更新到最新的 Spring Security - 替换已弃用的方法

Question

我正在尝试删除下面已弃用的方法（csrf（），authorizeHttpRequests（），sessionManagement（））。我该如何编写这段代码呢？

这是代码：

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.csrf().disable()
                .authorizeHttpRequests()
                .requestMatchers("/api/**", "/signup/", "/signin/").permitAll()
                .and()
                .authorizeHttpRequests().requestMatchers("/api/search/", "/api/profile/", "/signout/").authenticated()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authenticationProvider(authenticationProvider())
                .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class).build();
                //telling spring boot to use my own class JwtAuthFilter first before using your filter with username and password

    }

IDE 正在为 csrf()、authorizeHttpRequests()、sessionManagement() 生成错误

• 我可以删除csrf吗？我有一个前端 React 应用程序与我的 Spring Boot 后端连接。
• 我可以使用authorizeRequests()代替authorizeHttpRequests()吗
• 我应该使用什么来代替 sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

Answer 1

你的 SecurityFilterChain Bean 看起来像这样：

  @Bean
  public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.csrf(AbstractHttpConfigurer::disable);
    http.authorizeHttpRequests(rQ -> {
           rQ.requestMatchers("/api/**", "/signup/", "/signin/").permitAll();
           rQ.requestMatchers("/api/search/", "/api/profile/", "/signout/").authenticated();
         });
    http.sessionManagement(sessionAuthenticationStrategy ->
        sessionAuthenticationStrategy.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    http.authenticationProvider(authenticationProvider());
    http.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
    return http.build();
  }

迁移指南