新版SpringSecurity配置（SpringBoot＞2.7&SpringSecurity＞5.7）

spring boot java spring spring security 2023-09-21 05:09:50 470人浏览安东尼

摘要

新版springSecurityConfig 在使用SpringBoot2.7或者SpringSecurity5.7以上版本时，会提示：在 Spring Security 5.7.0-M2 中，

新版springSecurityConfig

在使用SpringBoot2.7或者SpringSecurity5.7以上版本时，会提示：

在 Spring Security 5.7.0-M2 中，我们弃用了WEBSecurityConfigurerAdapter，因为我们鼓励用户转向基于组件的安全配置。

所以之前那种通过继承WebSecurityConfigurerAdapter的方式的配置组件是不行的。

同时也会遇到很多问题，例如：

在向SpringSecurity过滤器链中添加过滤器时（例如：Jwt支持，第三方验证），我们需要注入AuthenticationManager对象等问题。

故在此记录一下SpringSecurity的一些基础配置项：

1 网络安全配置，忽略部分路径（如静态文件路径）

@Beanpublic WebSecurityCustomizer webSecurityCustomizer() {     return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");}

2 设置中文配置

@Beanpublic ReloadableResourceBundleMessageSource messageSource() {    ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();    // 设置中文配置    messageSource.setBasename("classpath:org/springframework/security/messages_zh_CN");    return messageSource;}

3 设置密码编码器

@Bean@ConditionalOnMissingBeanpublic PassWordEncoder passwordEncoder() {    return new BCryptPasswordEncoder();}

4 取消ROLE_ prefix

@Bean@ConditionalOnMissingBeanpublic GrantedAuthorityDefaults grantedAuthorityDefaults() {    // Remove the ROLE_ prefix    return new GrantedAuthorityDefaults("");}

5 暴露本地认证管理器（AuthenticationManager）

@Bean(name = BeanIds.AUTHENTICATION_MANAGER)public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {    return authenticationConfiguration.getAuthenticationManager();}

6 其他配置

import com.example.websocket.chat.security.filer.CustomUsernamePasswordAuthenticationFilter;import com.example.webSocket.chat.security.filer.JwtAuthenticationFilter;import com.example.websocket.chat.security.handler.*;import com.example.websocket.chat.security.service.JwtStoreService;import com.example.websocket.chat.security.service.impl.UserDetailsServiceImpl;import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.context.annotation.Lazy;import org.springframework.context.support.ReloadableResourceBundleMessageSource;import org.springframework.security.authentication.AuthenticationManager;import org.springframework.security.authentication.dao.DaoAuthenticationProvider;import org.springframework.security.config.BeanIds;import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;import org.springframework.security.config.annotation.web.builders.httpsecurity;import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;import org.springframework.security.config.core.GrantedAuthorityDefaults;import org.springframework.security.config.Http.SessionCreationPolicy;import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;import org.springframework.security.crypto.password.PasswordEncoder;import org.springframework.security.web.SecurityFilterChain;import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;import org.springframework.security.web.authentication.loGout.LogoutFilter;import javax.annotation.Resource;@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(securedEnabled = true)public class SpringSecurityConfig {    @Resource    private CustomAuthenticationSuccesshandler customAuthenticationSuccessHandler;    @Resource    private CustomAuthenticationFailureHandler customAuthenticationFailureHandler;    @Resource    private CustomAuthenticationEntryPoint customAuthenticationEntryPoint;    @Resource    private CustomLogoutHandler customLogoutHandler;    @Resource    private CustomLogoutSuccessHandler customLogoutSuccessHandler;    @Resource    private CustoMaccessDeniedHandler customAccessDeniedHandler;    @Resource    private SecurityProperties securityProperties;    @Resource    private JwtStoreService jwtStoreService;    @Resource    private UserDetailsServiceImpl userDetailsService;    @Resource    private AuthenticationConfiguration authenticationConfiguration;        @Bean    public WebSecurityCustomizer webSecurityCustomizer() {        return (web) -> web.ignoring().antMatchers(securityProperties.getStaticPaths());    }        @Bean    public GrantedAuthorityDefaults grantedAuthorityDefaults() {        // Remove the ROLE_ prefix        return new GrantedAuthorityDefaults("");    }        @Bean    public PasswordEncoder passwordEncoder() {        return new BCryptPasswordEncoder();    }        @Bean    public ReloadableResourceBundleMessageSource messageSource() {        ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();        messageSource.setBasename("classpath:org/springframework/security/messages_zh_CN");        return messageSource;    }        @Bean    public AuthenticationManager authenticationManager() throws Exception {        return authenticationConfiguration.getAuthenticationManager();    }        @Bean    public DaoAuthenticationProvider daoAuthenticationProvider() {        final DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();        authenticationProvider.setUserDetailsService(userDetailsService);        authenticationProvider.setPasswordEncoder(passwordEncoder());        return authenticationProvider;    }        @Bean    public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationConfiguration authenticationConfiguration) throws Exception {        // 表单        http.fORMLogin()                // 登录成功处理器                .successHandler(customAuthenticationSuccessHandler)                // 登录错误处理器                .failureHandler(customAuthenticationFailureHandler)                .and()                //添加登录逻辑拦截器，不使用默认的UsernamePasswordAuthenticationFilter                .addFilterBefore(                        new CustomUsernamePasswordAuthenticationFilter(    authenticationManager(),    customAuthenticationSuccessHandler,    customAuthenticationFailureHandler                        )                        , UsernamePasswordAuthenticationFilter.class)                //添加token验证过滤器                .addFilterBefore(new JwtAuthenticationFilter(jwtStoreService), LogoutFilter.class);        //退出        http                .logout()                // URL                .logoutUrl("/user/logout")                // 登出处理                .addLogoutHandler(customLogoutHandler)                // 登出成功处理                .logoutSuccessHandler(customLogoutSuccessHandler);        //拦截设置        http                .authorizeRequests()                //公开以下urls                .antMatchers(securityProperties.getPublicPaths()).permitAll()                //其他路径必须验证                .anyRequest().authenticated();        //异常处理        http                .exceptionHandling()                // 未登录处理                .authenticationEntryPoint(customAuthenticationEntryPoint)                // 无权限处理                .accessDeniedHandler(customAccessDeniedHandler);        //关闭session        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);        // 关闭cors        http.cors().disable();        // 关闭csrf        http.csrf().disable();        // 关闭headers        http.headers().frameOptions().disable();        return http.build();    }}