更新到 Spring Security 6.0 - 替换已删除和已弃用的功能以保护请求
nhu*_*uvy 68 java spring spring-security spring-boot
我正在尝试升级到 Spring Boot 3.0.0 和 Spring Security 6.0。
我发现保护请求的方法authorizeRequests()已被弃用。还有方法antMatchers()和@EnableGlobalMethodSecurity注释也已删除。如何升级我的安全配置?
我的代码:
package org.sid.securityservice.config;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
private RsakeysConfig rsakeysConfig;
private PasswordEncoder passwordEncoder;
public SecurityConfig(RsakeysConfig rsakeysConfig, PasswordEncoder passwordEncoder) {
this.rsakeysConfig = rsakeysConfig;
this.passwordEncoder = passwordEncoder;
}
//@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
@Bean
public AuthenticationManager authenticationManager(UserDetailsService userDetailsService){
var authProvider = new DaoAuthenticationProvider();
authProvider.setPasswordEncoder(passwordEncoder);
authProvider.setUserDetailsService(userDetailsService);
return new ProviderManager(authProvider);
}
@Bean
public UserDetailsService inMemoryUserDetailsManager(){
return new InMemoryUserDetailsManager(
User.withUsername("user1").password(passwordEncoder.encode("1234")).authorities("USER").build(),
User.withUsername("user2").password(passwordEncoder.encode("1234")).authorities("USER").build(),
User.withUsername("admin").password(passwordEncoder.encode("1234")).authorities("USER","ADMIN").build()
);
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.csrf(csrf->csrf.disable())
.authorizeRequests(auth->auth.antMatchers("/token/**").permitAll())
.authorizeRequests(auth->auth.anyRequest().authenticated())
.sessionManagement(sess->sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
.httpBasic(Customizer.withDefaults())
.build();
}
@Bean
JwtDecoder jwtDecoder(){
return NimbusJwtDecoder.withPublicKey(rsakeysConfig.publicKey()).build();
}
@Bean
JwtEncoder jwtEncoder(){
JWK jwk= new RSAKey.Builder(rsakeysConfig.publicKey()).privateKey(rsakeysConfig.privateKey()).build();
JWKSource<SecurityContext> jwkSource= new ImmutableJWKSet<>(new JWKSet(jwk));
return new NimbusJwtEncoder(jwkSource);
}
}
这是 IDE 向我展示的内容(删除 authorizeRequests() 并缺少 antMatchers() 以红色突出显示):
Ale*_*nko 151
在 Spring Security 6.0 中,
antMatchers()以及其他用于保护请求的配置方法(即 mvcMatchers() 和 regexMatchers())已从API 中删除。
引入了重载方法requestMatchers()作为保护请求的统一方法。的风格requestMatchers()促进了已删除方法支持的所有限制请求的方式。
还有方法authorizeRequests()authorizeHttpRequests()(您可以在此处找到有关这些更改的更多信息)。
这就是SecurityFilterChainSpring Security 6.0 中的定义方式:
public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.csrf(csrf -> csrf.disable())
.authorizeHttpRequests(auth -> auth
.requestMatchers("/token/**").permitAll()
.anyRequest().authenticated()
)
.sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
.httpBasic(Customizer.withDefaults())
.build();
}
关于已弃用的注释@EnableGlobalMethodSecurity@EnableMethodSecurity. 此更改背后的基本原理是,启用和所需的@EnableMethodSecurity属性默认设置为。prePostEnabled@PreAuthorize/@PostAuthorize@PreFilter/@PostFiltertrue
所以你不再需要编写prePostEnabled = true,只需用注释你的配置类@EnableMethodSecurity就足够了。
- @AlexanderIvanchenko - 这条线似乎不起作用 - > `.requestMatchers("/token/**").permitAll()`。升级到Spring 6.0时,`/token/**`路径需要认证。是否还需要添加其他内容才能允许“permitAll”?谢谢! (4认同)
| 归档时间: |
|
| 查看次数: |
120186 次 |
| 最近记录: |