我面临的问题是,仅仅通过阅读文档并不能明显解决。在迁移到Sping Boot v2.7.4 / Spring Security v5.7.3时,我重构了配置,不扩展WebSecurityConfigurerAdapter,如下所示:
@Configuration
@EnableWebSecurity
public class CustomSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.
csrf().disable().
logout().disable().
authorizeRequests().anyRequest().permitAll();
return http.build();
}
}调用了上述方法,但是没有任何效果,因为使用了由OAuth2SecurityFilterChainConfiguration创建的SecurityFilterChain示例(我通过检查堆栈中的过滤器列表看到了这一点,例如LogoutFilter,它应该被上述配置禁用)。调试日志:
2022-10-20 15:49:48.790 [main] o.s.b.a.s.DefaultWebSecurityCondition : Condition DefaultWebSecurityCondition on org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration$OAuth2SecurityFilterChainConfiguration matched due to AllNestedConditions 2 matched 0 did not; NestedCondition on DefaultWebSecurityCondition.Beans @ConditionalOnMissingBean (types: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter,org.springframework.security.web.SecurityFilterChain; SearchStrategy: all) did not find any beans; NestedCondition on DefaultWebSecurityCondition.Classes @ConditionalOnClass found required classes 'org.springframework.security.web.SecurityFilterChain', 'org.springframework.security.config.annotation.web.builders.HttpSecurity'
2022-10-20 15:49:48.791 [main] a.ConfigurationClassBeanDefinitionReader : Registered bean definition for imported class 'org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration$OAuth2SecurityFilterChainConfiguration'
2022-10-20 15:49:48.792 [main] o.s.b.a.condition.OnBeanCondition : Condition OnBeanCondition on org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration$OAuth2SecurityFilterChainConfiguration#jwtSecurityFilterChain matched due to @ConditionalOnBean (types: org.springframework.security.oauth2.jwt.JwtDecoder; SearchStrategy: all) found bean 'jwtDecoderByJwkKeySetUri'
...
2022-10-20 15:49:49.082 [main] a.ConfigurationClassBeanDefinitionReader : Registering bean definition for @Bean method com.mycompany.CustomSecurityConfig.filterChain()
...
2022-10-20 15:49:52.276 [main] edFilterInvocationSecurityMetadataSource : Adding web access control expression [authenticated] for any request
2022-10-20 15:50:13.348 [main] o.s.s.web.DefaultSecurityFilterChain : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@33502cfe, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@729d1428, org.springframework.security.web.context.SecurityContextPersistenceFilter@7d0312a, org.springframework.security.web.header.HeaderWriterFilter@6ca97ddf, org.springframework.security.web.csrf.CsrfFilter@38f569d, org.springframework.security.web.authentication.logout.LogoutFilter@1104ad6a, org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter@74ab8610, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@7833407, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@66acaa54, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@115924ba, org.springframework.security.web.session.SessionManagementFilter@6a905513, org.springframework.security.web.access.ExceptionTranslationFilter@5749e633, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@49741e80]
...
2022-10-20 15:50:13.384 [main] edFilterInvocationSecurityMetadataSource : Adding web access control expression [permitAll] for any request
2022-10-20 15:50:17.641 [main] o.s.s.web.DefaultSecurityFilterChain : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@4a0f4282, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@19d3f4fb, org.springframework.security.web.context.SecurityContextPersistenceFilter@99f75e4, org.springframework.security.web.header.HeaderWriterFilter@118c1faa, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2b6ff016, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5aefdb9e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@43cf97a8, org.springframework.security.web.session.SessionManagementFilter@da5b46f, org.springframework.security.web.access.ExceptionTranslationFilter@11267e87, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@7827cdfc]是否预期bean CustomSecurityConfig.filterChain参与DefaultWebSecurityCondition评估,并且不创建OAuth2SecurityFilterChainConfiguration.jwtSecurityFilterChain。或者DefaultWebSecurityCondition的问题是WebSecurityConfigurerAdapter的示例不再位于上下文中(至于issue #10822,它已被弃用)?
添加@Order()注解的建议不起作用:
@Configuration
@EnableWebSecurity
public class CustomSecurityConfig {
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { ...以及进一步尝试排除自动配置类,如下所示:
@SpringBootApplication(excludeName = "org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration.OAuth2SecurityFilterChainConfiguration")
public class Application extends SpringBootServletInitializer { ...失败可能是由于issue #5427,并出现以下错误
java.lang.IllegalStateException: The following classes could not be excluded because they are not auto-configuration classes:
- org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration.OAuth2SecurityFilterChainConfiguration
at org.springframework.boot.autoconfigure.AutoConfigurationImportSelector.handleInvalidExcludes(AutoConfigurationImportSelector.java:222) ~[spring-boot-autoconfigure-2.7.4.jar!/:2.7.4]这个办法也行不通:
@ComponentScan(excludeFilters = {@ComponentScan.Filter(type = FilterType.REGEX, pattern = ".*OAuth2ResourceServerJwtConfiguration.*")})
public class Application extends SpringBootServletInitializer { ...发布前阅读的文档:
- Spring Security without the WebSecurityConfigurerAdapter
- Spring Security: Upgrading the Deprecated WebSecurityConfigurerAdapter
- Spring Security - How to Fix WebSecurityConfigurerAdapter Deprecated
更新
我已经创建了一个small Maven project来演示这个问题。在项目启动后,像这样请求控制器:
$ wget -nv -O - 'http://localhost:8080/spring/test'
Username/Password Authentication Failed.可以看到,自定义配置的SecurityFilterChain不是活动的,因为否则访问将被授予(对于antMatchers( "/**/test").permitAll())。ContextRefreshedEvent侦听器转储两个SecurityFilterChain示例(jwtSecurityFilterChain和filterChain),它们的优先级不可能可靠地配置。
1条答案
按热度按时间qco9c6ql1#
如问题#33103所示,通过@ImportResource从XML导入的bean不参与Sping Boot 自动配置,因此应使用注解执行bean扫描,即@SpringBootApplication(scanBasePackages =“some.package”)-这基本上解决了问题。- dma_k 2022年11月17日9:21
感谢此回复,我找到了解决方案。但由于我们正在使用不同的身份验证方法,所以它可能不适合您。我正在使用这个tutorial中的DaoAuthenticationProvider。然后不使用“WebSecurityConfigurerAdapter”重写为新版本。
希望这个解决方案有帮助。我被折磨了3-4个小时才找到解决方案。
1.我创建了一个名为“config”的子包,它与“models、controller、service等”(或者随便你给它们起什么名字)处于同一级别。x1c 0d1x
1.然后,通过“scanBasePackages”手动导入此包以及其他包。
这里有3个重写的文件在我的“配置”文件夹中。都是从上面提到的教程中重写的。