标签:验证 技术 nbsp with missing 安全设置 The mis throws
Spring Boot 2.x极大简化了默认的安全配置,并不是说有很多安全相关的配置,现在你只需要提供一个WebSecurityConfigurerAdapter继承类这样一个简单的操作,Spring Boot就可以规避很多安全问题。
Actuator 不再有各自单独的安全配置(management.security.*配置已被取消),每个endpoint的sensitive 标志也会被取消,这样使得安全配置更加明确了。
比如说:你有如下配置
endpoints:
info:
sensitive: false
mappings:
sensitive: true
management:
security:
roles: MY_ADMIN
now,you can do it like this:
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; /** * name: TestWebSecurityConfigureAdapter * * @author aboruo * @Description an example on adding our custom WebSecurityConfigurerAdapter * @Date create in 2019/9/9 20:50. */ @EnableWebSecurity public class TestWebSecurityConfigureAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable().authorizeRequests() .antMatchers("/actuator/health","/actuator/info") .permitAll() .antMatchers("/actuator/**") .hasRole("MY_ADMIN") .and().httpBasic(); } }
请注意,在2.x中,默认情况下 health 和info 是可以被访问的,(默认情况下 health 的详细信息不能被访问显示)。 为了与这些新的默认值保持一致,health 已被添加到首要的mather中。
Spring boot 2.x 不引入Spring Security时,endpoint实现(未完待续)
1. 先在spring-boot-autoconfigure的spring.factories文件找到autoconfiguration类
查看此类
/** * {@link EnableAutoConfiguration Auto-configuration} for Spring Security. * * @author Dave Syer * @author Andy Wilkinson * @author Madhura Bhave * @since 1.0.0 */ @Configuration @ConditionalOnClass(DefaultAuthenticationEventPublisher.class) @EnableConfigurationProperties(SecurityProperties.class) @Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class }) public class SecurityAutoConfiguration { @Bean @ConditionalOnMissingBean(AuthenticationEventPublisher.class) public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) { return new DefaultAuthenticationEventPublisher(publisher); } }
DefaultAuthenticationEventPublisher: 默认使用的权限授权事件publisher
SecurityProperties: 安全设置相关属性配置文件,以:spring.security开头
通过 SecurityAutoConfiguration 又引入了几个关键的配置类
① SpringBootWebSecurityConfiguration
/** * The default configuration for web security. It relies on Spring Security‘s * content-negotiation strategy to determine what sort of authentication to use. If the * user specifies their own {@link WebSecurityConfigurerAdapter}, this will back-off * completely and the users should specify all the bits that they want to configure as * part of the custom security configuration. * * @author Madhura Bhave * @since 2.0.0 */ @Configuration @ConditionalOnClass(WebSecurityConfigurerAdapter.class) @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class) @ConditionalOnWebApplication(type = Type.SERVLET) public class SpringBootWebSecurityConfiguration { @Configuration @Order(SecurityProperties.BASIC_AUTH_ORDER) static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter { } }
这是spring boot 默认的安全配置类,它依赖于Spring安全的*内容协商策略来确定使用哪种身份验证。通过代码,我们可以看到:
② WebSecurityEnablerConfiguration
这是一个确认配置类,顾名思义:当applicationContext中存在WebSecurityConfigureAdapter类型的bean时,它才会生效,它的职责是这类bean加@EnableWebSecurity注解。
/** * If there is a bean of type WebSecurityConfigurerAdapter, this adds the * {@link EnableWebSecurity} annotation. This will make sure that the annotation is * present with default security auto-configuration and also if the user adds custom * security and forgets to add the annotation. If {@link EnableWebSecurity} has already * been added or if a bean with name {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has * been configured by the user, this will back-off. * * @author Madhura Bhave * @since 2.0.0 */ @Configuration @ConditionalOnBean(WebSecurityConfigurerAdapter.class) @ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN) @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET) @EnableWebSecurity public class WebSecurityEnablerConfiguration { }
③ SecurityDataConfiguration
当应用环境中存在SecurityEvaluationContextExtension类时,自动添加带有Spring Data 的 spring security 集成。
/** * Automatically adds Spring Security‘s integration with Spring Data. * * @author Rob Winch * @since 1.3.0 */ @Configuration @ConditionalOnClass(SecurityEvaluationContextExtension.class) public class SecurityDataConfiguration { @Bean @ConditionalOnMissingBean public SecurityEvaluationContextExtension securityEvaluationContextExtension() { return new SecurityEvaluationContextExtension(); } }
后续我们会对
SecurityRequestMatcherProviderAutoConfiguration
UserDetailsServiceAutoConfiguration
SecurityFilterAutoConfiguration
OAuth2ClientAutoConfiguration
OAuth2ResourceServerAutoConfiguration
这几个类逐一进行介绍,从而来了解它的工作原理。漫谈Spring Security 在Spring Boot 2.x endpoints中的应用(一)
标签:验证 技术 nbsp with missing 安全设置 The mis throws
原文地址:https://www.cnblogs.com/aboruo/p/11494505.html
