在Spring Boot 1.3.1.RELEASE应用程序启动期间,我注意到日志中有以下行:
Using default security password: d60d96ca-1285-41c9-aed7-d5688af74688
它是什么意思以及如何解决它?
我怀疑我的应用程序配置中存在一些问题:
应用:
/**
 * Application entry point. {@code @EnableOAuth2Client} switches on Spring Security's OAuth2
 * client support for this context.
 */
@SpringBootApplication
@EnableOAuth2Client
public class Application {

    /**
     * Bootstraps the Spring context.
     *
     * @param args command-line arguments forwarded to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication application = new SpringApplication(Application.class);
        application.run(args);
    }
}
WebSecurityConfiguration:
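/**
 * Web security configuration for the OAuth2 "ok" login flow.
 *
 * <p>This class only configures the HTTP rules, CSRF handling and the SSO filter; it defines no
 * {@code AuthenticationManager} or user store. Spring Boot therefore keeps its auto-configured
 * default user whose random password is logged at startup ("Using default security password:
 * ..."). Set {@code security.user.*} in the application configuration, or configure your own
 * authentication, to replace it.
 */
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    /** Per-request OAuth2 client context handed to the provider rest template. */
    @Autowired
    private OAuth2ClientContext oauth2ClientContext;

    /** Provider public key, bound from {@code ok.client.publicKey}. */
    @Value("${ok.client.publicKey}")
    private String okClientPublicKey;

    /**
     * Configures the HTTP security chain: public landing/login pages, authentication for
     * everything else, session-backed CSRF with a cookie mirror, and the SSO login filter.
     *
     * @param http the {@link HttpSecurity} builder supplied by Spring Security
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            // X-Frame-Options is switched off, so these pages may be framed by any origin
            // (clickjacking exposure). Prefer sameOrigin() unless cross-origin framing is required.
            .headers().frameOptions().disable()
            .and().antMatcher("/**").authorizeRequests()
                .antMatchers("/", "/login**", "/index.html", "/home.html").permitAll()
                .anyRequest().authenticated()
            .and().exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"))
            // logout() is configured once here; calling it a second time earlier in the chain
            // returned the same configurer and added nothing.
            .and().logout().logoutSuccessUrl("/").permitAll()
            .and().csrf().csrfTokenRepository(csrfTokenRepository())
            .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
            .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
        // @formatter:on
    }

    /**
     * Builds a filter that mirrors the server-side CSRF token into an {@code XSRF-TOKEN} cookie
     * so browser-side code can echo it back in the {@code X-XSRF-TOKEN} header.
     *
     * @return the cookie-writing filter
     */
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                    FilterChain filterChain) throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    // Rewrite the cookie only when it is missing or no longer matches the current token.
                    boolean cookieStale = cookie == null
                            || (token != null && !token.equals(cookie.getValue()));
                    if (cookieStale) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        // Deliberately not HttpOnly: browser-side script must read this cookie.
                        // Mark it Secure on TLS requests so it is never sent over plain HTTP.
                        cookie.setSecure(request.isSecure());
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    /**
     * Creates the session-backed CSRF token repository, reading the token from the
     * {@code X-XSRF-TOKEN} request header.
     *
     * @return the configured repository
     */
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

    /**
     * Registers the OAuth2 client context filter ahead of the security filter chain.
     *
     * @param filter the auto-configured {@link OAuth2ClientContextFilter}
     * @return the registration bean with order {@code -100}
     */
    @Bean
    public FilterRegistrationBean oauth2ClientFilterRegistration(OAuth2ClientContextFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(filter);
        registration.setOrder(-100);
        return registration;
    }

    /**
     * Client and resource settings for the "ok" provider, bound from the {@code ok.*} properties.
     *
     * @return the bound resources
     */
    @Bean
    @ConfigurationProperties("ok")
    ClientResources ok() {
        return new ClientResources();
    }

    /**
     * Assembles the SSO filter; currently a single provider mounted at {@code /login/ok}.
     *
     * @return a composite of the provider login filters
     */
    private Filter ssoFilter() {
        CompositeFilter filter = new CompositeFilter();
        List<Filter> filters = new ArrayList<>();
        // ok() is a @Bean method on a @Configuration class, so this resolves to the bound bean.
        filters.add(ssoFilter(ok(), "/login/ok"));
        filter.setFilters(filters);
        return filter;
    }

    /**
     * Builds the authorization-code login filter for one provider.
     *
     * @param client provider client and resource settings
     * @param path   the login path the filter processes
     * @return the configured login filter
     */
    private Filter ssoFilter(ClientResources client, String path) {
        OAuth2ClientAuthenticationProcessingFilter clientFilter =
                new OAuth2ClientAuthenticationProcessingFilter(path);
        OAuth2RestTemplate clientTemplate = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);
        clientFilter.setRestTemplate(clientTemplate);
        // OkUsersClient / OkUserInfoTokenServices are project classes; presumably they resolve the
        // authenticated user from the provider's user-info endpoint — confirm against their source.
        OkUsersClient okUsersClient = new OkUsersClient(client.getResource().getUserInfoUri(), okClientPublicKey,
                client.getClient().getClientSecret(), clientTemplate);
        clientFilter.setTokenServices(new OkUserInfoTokenServices(okUsersClient, client.getClient().getClientId()));
        clientFilter.setAuthenticationSuccessHandler(new UrlParameterAuthenticationHandler());
        return clientFilter;
    }

    /**
     * Success handler that redirects to the target URL and carries over the original query string
     * without the OAuth2 {@code state} and {@code code} parameters.
     */
    static class UrlParameterAuthenticationHandler extends SimpleUrlAuthenticationSuccessHandler {
        @Override
        protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
                throws IOException, ServletException {
            String targetUrl = determineTargetUrl(request, response);
            if (response.isCommitted()) {
                logger.debug("Response has already been committed. Unable to redirect to " + targetUrl);
                return;
            }
            // HttpUtils.removeParams is a project helper; presumably drops the named parameters — verify.
            String queryString = HttpUtils.removeParams(request.getQueryString(), "state", "code");
            targetUrl = !StringUtils.isEmpty(queryString) ? targetUrl + "?" + queryString : targetUrl;
            getRedirectStrategy().sendRedirect(request, response, targetUrl);
        }
    }

    /** Holder for one provider's OAuth2 client details and resource-server properties. */
    static class ClientResources {
        private OAuth2ProtectedResourceDetails client = new AuthorizationCodeResourceDetails();
        private ResourceServerProperties resource = new ResourceServerProperties();

        public OAuth2ProtectedResourceDetails getClient() {
            return client;
        }

        public ResourceServerProperties getResource() {
            return resource;
        }
    }
}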
application.yml:
server:
  port: 8443
  # TLS keystore for the embedded container. The password is redacted here; supply it through an
  # externalized property or environment variable rather than committing it with the file.
  ssl:
    key-store: keystore.p12
    key-store-password: ***
    keyStoreType: PKCS12
    keyAlias: tomcat
spring:
  aop:
    proxy-target-class: true
# Bound to ClientResources via @ConfigurationProperties("ok") in WebSecurityConfiguration;
# publicKey is read separately with @Value("${ok.client.publicKey}").
# clientSecret is a credential — keep it out of version control like the keystore password.
ok:
  client:
    accessTokenUri: https://api.ok.ru/oauth/token.do
    userAuthorizationUri: https://connect.ok.ru/oauth/authorize
    clientId: ***
    clientSecret: ***
    publicKey: ***
    authenticationScheme: query
    clientAuthenticationScheme: form
  resource:
    userInfoUri: https://api.ok.ru/fb.do
# No security.user.* entries are present, which is why Spring Boot generates its default user
# and logs "Using default security password: ..." at startup.
logging:
  file: application.log
  level:
    org.springframework: INFO
答案 0 :(得分:3)
如果您的项目中包含 Spring Security（这里由 @EnableOAuth2Client 引入），并且没有指定用户名和密码，Spring Boot 会为您生成一个默认用户和随机密码（详见参考手册）：
如果 Spring Security 在类路径上，那么 Web 应用程序默认会在所有 HTTP 端点上使用 HTTP Basic 身份验证。要为 Web 应用程序添加方法级安全性，您还可以添加 @EnableGlobalMethodSecurity 并按需设置。更多信息可以在 Spring Security Reference 中找到。
默认的 AuthenticationManager 只有一个用户（用户名为 user）和一个随机密码，该密码在应用程序启动时以 INFO 级别打印出来：
Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
您应该在 application.properties 中设置这些值以避免这种情况（密码应通过外部化配置注入，不要提交到版本库）：
这些键在 application.properties 中如下所示（在 application.yml 中则写成对应的嵌套形式）：
security.user.name=...
security.user.password=...
security.user.role=...