  • Using security.basic.path directly no longer works: security configuration for Spring Boot 2.0 and above

    Problem

    Spring Cloud version: Finchley.RELEASE
    Spring Boot version: 2.0.3.RELEASE

    The requirement: the /swagger-ui.html page must require login, while the ordinary API endpoints must stay accessible without authentication.

    Before the Spring Boot upgrade this was done by adding the following to application.yml:

    security:
      basic:
        enabled: true # enable Spring Security's basic-auth configuration
        path: /swagger-ui.html
      user:
        name: aijianzi  # username for authentication
        password: course # password for authentication
        role:        # granted roles
        - USER

    After the upgrade this configuration fails; even compilation reports an error, as shown in the screenshot below:

    Investigation

    Searching the source material turned up the following.
    From: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.0-Migration-Guide

    Security
    Spring Boot 2 greatly simplifies the default security configuration and makes adding custom security easy. Rather than having several security-related auto-configurations, Spring Boot now has a single behavior that backs off as soon as you add your own WebSecurityConfigurerAdapter.

    You are affected if you were using any of the following properties:

    security.basic.authorize-mode
    security.basic.enabled
    security.basic.path
    security.basic.realm
    security.enable-csrf
    security.headers.cache
    security.headers.content-security-policy
    security.headers.content-security-policy-mode
    security.headers.content-type
    security.headers.frame
    security.headers.hsts
    security.headers.xss
    security.ignored
    security.require-ssl
    security.sessions


    And further: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-Security-2.0

    Security Auto-configuration
    Spring Boot 2.0 does not provide separate auto-configuration for user-defined endpoints and actuator endpoints. When Spring Security is on the classpath, the auto-configuration secures all endpoints by default. It adds the @EnableWebSecurity annotation and relies on Spring Security’s content-negotiation strategy to determine whether to use httpBasic or formLogin. A user with a default username and generated password is added, which can be used to login.


    Solution

        To apply different security rules to different URLs, the key is to override the configure(HttpSecurity) method of WebSecurityConfigurerAdapter. See the two links above for details.

        My complete implementation is as follows:

    1. Add the dependency to pom.xml:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

    2. Configure the login username and password in application.yml (if you stop here, every request will be intercepted). Note that user must be nested under spring.security, not placed beside it:

    spring:
      security:
        user:
          name: admin
          password: admin

    3. Add a custom configuration class annotated with @Configuration and @EnableWebSecurity:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    
    /**
     * @author jiashubing
     * @since 2018/7/16
     */
    @Configuration
    @EnableWebSecurity
    public class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    // ordinary API endpoints need no authentication
                    .antMatchers("/courseApi/**").permitAll()
                    // the swagger page requires login
                    .antMatchers("/swagger-ui.html").authenticated()
                    .and()
                    .formLogin();
        }
    }

    You can of course also require that a user hold a specific role to view certain URLs; search Baidu for the keyword 【SpringSecurity拦截请求】.
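The following is an added example, not the author's code, that extends the configuration above in the ways a practitioner would usually want. It protects the other paths the springfox Swagger UI loads (the page at /swagger-ui.html fetches /swagger-resources/** and /v2/api-docs, so guarding the HTML page alone still leaves the generated API description reachable), it restricts those paths to a role as the previous sentence mentions, and it exempts the public /courseApi/** endpoints from the CSRF protection that WebSecurityConfigurerAdapter enables by default (otherwise a POST without a CSRF token to a permitAll path is still rejected with 403). The package name, the role name DOCS, the user docs and its password are placeholders; defining the user in code this way replaces the spring.security.user entry from application.yml.

```java
// Added example, not the author's code. Spring Boot 2.0.x / Spring Security 5.0.x.
package com.example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class SwaggerSecurityConfig extends WebSecurityConfigurerAdapter {

    // Every path the Swagger UI loads. Protecting only /swagger-ui.html would
    // leave the API description at /v2/api-docs open to anyone who knows the URL.
    private static final String[] SWAGGER_PATHS = {
            "/swagger-ui.html",
            "/swagger-resources/**",
            "/v2/api-docs",
            "/webjars/**"
    };

    // Public API prefix, taken from the author's configuration.
    private static final String PUBLIC_API = "/courseApi/**";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // ordinary API endpoints stay open, as in the original post
                .antMatchers(PUBLIC_API).permitAll()
                // the documentation surface requires a logged-in user with ROLE_DOCS
                .antMatchers(SWAGGER_PATHS).hasRole("DOCS")
                // explicit fallback: Spring Security permits unmatched paths by
                // default, so state the policy for everything else rather than
                // relying on that silent behaviour
                .anyRequest().authenticated()
            .and()
            // CSRF protection is on by default once you provide your own adapter;
            // skip it only for the public API paths so non-browser clients can POST
            .csrf().ignoringAntMatchers(PUBLIC_API)
            .and()
            .formLogin();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Spring Security 5 refuses unencoded passwords; bcrypt is the sensible default.
        return new BCryptPasswordEncoder();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        // Placeholder account for illustration; a real deployment would load users
        // from a store and never commit the password.
        UserDetails docsUser = User.builder()
                .username("docs")
                .password(passwordEncoder().encode("change-me"))
                .roles("DOCS") // stored as ROLE_DOCS, matched by hasRole("DOCS")
                .build();
        return new InMemoryUserDetailsManager(docsUser);
    }
}
```

With this in place an anonymous GET to /v2/api-docs redirects to the login page instead of returning the API description, a user without ROLE_DOCS gets 403 on the same paths, and POSTs to /courseApi/** succeed without a CSRF token.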

    Original article; reposting is welcome, but please credit the source!

  • Original URL: https://www.cnblogs.com/acm-bingzi/p/springboot-security.html