在使用SpringBoot2.7
或者SpringSecurity5.7
以上版本时,会提示:
在 Spring Security 5.7.0-M2 中,我们弃用了
WebSecurityConfigurerAdapter
,因为我们鼓励用户转向基于组件的安全配置。
所以之前那种通过继承WebSecurityConfigurerAdapter
的方式的配置组件是不行的。
同时也会遇到很多问题,例如:
在向SpringSecurity过滤器链中添加过滤器时(例如:JWT支持,第三方验证),我们需要注入AuthenticationManager
对象等问题。
故在此记录一下SpringSecurity的一些基础配置项:
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
}
@Bean
public ReloadableResourceBundleMessageSource messageSource() {
ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
// 设置中文配置
messageSource.setBasename("classpath:org/springframework/security/messages_zh_CN");
return messageSource;
}
@Bean
@ConditionalOnMissingBean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@ConditionalOnMissingBean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
// Remove the ROLE_ prefix
return new GrantedAuthorityDefaults("");
}
/**
* 认证管理器,登录的时候参数会传给 authenticationManager
*/
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
import com.example.websocket.chat.security.filer.CustomUsernamePasswordAuthenticationFilter;
import com.example.websocket.chat.security.filer.JwtAuthenticationFilter;
import com.example.websocket.chat.security.handler.*;
import com.example.websocket.chat.security.service.JwtStoreService;
import com.example.websocket.chat.security.service.impl.UserDetailsServiceImpl;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import javax.annotation.Resource;
/**
* @author zhong
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SpringSecurityConfig {
@Resource
private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;
@Resource
private CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
@Resource
private CustomAuthenticationEntryPoint customAuthenticationEntryPoint;
@Resource
private CustomLogoutHandler customLogoutHandler;
@Resource
private CustomLogoutSuccessHandler customLogoutSuccessHandler;
@Resource
private CustomAccessDeniedHandler customAccessDeniedHandler;
@Resource
private SecurityProperties securityProperties;
@Resource
private JwtStoreService jwtStoreService;
@Resource
private UserDetailsServiceImpl userDetailsService;
@Resource
private AuthenticationConfiguration authenticationConfiguration;
/**
* 静态文件放行
*/
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers(securityProperties.getStaticPaths());
}
/**
* 取消ROLE_前缀
*/
@Bean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
// Remove the ROLE_ prefix
return new GrantedAuthorityDefaults("");
}
/**
* 设置密码编码器
*/
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
/**
* 设置中文配置
*/
@Bean
public ReloadableResourceBundleMessageSource messageSource() {
ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
messageSource.setBasename("classpath:org/springframework/security/messages_zh_CN");
return messageSource;
}
/**
* 认证管理器,登录的时候参数会传给 authenticationManager
*/
@Bean
public AuthenticationManager authenticationManager() throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
/**
* 设置默认认证提供
*/
@Bean
public DaoAuthenticationProvider daoAuthenticationProvider() {
final DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}
/**
* 安全配置
*/
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationConfiguration authenticationConfiguration) throws Exception {
// 表单
http.formLogin()
// 登录成功处理器
.successHandler(customAuthenticationSuccessHandler)
// 登录错误处理器
.failureHandler(customAuthenticationFailureHandler)
.and()
//添加登录逻辑拦截器,不使用默认的UsernamePasswordAuthenticationFilter
.addFilterBefore(
new CustomUsernamePasswordAuthenticationFilter(
authenticationManager(),
customAuthenticationSuccessHandler,
customAuthenticationFailureHandler
)
, UsernamePasswordAuthenticationFilter.class)
//添加token验证过滤器
.addFilterBefore(new JwtAuthenticationFilter(jwtStoreService), LogoutFilter.class);
//退出
http
.logout()
// URL
.logoutUrl("/user/logout")
// 登出处理
.addLogoutHandler(customLogoutHandler)
// 登出成功处理
.logoutSuccessHandler(customLogoutSuccessHandler);
//拦截设置
http
.authorizeRequests()
//公开以下urls
.antMatchers(securityProperties.getPublicPaths()).permitAll()
//其他路径必须验证
.anyRequest().authenticated();
//异常处理
http
.exceptionHandling()
// 未登录处理
.authenticationEntryPoint(customAuthenticationEntryPoint)
// 无权限处理
.accessDeniedHandler(customAccessDeniedHandler);
//关闭session
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 关闭cors
http.cors().disable();
// 关闭csrf
http.csrf().disable();
// 关闭headers
http.headers().frameOptions().disable();
return http.build();
}
}