我已经使用Spring Security在Spring Boot Application中实现了身份验证。
控制身份验证的主类应该是websecurityconfig:
@Configuration
@EnableWebSecurity
@PropertySource(value = { "classpath:/config/application.properties" })
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private RestAuthenticationSuccessHandler authenticationSuccessHandler;
@Autowired
private RestAuthenticationEntryPoint restAuthenticationEntryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.csrf().disable()
.sessionManagement().sessionCreationPolicy(
SessionCreationPolicy.STATELESS)
.and()
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint)
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/logout").permitAll()
.antMatchers("/ristore/**").authenticated()
.anyRequest().authenticated()
.and()
.formLogin()
.successHandler(authenticationSuccessHandler)
.failureHandler(new SimpleUrlAuthenticationFailureHandler());
}
由于我正在进行OAuth,因此我也有AuthServerConfig和ResourceServerConfig。我的主要应用程序类如下所示:
@SpringBootApplication
@EnableSpringDataWebSupport
@EntityScan({"org.mdacc.ristore.fm.models"})
public class RistoreWebApplication extends SpringBootServletInitializer
{
@Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurerAdapter() {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**").allowedOrigins("*");
}
};
}
public static void main( String[] args )
{
SpringApplication.run(RistoreWebApplication.class, args);
}
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(RistoreWebApplication.class);
}
}
由于我们正在进行代码整合,因此我们需要暂时关闭身份验证。但是,我尝试了以下方法,似乎没有任何工作。当我点击这些休息时,我仍然得到401.
注释掉与安全相关的所有类别的注释,包括@Configuration,@EnableWebSecurity。在Spring boot Security Disable security中,有人建议在底部添加@EnableWebSecurity将禁用身份验证,我认为没有任何意义。无论如何都试过了,没用。
通过删除所有安全性内容来修改websecurityconfig,并且仅执行此操作
http
.authorizeRequests()
.anyRequest().permitAll();
Disable Basic Authentication while using Spring Security Java configuration。也没帮助。
删除安全自动配置
@EnableAutoConfiguration(exclude = { org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class, org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration.class})
spring-boot-actuator。所以没试试。
禁用弹簧安全的正确方法是什么?
答案 0 :(得分:11)
正如@Maciej Walkowiak所提到的,你应该为你的主要课程做这件事:
@SpringBootApplication(exclude = org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class)
public class MainClass {
答案 1 :(得分:2)
试试这个
1->在安全配置中注释注释@EnableWebSecurity
// @ EnableWebSecurity
2->在安全配置中添加这些行
spring.security.enabled =假
management.security.enabled =假
security.basic.enabled =假
答案 2 :(得分:0)
对我有用的是这个。创建WebFilter和PermitAll请求交换并禁用CSRF。
@Bean
public SecurityWebFilterChain chain(ServerHttpSecurity http, AuthenticationWebFilter webFilter) {
return http.authorizeExchange().anyExchange().permitAll().and()
.csrf().disable()
.build();
}
只需将这段代码放在@SpringBootApplication类中,就可以像魅力一样工作
@SpringBootApplication
public class ConverterApplication {
public static void main(String[] args) {
SpringApplication.run(ConverterApplication.class, args);
}
@Bean
public SecurityWebFilterChain chain(ServerHttpSecurity http, AuthenticationWebFilter webFilter) {
return http.authorizeExchange().anyExchange().permitAll().and()
.csrf().disable()
.build();
}