禁用spring boot前prod环境的websecurity

col17t5w  于 2021-07-05  发布在  Java
关注(0)|答案(4)|浏览(423)

我想用认证来证明我们在生产上的大张旗鼓。这是伟大的,当我试图访问招摇它需要密码和用户名。我希望这个功能只用于生产环境。不知道如何为不同的配置文件/环境禁用它。我尝试了基于.yml属性的if-else,但这导致了其他问题。post和update方法开始返回403禁止。下面是示例代码:

@Configuration
@EnableWebSecurity
@Profile("!test")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityConfig.class);

    @Value("${server.environment}")
    private String environment;

    @Value("${swagger.user}")
    private String swaggerUser;

    @Value("${swagger.password}")
    private String swaggerPass;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if("stage".equals(environment) || "prod".equals(environment)){
            LOGGER.info("Environment: " + environment + " swagger authentication is on");
            http.csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/v2/api-docs").authenticated()
                    .and()
                    .httpBasic();
        } else {
            http.csrf().disable();
            LOGGER.info("Environment: " + environment + " swagger authentication is off");
        }

    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser(swaggerUser).password("{noop}" + swaggerPass).roles("USER");
    }

我曾尝试禁用整个websecurityconfig bean,但没有成功,因为存在依赖项,现在每次它都要求登录。
试过这个,没用:

@Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/**").permitAll();
        }
jchrr9hc

jchrr9hc1#

您可以尝试添加 WebSecurityConfig 这将允许你的招摇过市,免费使用 @ConditionalOnProperty 根据application.yml中的属性确定应使用哪个实现。

lvmkulzt

lvmkulzt2#

建议的方法是为生产和预发布环境创建另一个类,而不是使用if-else。您可能需要允许其他端点使用 permitAll() 或者需要添加基于权限的方法,例如 hasRole() . 还要确保在控制器上没有任何安全注解,例如 @PreAuthorized, @Secured 等。
推荐方法:
prod或staging环境的安全配置

@Configuration
@EnableWebSecurity
@Profile("prod")
public class WebSecurityProductionConfig extends WebSecurityConfigurerAdapter {

    private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityProductionConfig.class);

    @Value("${server.environment}")
    private String environment;

    @Value("${swagger.user}")
    private String swaggerUser;

    @Value("${swagger.password}")
    private String swaggerPass;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        LOGGER.info("Environment: " + environment + " swagger authentication is on");

        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/v2/api-docs").authenticated()
            .antMatchers("**/**").permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser(swaggerUser).password("{noop}" + swaggerPass).roles("USER");
    }
}

dev和其他环境的安全配置

@Configuration
@EnableWebSecurity
@Profile("!prod")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityConfig.class);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
    LOGGER.info("Security configuration for the non prod env is loaded");
        http
            .csrf().disable()
            .authorizeRequests().antMatchers("**/**").permitAll();
    }

}

否则方法

@Configuration
@EnableWebSecurity
@Profile("!test")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityConfig.class);

    @Value("${server.environment}")
    private String environment;

    @Value("${swagger.user}")
    private String swaggerUser;

    @Value("${swagger.password}")
    private String swaggerPass;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();

        if ("stage".equals(environment) || "prod".equals(environment)) {
            LOGGER.info("Environment: " + environment + " swagger authentication is on");
            http
                .authorizeRequests()
                .antMatchers("/v2/api-docs").authenticated();
        } else {
            http.authorizeRequests().antMatchers("**/**").permitAll();
            LOGGER.info("Environment: " + environment + " swagger authentication is off");
        }
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser(swaggerUser).password("{noop}" + swaggerPass).roles("USER");
    }
}
bmvo0sr5

bmvo0sr53#

从一开始你的方法看起来不错,
创建一个名为“test”的配置文件,其配置如下: application-test.properties spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.securityautoconfiguration
然后通过添加@profile(“!和我看到的一样
通过活动测试配置文件禁止使用没有安全配置的测试配置文件 java --spring.profiles.active=test -jar yourapp.jarmvn spring-boot:run -Dspring-boot.run.arguments=--spring.profiles.active=test

yk9xbfzb

yk9xbfzb4#

如果您只想为prod环境配置安全性,那么只需要为prod环境实现websecurityconfigureradapter。

@Profile("prod")
    @Configuration
    public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
                http.csrf().disable()
                        .authorizeRequests()
                        .antMatchers("/v2/api-docs").authenticated()
                        .and()
                        .httpBasic();
        }
    }

有关更多信息,请访问此博客:https://www.baeldung.com/spring-security-disable-profile

相关问题