java Spring boot,如何禁用springSecurityFitlerChain的自动配置
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/41358938/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring boot, how to disable autoconfiguration of springSecurityFitlerChain
提问by Tuomas Toivonen
I'm studying the Spring Security framework with Spring Boot, and one thing I dislike about boot is it's obscurity. There's so much magic happening, troubleshooting and customization is trial and error, guessing what is configured automatically and where. This is high risk in the security field, as misconfigured system may be compromised.
我正在使用 Spring Boot 研究 Spring Security 框架,我不喜欢引导的一件事是它的晦涩。发生了很多神奇的事情,故障排除和定制是反复试验,猜测自动配置的内容和位置。这是安全领域的高风险,因为错误配置的系统可能会受到损害。
I would like to replace springSecurityFilterChainwith my own implementation. In vanilla Spring I would register DelegatingFilterProxywith a different name in web.xml, and implement corresponding bean. However, Spring boot apparently registers springSecurityFilterChainautomatically if jars are present, and now I'm not sure if the auto configuration will back of just by declaring the springSecurityFilterChainin a traditional way, or will this lead to misconfigured system?
我想springSecurityFilterChain用我自己的实现替换。在 vanilla Spring 中,我会在 中注册DelegatingFilterProxy一个不同的名称web.xml,并实现相应的 bean。但是,springSecurityFilterChain如果 jars 存在,Spring boot 显然会自动注册,现在我不确定自动配置是否会通过springSecurityFilterChain以传统方式声明来恢复,或者这会导致系统配置错误吗?
Generally, I would like to understand Spring boot better, and not just guessing what is happening, where and how to take control of that area.
一般来说,我想更好地理解 Spring boot,而不仅仅是猜测发生了什么,在哪里以及如何控制该区域。
回答by Kevin Peters
There are a lot of preconfigured things, but you can override every single step. The magic of @EnableAutoConfigurationis just convenience. The --debugswitch should tell you more what is happening in the background.
有很多预配置的东西,但您可以覆盖每一步。的魔力@EnableAutoConfiguration只是方便。该--debug开关应该告诉你更多的东西在后台发生。
http://docs.spring.io/spring-boot/docs/current/reference/html/using-boot-auto-configuration.html
http://docs.spring.io/spring-boot/docs/current/reference/html/using-boot-auto-configuration.html
回答by sura2k
If you use Spring Boot 1.4.x (I'm not sure about previous releases), one of the following would work.
如果您使用 Spring Boot 1.4.x(我不确定以前的版本),以下方法之一会起作用。
@EnableAutoConfiguration(exclude = {org.springframework.boot.autoconfigure.security.SecurityFilterAutoConfiguration.class})
OR
或者
@SpringBootApplication(exclude = { org.springframework.boot.autoconfigure.security.SecurityFilterAutoConfiguration.class})
OR
或者
In your application.properties file,
在您的 application.properties 文件中,
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityFilterAutoConfiguration
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityFilterAutoConfiguration
Sometimes you may need to exclude the org.springframework.boot.autoconfigure.security.SecurityAutoConfigurationclass as well.
有时您可能还需要排除org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration该类。
回答by Kevin Peters
Do you really want to disable the whole security chain? I don't see the use case, but if, then you do not need @EnableWebSecurityat all. If you only want to adjust the chain, create a Class annotated with @Configurationand @EnableWebSecuritywhich is extending WebSecurityConfigurerAdapter. There you can tell who is allowed to do what by overriding configure(HttpSecurity).
您真的要禁用整个安全链吗?我没有看到用例,但是如果,那么您根本不需要@EnableWebSecurity。如果您只想调整链,请创建一个用@Configuration和注释的类,@EnableWebSecurity它扩展了 WebSecurityConfigurerAdapter。在那里,您可以通过覆盖configure(HttpSecurity).
