How to replace the deprecated WebSecurityConfigurerAdapter with multiple filters wrapped by security?

Posted on 2025-02-10 19:36:41

I'm using Spring Boot 2.7.0 and want to remove the deprecated WebSecurityConfigurerAdapter. I have multiple configs which use one or more (different) filters. I want to update the configs so they don't use the deprecated WebSecurityConfigurerAdapter anymore, like it is done in the official Spring docs: https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

After changing the config (like done in the docs) the filters don't get called anymore.

This is my config now:

@EnableWebSecurity
@Configuration
public class TestConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // Scope this configuration to /api/path/** only
        http.antMatcher("/api/path/**")
            .authorizeRequests()
                .regexMatchers(API_BASE_REGEX + "/ping").permitAll()
                .regexMatchers(API_BASE_REGEX + "/registrations").hasAnyAuthority(TestFilter.ROLE_USER, TestFilter.ROLE_USER_INACTIVE)
                .anyRequest().hasAuthority(TestFilter.ROLE_USER)
                .and()
            // Place TestFilter after the pre-authentication filter position
            .addFilterAfter(new TestFilter(), AbstractPreAuthenticatedProcessingFilter.class)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

Filter example:

public class TestFilter extends OncePerRequestFilter {
    public static final String ROLE_USER = "TESTUSER";
    public static final String ROLE_USER_INACTIVE = "TESTUSER_INACTIVE";

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

        // ... (internal logic)

        filterChain.doFilter(request, response);
    }

}

How the config turns out after following the docs:

@EnableWebSecurity
@Configuration
public class TestConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        // Scope this chain to /api/path/** only
        http.antMatcher("/api/path/**")
            .authorizeRequests()
                .regexMatchers(API_BASE_REGEX + "/ping").permitAll()
                .regexMatchers(API_BASE_REGEX + "/registrations").hasAnyAuthority(TestFilter.ROLE_USER, TestFilter.ROLE_USER_INACTIVE)
                .anyRequest().hasAuthority(TestFilter.ROLE_USER)
                .and()
            // Place TestFilter after the pre-authentication filter position
            .addFilterAfter(new TestFilter(), AbstractPreAuthenticatedProcessingFilter.class)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        return http.build();
    }
}


Comments (1)

汹涌人海 2025-02-17 19:36:41

According to documentation at: https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

You need to use the filterChain bean like this:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        // Scope this chain to /api/path/** only
        .antMatcher("/api/path/**")
        .authorizeHttpRequests((authz) -> authz
            .regexMatchers(API_BASE_REGEX + "/ping").permitAll()
            .regexMatchers(API_BASE_REGEX + "/registrations").hasAnyAuthority(TestFilter.ROLE_USER, TestFilter.ROLE_USER_INACTIVE)
            .anyRequest().hasAuthority(TestFilter.ROLE_USER)
        )
        // Filters and session settings are configured on HttpSecurity, outside the authz lambda
        .addFilterAfter(new TestFilter(), AbstractPreAuthenticatedProcessingFilter.class)
        .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .httpBasic(withDefaults()); // static import of Customizer.withDefaults
    return http.build();
}

You can add the ".antMatcher", ".regexMatcher", etc. with the 'authz' call.
Afterwards you can configure login and logout etc. as usual.

Or am I misunderstanding something? After all you posted the same documentation--

PS: I'm new to this formatting, so the code sample might have some problems.
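
An added example (not code from the question or the answer) of how several path-scoped configurations can be written as separate SecurityFilterChain beans in Spring Security 5.7, each registering its own filter instance. It reuses TestFilter from the question; the API_BASE_REGEX value and the /api/other/** path are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// debug = true logs which chain and filters handle each request; development only,
// because the output includes request details.
@EnableWebSecurity(debug = true)
@Configuration
public class MultiChainConfig {

    // Assumed placeholder: the page does not show the value of API_BASE_REGEX.
    private static final String API_BASE_REGEX = "/api/path";

    @Bean
    @Order(1) // chains are consulted in ascending order; the first match wins
    public SecurityFilterChain apiPathChain(HttpSecurity http) throws Exception {
        http.antMatcher("/api/path/**") // this chain handles only /api/path/**
            .authorizeRequests(authz -> authz
                .regexMatchers(API_BASE_REGEX + "/ping").permitAll()
                .regexMatchers(API_BASE_REGEX + "/registrations")
                    .hasAnyAuthority(TestFilter.ROLE_USER, TestFilter.ROLE_USER_INACTIVE)
                .anyRequest().hasAuthority(TestFilter.ROLE_USER))
            .addFilterAfter(new TestFilter(), AbstractPreAuthenticatedProcessingFilter.class)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    @Bean
    @Order(2)
    public SecurityFilterChain otherChain(HttpSecurity http) throws Exception {
        http.antMatcher("/api/other/**") // hypothetical second path
            .authorizeRequests(authz -> authz.anyRequest().hasAuthority(TestFilter.ROLE_USER))
            // a different filter class can be registered here instead of TestFilter
            .addFilterAfter(new TestFilter(), AbstractPreAuthenticatedProcessingFilter.class)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}
```

A chain without a request matcher matches every request, so any such catch-all chain needs the highest @Order value; otherwise the scoped chains after it, and their filters, are never reached.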
