SpringBoot 3: no WebSecurityConfigurerAdapter error

MUH*_*DIN 0 spring-security spring-boot

I am using Spring Boot 3, which has no WebSecurityConfigurerAdapter. The code is below. But .authorizeRequests().antMatchers("/api/auth/**").permitAll(); gives an error. Screenshot attached.

  1. I want to permit "/api/auth/**".

  2. authorizeRequests() seems to be deprecated in Spring Boot 3. Is there any alternative???

  3. @EnableGlobalMethodSecurity(prePostEnabled=true) also seems to be deprecated. Any new solution?

Thanks in advance.

package com.example.tokenAuth.security;

import com.example.tokenAuth.security.jwt.AuthEntryPointJwt;
import com.example.tokenAuth.security.jwt.AuthTokenFilter;
import com.example.tokenAuth.security.services.UserDetailsServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;


@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig 
{
    @Autowired
    UserDetailsServiceImpl userDetailsService; 
    
    @Autowired
    private AuthEntryPointJwt unauthorizedHandler;
    
    @Bean
    public AuthTokenFilter authenticationJwtTokenFilter() 
    {
    return new AuthTokenFilter();
    }    
    
    @Bean
    public DaoAuthenticationProvider authenticationProvider() 
    {
      DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
      authProvider.setUserDetailsService(userDetailsService);
      authProvider.setPasswordEncoder(passwordEncoder());
   
      return authProvider;
    }    
    
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfiguration) throws Exception 
    {
        return authConfiguration.getAuthenticationManager();
    }    
    
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception
    {
        http.cors().and().csrf().disable()
                    .exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
                .and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                    .authorizeHttpRequests((authz) -> authz.anyRequest().permitAll())
                .authorizeRequests().antMatchers("/api/auth/**").permitAll();
//                .antMatchers("/api/test/**").permitAll()
               // .anyRequest().authenticated();
                http.authenticationProvider(authenticationProvider());
        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
                 
        return http.build();
    }
    
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() 
    {
        return (web) -> web.debug(true).ignoring().anyRequest();
    }    

    @Bean
    public PasswordEncoder passwordEncoder() 
    {
            return new BCryptPasswordEncoder();
    }
}

Example taken from: https://www.bezkoder.com/spring-boot-jwt-authentication/

Mar*_*gio 5

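It is recommended to first upgrade to Spring Security 5.8, fix the deprecations, and then upgrade to 6.0.

Please refer to Spring Security's Preparing for 6.0 guide.

  1. antMatchers, mvcMatchers and regexMatchers have been replaced by requestMatchers, see here
  2. authorizeHttpRequests() is the recommended approach since 5.6, see here
  3. @EnableGlobalMethodSecurity has been replaced by @EnableMethodSecurity, see here

All of these changes are also covered in the javadoc deprecation notices of the methods.

Spring Security 6.0.0-RC1 changelog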
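
The three replacements listed in the answer, applied to the question's configuration, as an added example (not code from the original post or from the Spring Security documentation), using the lambda DSL available in Spring Security 5.8 and 6.0. It drops the question's `anyRequest().permitAll()` rule and its `ignoring().anyRequest()` customizer, either of which removes URL-level protection from every endpoint. Assumptions: the question's `AuthEntryPointJwt` implements `AuthenticationEntryPoint` and `AuthTokenFilter` is a servlet filter.

```java
package com.example.tokenAuth.security;

import com.example.tokenAuth.security.jwt.AuthEntryPointJwt;
import com.example.tokenAuth.security.jwt.AuthTokenFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // replaces @EnableGlobalMethodSecurity; prePostEnabled defaults to true
public class WebSecurityConfig {

    // Assumed to implement AuthenticationEntryPoint (class from the question).
    private final AuthEntryPointJwt unauthorizedHandler;

    public WebSecurityConfig(AuthEntryPointJwt unauthorizedHandler) {
        this.unauthorizedHandler = unauthorizedHandler;
    }

    @Bean
    public AuthTokenFilter authenticationJwtTokenFilter() { // filter from the question
        return new AuthTokenFilter();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .cors(Customizer.withDefaults())
            .csrf(csrf -> csrf.disable()) // disabled as in the question
            .exceptionHandling(e -> e.authenticationEntryPoint(unauthorizedHandler))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/api/auth/**").permitAll() // replaces antMatchers
                .anyRequest().authenticated())               // every other URL needs authentication
            .addFilterBefore(authenticationJwtTokenFilter(),
                             UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
    // No WebSecurityCustomizer with ignoring().anyRequest(): it would bypass this chain entirely.
    // The question's PasswordEncoder, DaoAuthenticationProvider and AuthenticationManager
    // beans carry over unchanged and are omitted here.
}
```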