使用 Spring Boot 配置 Spring Security
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19530768/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Configuring Spring Security with Spring Boot
提问by CodeChimp
I am new to configuring Spring Securityusing Java Config. I was trying to follow this posting. However, when I run my app, I get a Basic Auth challengeon all URLs, including /. Entering the either of the userid/pass combos below do not seem to work.
我是使用Java Config配置Spring Security 的新手。我试图关注这个帖子。但是,当我运行我的应用程序时,我在所有 URL 上都收到了基本身份验证挑战,包括. 输入以下任一用户 ID/密码组合似乎都不起作用。/
My Controller:
我的控制器:
package com.xxx.web;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
@RequestMapping("/")
/**
* Controller to handle basic "root" URLs
*
* @author xxx
* @version 0.1.0
*/
public class RootController {
/**
* Handles '/'
* @param model
* @return
*/
@RequestMapping
public String index(Model model) {
return "index";
}
/**
* Handles '/signup'
* @param model
* @return
*/
@RequestMapping("/signup")
public String signup(Model model) {
return "signup";
}
/**
* Handles '/about'
* @param model
* @return
*/
@RequestMapping("/about")
public String about(Model model) {
return "about";
}
/**
* Handles '/login'
* @param model
* @return
*/
@RequestMapping("/login")
public String login(Model model) {
return "login";
}
/**
* Handles '/admin'
* @param model
* @return
*/
@RequestMapping("/admin")
public String admin(Model model) {
return "admin";
}
}
Not sure what else to try. Just looking for some guidance as to why this isn't working.
不知道还有什么可以尝试的。只是寻找一些关于为什么这不起作用的指导。
Update
更新
For completeness, here is the config class:
为了完整起见,这里是配置类:
package com.xxx.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
/**
* Configures the security for the application
*
* @author XXX
* @version 0.1.0
*
*/
public class WebSecurityAppConfig extends WebSecurityConfigurerAdapter {
@Override
/**
* @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#registerAuthentication(AuthenticationManagerBuilder)
*/
protected void registerAuthentication(AuthenticationManagerBuilder auth)
throws Exception {
auth
.inMemoryAuthentication()
.withUser("user") // #1
.password("password")
.roles("USER")
.and()
.withUser("admin") // #2
.password("password")
.roles("ADMIN","USER");
}
@Override
/**
* @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(WebSecurity)
*/
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**"); // #3
}
@Override
/**
* @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(HttpSecurity)
*/
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/","/signup","/about").permitAll() // #4
.antMatchers("/admin/**").hasRole("ADMIN") // #6
.anyRequest().authenticated() // 7
.and()
.formLogin() // #8
.loginPage("/login") // #9
.permitAll(); // #5
}
}
And the WebApplicationInitializer:
和 WebApplicationInitializer:
package com.xxx.config;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
/**
*
* @author XXX
* @version 0.1.0
*/
public class SpringWebMvcInitializer extends
AbstractAnnotationConfigDispatcherServletInitializer {
@Override
/**
*
*/
protected Class<?>[] getRootConfigClasses() {
return new Class[] { WebSecurityAppConfig.class };
}
@Override
/**
*
*/
protected Class<?>[] getServletConfigClasses() {
return null;
}
@Override
/**
*
*/
protected String[] getServletMappings() {
return null;
}
}
I didn't include these before because they are pretty much a copy-paste from the referenced blog posting.
我之前没有包括这些,因为它们几乎是从引用的博客文章中复制粘贴的。
采纳答案by Dave Syer
The original question is probably best answered by just describing the options available. Some applications (services that only need basic HTTP authentication) can use the default settings in the actuator, others will need to specify security.*properties (see SecurityPropertiesfor options) and/or an AuthenticationManager(for user account details). The next level of control comes from adding your own WebSecurityConfigurerAdapter, and you can see how to do that by looking at the "secure" sample in Spring Boot.
最初的问题可能最好通过描述可用选项来回答。一些应用程序(只需要基本 HTTP 身份验证的服务)可以使用执行器中的默认设置,其他应用程序需要指定security.*属性(参见SecurityProperties选项)和/或AuthenticationManager(用户帐户详细信息)。下一级控制来自添加您自己的WebSecurityConfigurerAdapter,您可以通过查看Spring Boot中的“安全”示例来了解如何做到这一点。
