Java 在 Spring Boot 应用程序中禁用 Spring Security
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/36280181/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
disabling spring security in spring boot app
提问by jayjaypg22
I have a spring boot web app with spring security configured. I want to disable authentication for a while (until needed).
我有一个配置了 Spring Security 的 Spring Boot Web 应用程序。我想暂时禁用身份验证(直到需要)。
I add this to the application.properties:
我将此添加到application.properties:
security.basic.enable: false
management.security.enabled: false
Here is some part of my
这是我的一部分
But I still have a basic security included : There is a default security password generated at startup and I am still getting HTTP Authentication prompt box.
但我仍然有一个基本的安全性:启动时生成了一个默认的安全密码,我仍然收到 HTTP 身份验证提示框。
My pom.xml :
我的 pom.xml :
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>fr.test.sample</groupId>
<artifactId>navigo</artifactId>
<version>1.0.0-SNAPSHOT</version>
<!-- Inherit defaults from Spring Boot -->
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.3.1.RELEASE</version>
</parent>
<properties>
<java.version>1.7</java.version>
<jsoup.version>1.8.3</jsoup.version>
<guava.version>18.0</guava.version>
<postgresql.version>9.3-1103-jdbc41</postgresql.version>
</properties>
<!-- Add typical dependencies for a web application -->
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-mail</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
</dependency>
<dependency>
<groupId>org.apache.velocity</groupId>
<artifactId>velocity</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>${jsoup.version}</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>${guava.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
</dependency>
</dependencies>
<!-- Package as an executable jar -->
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
<!-- Add Spring repositories -->
<!-- (you don't need this if you are using a .RELEASE version) -->
<repositories>
<repository>
<id>spring-snapshots</id>
<url>http://repo.spring.io/snapshot</url>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
<repository>
<id>spring-milestones</id>
<url>http://repo.spring.io/milestone</url>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>spring-snapshots</id>
<url>http://repo.spring.io/snapshot</url>
</pluginRepository>
<pluginRepository>
<id>spring-milestones</id>
<url>http://repo.spring.io/milestone</url>
</pluginRepository>
</pluginRepositories>
</project>
The security is configured in WebSecurityConfig.java (I have commented the annotation to disable it) :
安全性在 WebSecurityConfig.java 中配置(我已经注释了禁用它的注释):
//@Configuration
//@EnableWebSecurity
//@EnableGlobalMethodSecurity(prePostEnabled = true)
//@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsService userDetailsService;
@Autowired
UserService userService;
@Autowired
private DataSource datasource;
@Override
protected void configure(HttpSecurity http) throws Exception {
// http.authorizeRequests().antMatchers("/bus/topologie", "/home")
// http.authorizeRequests().anyRequest().authenticated()
// .antMatchers("/admin/**").access("hasRole('ADMIN')").and()
// .formLogin().failureUrl("/login?error")
// .defaultSuccessUrl("/bus/topologie").loginPage("/login")
// .permitAll().and().logout()
// .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
// .logoutSuccessUrl("/login").permitAll().and().rememberMe()
// .rememberMeParameter("remember-me")
// .tokenRepository(persistentTokenRepository())
// .tokenValiditySeconds(86400).and().csrf();
}
@Bean
public PersistentTokenRepository persistentTokenRepository() {
JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
tokenRepositoryImpl.setDataSource(datasource);
return tokenRepositoryImpl;
}
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
PasswordEncoder encoder = new BCryptPasswordEncoder();
auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
auth.jdbcAuthentication().dataSource(datasource);
if (!userService.userExists("user")) {
User userAdmin = new User("user", encoder.encode("password"), true);
Set<Authorities> authorities = new HashSet<Authorities>();
authorities.add(new Authorities(userAdmin,"ADMIN"));
authorities.add(new Authorities(userAdmin,"CRIP"));
authorities.add(new Authorities(userAdmin,"USER"));
userAdmin.setAuthorities(authorities);
userService.createUser(userAdmin);
}
}
}
采纳答案by Ali Dehghani
Use security.ignoredproperty:
使用security.ignored属性:
security.ignored=/**
security.basic.enable: falsewill just disable some part of the security auto-configurations but your WebSecurityConfigstill will be registered.
