Try*_*usz 5 java spring spring-security spring-boot
我想禁用安全链中的一个Spring Security过滤器.
我已经看到Prevent Spring Boot注册了一个servlet过滤器问题 - 并且接受应该可以工作,但遗憾的是不行.
使用代码:
@Bean
public FilterRegistrationBean registration(AnonymousAuthenticationFilter filter) {
FilterRegistrationBean registration = new FilterRegistrationBean(filter);
registration.setEnabled(false);
return registration;
}
Spring Boot会及时宣布没有合格的bean,这很难过:
由以下原因引起:org.springframework.beans.factory.NoSuchBeanDefinitionException:找不到类型为[org.springframework.security.web.authentication.AnonymousAuthenticationFilter]的限定bean依赖:预期至少有1个bean可以作为此依赖项的autowire候选者.依赖注释:{}
创建另一个bean之后:
@SuppressWarnings("deprecation") // Oh, there be dragons
@Bean
public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
return new AnonymousAuthenticationFilter();
}
我被攻击了
引起:java.lang.IllegalArgumentException:[断言失败] - 此String参数必须具有长度; 它不能为null或为空
这是完全明白的; Asserts afterPropertiesSet()方法https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/AnonymousAuthenticationFilter.java阻止我使用默认值构造函数.使用另一种方法:
@Bean
public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
// it will be disabled anyway so...
return new AnonymousAuthenticationFilter("_", new Object(), new ArrayList<GrantedAuthority>());
}
一切都更好:
INFO 4916 --- [ost-startStop-1] osbcembedded.FilterRegistrationBean:过滤器anonymousAuthenticationFilter未注册(禁用)
DEBUG 4916 --- [ost-startStop-1] ossecurity.web.FilterChainProxy:初始化过滤器'springSecurityFilterChain'
DEBUG 4916 --- [ost-startStop-1] ossecurity.web.FilterChainProxy:过滤'springSecurityFilterChain'成功配置
但在获得一些资源后我得到了:
DEBUG 4916 --- [nio-8080-exec-3] ossecurity.web.FilterChainProxy:/用户位于附加滤波链中的10位置13; 触发过滤器:'AnonymousAuthenticationFilter'
DEBUG 4916 --- [nio-8080-exec-3] osswaAnonymousAuthenticationFilter:填充带有匿名标记的SecurityContextHolder:'org.springframework.security.authentication.AnonymousAuthenticationToken@90572420:Principal:anonymousUser; 证书:[保护]; 认证:真实; 详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@255f8:RemoteIpAddress:127.0.0.1; SessionId:6B9D974A4634548750FE78C18F62A6B0; 授权机构:ROLE_ANONYMOUS'
由于某种原因,AnonymousAuthenticationFilter仍然有效.问题:有没有办法在Spring Boot应用程序中禁用此类过滤器?
Rob*_*nch 32
Spring Security捆绑了HttpSecurity配置中的所有过滤器.要禁用匿名身份验证,请使用以下命令:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.anonymous().disable()
...
}
...
}
如果要禁用Spring Security中的所有默认值,可以将true传递给父类构造函数以禁用默认值.例如:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public SecurityConfig() {
super(true);
}
...
}
| 归档时间: |
|
| 查看次数: |
12029 次 |
| 最近记录: |