春季安全非常简单的基本身份验证
我尝试使用Spring Boot实现非常简单的基本身份验证,而没有弃用的WebSecurityConfigurerAdapter。
@Configuration
public class SecurityConfig {
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/a", "/b", "/c", "/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html");
}
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authz) -> authz
.anyRequest().authenticated()
)
.httpBasic();
return http.build();
}
@Bean
public InMemoryUserDetailsManager userDetailsService() {
UserDetails user = User.builder()
.username("user")
.password("{bcrypt}$2y$10$rUzpfbTx9lcIs6N4Elcg2e2DGM4wMwkx0ixom7qLW5kYnztRgT.a2")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}
忽略的端点工作(带有警告:您要求弹簧安全忽略Ant [pattern ='/swagger-ui.html']。不建议这样做 - 请通过httpsecurity#perureizizehttprequests使用许可证。代码>)。另一方面,我得到了HTTP 403。
我做错了什么?
I've tried to implement a very simple BASIC authentication with Spring Boot, without the deprecated WebSecurityConfigurerAdapter.
@Configuration
public class SecurityConfig {
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/a", "/b", "/c", "/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html");
}
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authz) -> authz
.anyRequest().authenticated()
)
.httpBasic();
return http.build();
}
@Bean
public InMemoryUserDetailsManager userDetailsService() {
UserDetails user = User.builder()
.username("user")
.password("{bcrypt}$2y$10$rUzpfbTx9lcIs6N4Elcg2e2DGM4wMwkx0ixom7qLW5kYnztRgT.a2")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}
The ignored endpoints work (with a warning: You are asking Spring Security to ignore Ant [pattern='/swagger-ui.html']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.). For the other, I get an HTTP 403.
What have I done wrong?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您执行发布请求,则可以是CSRF保护。添加
logging.level.org.springframework.security = trace在您的application.properties文件中,并在提出请求后查看正在发生的事情后查看控制台输出。如果是CSRF保护,我建议您将其启用,除非您有要求告诉您禁用它。您可以拥有有关跨站点请求伪造的更多详细信息 >。
另外,如果要在密码中使用
{bcrypt}前缀,请使用password> passwordEncoderFactories.CreatedEledelegatingPasswordEncoder。如果您只想使用bcryptpasswordencoder,则必须删除{bcrypt}prefixIf you are doing POST request, it can be the CSRF protection. Add
logging.level.org.springframework.security=TRACEin yourapplication.propertiesfile and see the console output after the request is made to see what is happening.If it is CSRF protection, I recommend you leave it enabled unless you have a requirement that tells you to disable it. You can have more details about Cross Site Request Forgery here.
Also, if you want to use the
{bcrypt}prefix in your password, use thePasswordEncoderFactories.createDelegatingPasswordEncoder. If you want to use only theBCryptPasswordEncoderthen you have to remove the{bcrypt}prefix