security.basic.enable: false只会禁用部分安全自动配置,但您WebSecurityConfig仍然会被注册。
There is a default security password generated at startup
有启动时生成的默认安全密码
Try to Autowiredthe AuthenticationManagerBuilder:
尝试Autowired的AuthenticationManagerBuilder:
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception { ... }
回答by nukie
I think you must also remove security auto config from your @SpringBootApplicationannotated class:
我认为您还必须从带@SpringBootApplication注释的类中删除安全自动配置:
@EnableAutoConfiguration(exclude = {
org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration.class})
回答by bmarkham
Try this. Make a new class
尝试这个。新建一个班级
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.authorizeRequests().antMatchers("/").permitAll();
}
}
Basically this tells Spring to allow access to every url. @Configurationtells spring it's a configuration class
基本上这告诉 Spring 允许访问每个 url。@Configuration告诉 spring 它是一个配置类
回答by Breton F.
Use @profile("whatever-name-profile-to-activate-if-needed")on your security configuration class that extends WebSecurityConfigurerAdapter
@profile("whatever-name-profile-to-activate-if-needed")在扩展的安全配置类上使用WebSecurityConfigurerAdapter
security.ignored=/**
security.basic.enable: false
NB. I need to debug to know why why exclude auto configuration did not work for me. But the profile is sot so bad as you can still re-activate it via configuration properties if needed
注意。我需要调试才能知道为什么排除自动配置对我不起作用。但是配置文件太糟糕了,如果需要,您仍然可以通过配置属性重新激活它
回答by Maoz Zadok
This was the only thing that worked for me, I added the following annotation to my Application class and exclude SecurityAutoConfiguration
这是唯一对我有用的方法,我在 Application 类中添加了以下注释并排除了 SecurityAutoConfiguration
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
@EnableAutoConfiguration(exclude = {
SecurityAutoConfiguration.class
})
回答by user2979124
Just add the following line to disable spring auto configuration in application.properties file
只需添加以下行即可在 application.properties 文件中禁用 spring 自动配置
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
it works on spring 2.0.5 :)
它适用于 spring 2.0.5 :)
回答by Enrico Giurin
With this solution you can fully enable/disable the security by activating a specific profile by command line. I defined the profile in a file application-nosecurity.yaml
使用此解决方案,您可以通过命令行激活特定配置文件来完全启用/禁用安全性。我在文件中定义了配置文件application-nosecurity.yaml
spring:
autoconfigure:
exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
Then I modified my custom WebSecurityConfigurerAdapterby adding the @Profile("!nosecurity")as follows:
然后我WebSecurityConfigurerAdapter通过添加@Profile("!nosecurity")以下内容来修改我的自定义:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Profile("!nosecurity")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {...}
To fully disable the security it's enough to start the application up by specifying the nosecurityprofile, i.e.:
要完全禁用安全性,只需指定nosecurity配置文件即可启动应用程序,即:
java -jar target/myApp.jar --spring.profiles.active=nosecurity
回答by Mehdi Bouzidi
You could just comment the maven dependency for a while:
您可以暂时评论 maven 依赖项:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-mongodb</artifactId>
</dependency>
<!-- <dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>-->
</dependencies>
It worked fine for me
它对我来说很好用
Disabling it from
application.propertiesis deprecated for Spring Boot 2.0
application.propertiesSpring Boot 2.0 不推荐禁用它
回答by Joker
security.ignored is deprecatedsince Spring Boot 2.
security.ignored从 Spring Boot 2 开始被弃用。
For me simply extend the Annotation of your Application class did the Trick:
对我来说,只需扩展您的 Application 类的 Annotation 就可以了:
@SpringBootApplication(exclude = SecurityAutoConfiguration.class)
回答by Cmyker
Since security.disable option is banned from usage there is still a way to achieve it from pure config without touching any class flies (for me it creates convenience with environments manipulation and possibility to activate it with ENV variable) if you use Boot
由于禁止使用 security.disable 选项,因此仍然有一种方法可以从纯配置中实现它,而无需触及任何类苍蝇(对我来说,它为环境操作创造了便利,并且可以使用 ENV 变量激活它),如果您使用 Boot
spring.autoconfigure.exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
