
http.oauth2Login().successHandler(oAuth2AuthenticationSuccessHandler);
http.oauth2Login().failureHandler(oAuth2AuthenticationFailureHandler);
http.logout().logoutUrl("/logout").logoutSuccessUrl("/login").deleteCookies("JSESSIONID");
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.enableSessionUrlRewriting(false);
return http.build();
}
private MyAuthenticationFilter authenticationFilter() throws Exception {
MyAuthenticationFilter filter = new MyAuthenticationFilter();
// How can I fix this? ------------------------------------------
filter.setAuthenticationManager(authenticationManagerBean());
// --------------------------------------------------------------
filter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler);
filter.setAuthenticationFailureHandler(customAuthenticationFailureHandler);
filter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/authentication", "POST"));
return filter;
}
private AuthenticationEntryPoint authenticationEntryPoint(String loginFormUrl) {
return new MyLoginUrlAuthenticationEntryPoint(loginFormUrl);
}
}
我能够修复两种方法。(#configure(WebSecurity web)和#configure(HttpSecurity http))
但是,我不知道如何修复authenticationManagerBean()。我从哪里获得AuthenticationManager?
共有3个答案
伍耀
如果要将 AuthenticationManager 注入到其他 Spring 组件中,可以使用以下配置。
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
这种方法为我解决了这个问题,您可以在任何需要的地方注入AuthenticationManager。
编辑:
@EnableWebSecurity
@RequiredArgsConstructor
public class SpringSecurityConfiguration {
private final AuthenticationConfiguration authenticationConfiguration;
@Bean
public AuthenticationManager authenticationManager() throws Exception
{
return authenticationConfiguration.getAuthenticationManager();
}
羊舌承天
这是我花了一天时间配置的整个类。希望能节省你的时间。
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class ApplicationSecurityConfig {
private final UserDetailsService userService;
private final AuthenticationConfiguration configuration;
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
AbstractAuthenticationProcessingFilter filter = new CustomizedAuthenticationFilter(authenticationManager());
filter.setFilterProcessesUrl("/api/login");
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.authorizeRequests().antMatchers(HttpMethod.POST, "/api/login").permitAll();
http.authorizeRequests().anyRequest().authenticated();
http.addFilter(filter);
return http.build();
}
@Bean
AuthenticationManager authenticationManager() throws Exception {
return configuration.getAuthenticationManager();
}
@Autowired
void configure(AuthenticationManagerBuilder builder) throws Exception {
builder.userDetailsService(userService).passwordEncoder(new BCryptPasswordEncoder());
}
}
狄睿
您可以创建自定义 DSL。这实际上是Spring Security内部的工作方式。
public class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {
@Override
public void configure(HttpSecurity http) throws Exception {
AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
http.addFilterBefore(new MyAuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class);
}
public static MyCustomDsl customDsl() {
return new MyCustomDsl();
}
}
然后,您可以在构建SecurityFilterChain时应用自定义DSL:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.apply(customDsl());
return http.build();
}
类似资料:
-
我正在尝试即将推出的Spring Boot 2.7.0-SNAPSHOT,它使用Spring Security 5.7.0,它不支持WebSecurity配置适配器。 我阅读了这篇博文,但我不确定如何将的默认实现公开给我的JWT授权过滤器。 旧的WebSecurityConfig使用WebSecurityConfig适配器(工作正常): 新的Web安全配置: 正如你所见,我再也没有公开的bean了
-
主要内容:1.入门,2.设置用户名和密码1.入门 1.启动一个SpringBoot项目 2.导入SpringSecurity相关依赖 3.编写Controller TestController.java 用户是user 密码是刚刚的 2.设置用户名和密码 1.在配置文件中设置 2.在配置类中设置 3.自定义实现类 2.1 配置文件中设置 2.2 在配置类中设置 设置用户名为zZZ,密码为root 2.3 自定义实现类 配置类: 业务类:
-
问题内容: 我目前正在评估基于Java的安全框架,我是Spring 3.0用户,因此似乎似乎SpringSecurity是正确的选择,但是Spring安全性似乎受到过分复杂的困扰,它似乎并没有使安全性易于实现, Shiro似乎更加连贯,更容易理解。我正在寻找这两个框架之间的利弊清单。 问题答案: 我也同意Spring Security对我来说感觉太复杂了。当然,他们已经做了一些降低复杂性的事情,例
-
当我POST到时,我会收到由配置的生成的403响应。但是,我希望这个请求是允许的,因为它由覆盖,并且在之前。 诸如之类的请求工作正常。此外,我命中这些 终结点的集成测试也可以正常工作,这表明与 CORS 有关,尽管预检请求为 200。 你知道这个安全配置有什么问题吗? 这是我的CORS配置: 我从调用这些endpoint,这是返回的项目之一。 以下是来自请求的Spring Security调试日志
-
在WAR的情况下,它试图将请求转发到/error页面,并寻找它的处理程序方法(请参见底部的日志)。 最后我得到以下回应: 我该换什么才能得到401?
-
1.导入jar包 web.xml spring-security.xml