在这篇简短的文章中,我想分享如何摆脱在带有Spring Security的基于Spring的应用程序中的“WebSecurityConfigurerAdapter类型已被弃用”的警告。也许你习惯于有一个Spring配置类来扩展WebSecurityConfigurerAdapter抽象类,如下所示:这对于Spring Security版本5.6.5或更早版本,或者Spring Boot版本2.6.8或更早版本很好。但是,如果您的项目使用 Spring Security 5.7.1 或更高版本,或者 Spring Boot 2.7.0 或更高版本,您将在 IDE 中收到以下警告:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// configure HTTP security...
}
@Override
public void configure(WebSecurity web) throws Exception {
// configure Web security...
}
}
|
WebSecurityConfigurerAdapter 类型已弃用
那么,为什么Spring Security不推荐使用WebSecurityConfigurerAdapter呢?,还有什么替代方案呢?这是因为Spring框架的开发人员鼓励用户转向基于组件的安全配置。因此,与其像旧方式那样扩展WebSecurityConfigurerAdapter并覆盖用于配置 HttpSecurity 和 WebSecurity 的方法 - 现在您声明两个类型为SecurityFilterChain和WebSecurityCustomizer的 bean,如下所示:供您参考,下面是将安全配置迁移到基于组件的方法的代码示例。首先,让我们看一下使用 WebSecurityConfigurerAdapter 的典型安全配置类,如下所示:下面是一个替代方案,没有WebSecurityConfigurerAdapter:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
@Configuration
public class SecurityConfiguration {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
}
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
}
}
|
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public UserDetailsService userDetailsService() {
return new ShopmeUserDetailsService();
}
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/login").permitAll()
.antMatchers("/users/**", "/settings/**").hasAuthority("Admin")
.hasAnyAuthority("Admin", "Editor", "Salesperson")
.hasAnyAuthority("Admin", "Editor", "Salesperson", "Shipper")
.anyRequest().authenticated()
.and().formLogin()
.loginPage("/login")
.usernameParameter("email")
.permitAll()
.and()
.rememberMe().key("AbcdEfghIjklmNopQrsTuvXyz_0123456789")
.and()
.logout().permitAll();
http.headers().frameOptions().sameOrigin();
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/images/**", "/js/**", "/webjars/**");
}
}
|
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
package net.codejava;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
public class SecurityConfiguration {
@Bean
public UserDetailsService userDetailsService() {
return new ShopmeUserDetailsService();
}
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/login").permitAll()
.antMatchers("/users/**", "/settings/**").hasAuthority("Admin")
.hasAnyAuthority("Admin", "Editor", "Salesperson")
.hasAnyAuthority("Admin", "Editor", "Salesperson", "Shipper")
.anyRequest().authenticated()
.and().formLogin()
.loginPage("/login")
.usernameParameter("email")
.permitAll()
.and()
.rememberMe().key("AbcdEfghIjklmNopQrsTuvXyz_0123456789")
.and()
.logout().permitAll();
http.headers().frameOptions().sameOrigin();
return http.build();
}
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/images/**", "/js/**", "/webjars/**");
}
}
|
如果您需要公开AuthenticationManager 类型的 Bean,您可以输入以下代码:
|
1
2
3
4
5
|
@Bean
public AuthenticationManager authenticationManager(
AuthenticationConfiguration authConfig) throws Exception {
return authConfig.getAuthenticationManager();
}
|
如果您需要公开 AuthenticationProvider 类型的 Bean,例如DaoAuthenticationProvider,请使用以下代码:并在SecurityFilterChain的代码中为 HttpSecurity 指定此身份验证提供程序,如下所示:这就是在具有 Spring 安全性的基于 Spring 的应用程序中删除警告“WebSecurityConfigurerAdapter 已弃用”的警告的方法。您需要声明SecurityFilterChain和 WebSecurityCustomizer bean,而不是覆盖WebSecurityConfigurerAdapter类的方法。注意:如果您不想更改当前代码,则应保持 Spring 引导版本低于 2.7.0 或 Spring Security 版本低于 5.7.1。我希望这篇文章对您有所帮助。感谢您的阅读。参考:没有 WebSecurityConfigurerAdapter 的 Spring 安全性
|
1
2
3
4
5
6
7
8
9
|
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(userDetailsService());
authProvider.setPasswordEncoder(passwordEncoder());
return authProvider;
}
|
|
1
|
http.authenticationProvider(authenticationProvider());
|