問(wèn)題
springcloud 版本 為 Finchley.RELEASE
springboot 版本為 2.0.3.RELEASE
現(xiàn)在有需求,/swagger-ui.html 頁(yè)面需要添加登錄認(rèn)證,但是本來(lái)的接口不需要登錄認(rèn)證
升級(jí)springboot之前的做法是直接在application.yml 文件中添加以下配置:
升級(jí)后這種配置就出錯(cuò)了,連編譯都出錯(cuò),如下圖:
解決過(guò)程
查找源代碼,找到如下:
來(lái)自:https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.0-Migration-Guide
Security
Spring Boot 2 greatly simplifies the default security configuration and makes adding custom security easy. Rather than having several security-related auto-configurations, Spring Boot now has a single behavior that backs off as soon as you add your own WebSecurityConfigurerAdapter.You are affected if you were using any of the following properties:
security.basic.authorize-mode
security.basic.enabled
security.basic.path
security.basic.realm
security.enable-csrf
security.headers.cache
security.headers.content-security-policy
security.headers.content-security-policy-mode
security.headers.content-type
security.headers.frame
security.headers.hsts
security.headers.xss
security.ignored
security.require-ssl
security.sessions
翻譯:Spring Boot 2極大地簡(jiǎn)化了默認(rèn)的安全配置,并使添加定制安全性變得更加容易。Spring Boot并沒(méi)有使用幾個(gè)與安全相關(guān)的自動(dòng)配置,而是在添加自己的WebSecurityConfigurerAdapter時(shí)就有了一個(gè)單獨(dú)的行為。如果您使用以下屬性,您將受到影響
再找到:https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-Security-2.0
Security Auto-configuration
Spring Boot 2.0 does not provide separate auto-configuration for user-defined endpoints and actuator endpoints. When Spring Security is on the classpath, the auto-configuration secures all endpoints by default. It adds the @EnableWebSecurity annotation and relies on Spring Security's content-negotiation strategy to determine whether to use httpBasic or formLogin. A user with a a default username and generated password is added, which can be used to login.
翻譯:Spring Boot 2.0沒(méi)有為用戶(hù)定義的端點(diǎn)和執(zhí)行器端點(diǎn)提供單獨(dú)的自動(dòng)配置。當(dāng)Spring Security在類(lèi)路徑上時(shí),自動(dòng)配置默認(rèn)為所有端點(diǎn)。它添加了@EnableWebSecurity 注釋?zhuān)⒁蕾?lài)于Spring Security的內(nèi)容協(xié)商策略來(lái)決定是否使用httpBasic或formLogin。添加了一個(gè)默認(rèn)用戶(hù)名和生成密碼的用戶(hù),這可以用來(lái)登錄。
解決
對(duì)于不同的URL,安全性是不同的,關(guān)鍵在于重載WebSecurityConfigurerAdapter 類(lèi)的configure(HttpSecurity) 方法。具體可以參考以上的兩個(gè)鏈接
我的完整實(shí)現(xiàn)如下:
1、pom.xml 中添加依賴(lài):
|
1
2
3
4
|
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId></dependency> |
2、application.yml 文件中配置登錄用戶(hù)名和密碼(如果只到這里,那么所有的請(qǐng)求都會(huì)被攔截)
|
1
2
3
4
5
|
spring: security: user: name: admin password: admin |
3、添加自定義的配置類(lèi),注解@Configuration @EnableWebSecurity
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
import org.springframework.context.annotation.Configuration;import org.springframework.security.config.annotation.web.builders.HttpSecurity;import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;/** * @author jiashubing * @since 2018/7/16 */@Configuration@EnableWebSecuritypublic class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() //普通的接口不需要校驗(yàn) .antMatchers("/courseApi/**").permitAll() // swagger頁(yè)面需要添加登錄校驗(yàn) .antMatchers("/swagger-ui.html").authenticated() .and() .formLogin(); }} |
當(dāng)然也可以配置成需要某個(gè)角色的用戶(hù)才能查看某些URL
以上就是本文的全部?jī)?nèi)容,希望對(duì)大家的學(xué)習(xí)有所幫助,也希望大家多多支持服務(wù)器之家。
原文鏈接:https://www.cnblogs.com/acm-bingzi/p/springboot-security.html
