欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  IT编程

Springboot配置security basic path无效解决方案

程序员文章站 2022-06-22 10:09:35
问题springcloud 版本 为 finchley.releasespringboot 版本为 2.0.3.release现在有需求,/swagger-ui.html 页面需要添加登录认证,但是本...

问题

springcloud 版本 为 finchley.release

springboot 版本为 2.0.3.release

现在有需求,/swagger-ui.html 页面需要添加登录认证,但是本来的接口不需要登录认证

升级springboot之前的做法是直接在application.yml 文件中添加以下配置:

security:
 basic:
  enabled: true # 启用springsecurity的安全配置项
  path: /swagger-ui.html
 user:
  name: aijianzi # 认证用户名
  password: course # 认证密码
  role:    # 授权角色
  - user

升级后这种配置就出错了,连编译都出错,如下图:

解决过程

查找源代码,找到如下:

来自:https://github.com/spring-projects/spring-boot/wiki/spring-boot-2.0-migration-guide

security
spring boot 2 greatly simplifies the default security configuration and makes adding custom security easy. rather than having several security-related auto-configurations, spring boot now has a single behavior that backs off as soon as you add your own websecurityconfigureradapter.

you are affected if you were using any of the following properties:

security.basic.authorize-mode
security.basic.enabled
security.basic.path
security.basic.realm
security.enable-csrf
security.headers.cache
security.headers.content-security-policy
security.headers.content-security-policy-mode
security.headers.content-type
security.headers.frame
security.headers.hsts
security.headers.xss
security.ignored
security.require-ssl
security.sessions

翻译:spring boot 2极大地简化了默认的安全配置,并使添加定制安全性变得更加容易。spring boot并没有使用几个与安全相关的自动配置,而是在添加自己的websecurityconfigureradapter时就有了一个单独的行为。如果您使用以下属性,您将受到影响

再找到:https://github.com/spring-projects/spring-boot/wiki/spring-boot-security-2.0

security auto-configuration
spring boot 2.0 does not provide separate auto-configuration for user-defined endpoints and actuator endpoints. when spring security is on the classpath, the auto-configuration secures all endpoints by default. it adds the @enablewebsecurity annotation and relies on spring security's content-negotiation strategy to determine whether to use httpbasic or formlogin. a user with a a default username and generated password is added, which can be used to login.

翻译:spring boot 2.0没有为用户定义的端点和执行器端点提供单独的自动配置。当spring security在类路径上时,自动配置默认为所有端点。它添加了@enablewebsecurity 注释,并依赖于spring security的内容协商策略来决定是否使用httpbasic或formlogin。添加了一个默认用户名和生成密码的用户,这可以用来登录。

解决

对于不同的url,安全性是不同的,关键在于重载websecurityconfigureradapter 类的configure(httpsecurity) 方法。具体可以参考以上的两个链接

我的完整实现如下:

1、pom.xml 中添加依赖:

<dependency>
  <groupid>org.springframework.boot</groupid>
  <artifactid>spring-boot-starter-security</artifactid>
</dependency>

2、application.yml 文件中配置登录用户名和密码(如果只到这里,那么所有的请求都会被拦截)

spring:
 security:
 user:
  name: admin
  password: admin

3、添加自定义的配置类,注解@configuration @enablewebsecurity

import org.springframework.context.annotation.configuration;
import org.springframework.security.config.annotation.web.builders.httpsecurity;
import org.springframework.security.config.annotation.web.configuration.enablewebsecurity;
import org.springframework.security.config.annotation.web.configuration.websecurityconfigureradapter;

/**
 * @author jiashubing
 * @since 2018/7/16
 */
@configuration
@enablewebsecurity
public class actuatorwebsecurityconfigurationadapter extends websecurityconfigureradapter {
  @override
  protected void configure(httpsecurity http) throws exception {
    http
        .authorizerequests()
        //普通的接口不需要校验
        .antmatchers("/courseapi/**").permitall()
        // swagger页面需要添加登录校验
        .antmatchers("/swagger-ui.html").authenticated()
        .and()
        .formlogin();
  }
}

当然也可以配置成需要某个角色的用户才能查看某些url

以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持。