Property' security.basic.enabled'不推荐使用:安全自动配置不再可自定义

时间:2018-04-08 11:58:01

标签: java spring-boot spring-security

我正在使用 spring-boot-starter-parent 版本 2.0.1.RELEASE 开展 Spring Cloud 项目。

我收到警告,看起来像

  

Property' security.basic.enabled'不推荐使用:安全自动配置不再可自定义。改为提供您自己的WebSecurityConfigurer bean。

安全性:   基本:     enabled:在Spring安全最新版本中禁用false。

请你指导一下我应该用什么?

application.yml 

---
server:
  port: 8888

security:
  basic:
    enabled: false

spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/rseroter/pluralsight-spring-cloudconfig-wa-tolls

          search-paths:
          - 'station*'
          repos:
            perf:
              pattern:
                - '*/perf'
              uri: https://github.com/rseroter/pluralsight-spring-cloudconfig-wa-tolls-perf
              search-paths:
               - 'station*'

的pom.xml 

<parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.1.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
        <spring-cloud.version>Finchley.BUILD-SNAPSHOT</spring-cloud.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-config-server</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

    <repositories>
        <repository>
            <id>spring-snapshots</id>
            <name>Spring Snapshots</name>
            <url>https://repo.spring.io/snapshot</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </repository>
        <repository>
            <id>spring-milestones</id>
            <name>Spring Milestones</name>
            <url>https://repo.spring.io/milestone</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>

enter image description here

这是我的测试课程。

@RunWith(SpringRunner.class)
@SpringBootTest
public class PluralsightSpringcloudM2ConfigserverGitApplicationTests {

    @Test
    public void contextLoads() {
    }

}

enter image description here

与其他问题无关

5 个答案:

答案 0 :(得分:11)

Spring Boot 2.0更改了其自动配置(包括一些属性),现在只需添加自己的WebSecurityConfigurerAdapter就可以退出一个行为。默认配置类似于

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .and()
        .httpBasic();
}

默认情况下配置具有生成密码的单个用户。要自定义此用户,请使用spring.security.user下的属性。

spring.security.user.name=user # Default user name.
spring.security.user.password= # Password for the default user name.
spring.security.user.roles= # Granted roles for the default user name.

从Spring Boot 2开始,以下属性已被删除:

security.basic.authorize-mode
security.basic.enabled
security.basic.path
security.basic.realm
security.enable-csrf
security.headers.cache
security.headers.content-security-policy
security.headers.content-security-policy-mode
security.headers.content-type
security.headers.frame
security.headers.hsts
security.headers.xss
security.ignored
security.require-ssl
security.sessions

替换(如果存在)可以在这里找到:Appendix A. Common application properties

要明确:如果您创建自定义WebSecurityConfigurerAdapter,则默认安全配置将替换为您的自定义配置:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // For example: Use only Http Basic and not form login.
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}

有关更多信息,请访问Spring 2.0 Migration Guide

答案 1 :(得分:4)

如果您使用Spring反应安全,我们需要做这样的事情,

@Bean
  public SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    http.authorizeExchange().anyExchange().permitAll();
    return http.build();
  }

还有另一个stackoverflow帖子,Spring boot 2.0 disable default security

答案 2 :(得分:3)

我会在你的测试课上尝试以下内容:

  

@SpringBootTest(属性= “spring.autoconfigure.exclude = org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration”)

会在测试类的上下文中禁用spring-security的自动配置。

编辑:如果它不限于测试类上下文,则同样适用于:

  

@SpringBootApplication(排除= “org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration”)

或以其他方式,在您的application.yaml中,您可以:

  

spring.autoconfigure.exclude = org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration

答案 3 :(得分:3)

这是因为,当您编写security.basic.enabled = false时,基本上是告诉应用程序我不在乎安全性,并允许所有请求。在Spring Boot 2.0之后,您不能只编写该配置以使该应用程序不安全。您需要编写一些代码来做到这一点。或者,您也可以复制以下内容。

package com.LockheedMartin.F22Simulator;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll();
    }
}

通过这种方式,您应该从application.properties中删除security.basic.enabled = false,因为spring 2.*.*不再理解该属性,并且如果您具有正确的Intellij设置,您应该看到警告{{1 }}。

答案 4 :(得分:2)

这样我就能解决这个问题。不过不确定。我刚刚更正了 application.yml 

---
server:
  port: 8888


spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/rseroter/pluralsight-spring-cloudconfig-wa-tolls

          search-paths:
          - 'station*'
          repos:
            perf:
              pattern:
                - '*/perf'
              uri: https://github.com/rseroter/pluralsight-spring-cloudconfig-wa-tolls-perf
              search-paths:
               - 'station*'
  security:
    user:
      name: test
      password: test

当我访问网址时: http://localhost:8888/s1rates/default ,它询问了我的用户名和密码,我得到了以下结果。

enter image description here

相关问题
最新问题