java 防止 Spring Boot 注册 Spring Security 过滤器之一
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/31680816/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Prevent Spring Boot from registering one of Spring Security filter
提问by Trynkiewicz Mariusz
I would like to disable one of the Spring Security filters in security chain.
我想禁用安全链中的 Spring Security 过滤器之一。
I have already saw Prevent Spring Boot from registering a servlet filterquestion - and accepted should work but, unfortunately is not.
我已经看到了防止 Spring Boot 注册 servlet 过滤器问题 - 并且接受应该有效,但不幸的是不是。
With code:
用代码:
@Bean
public FilterRegistrationBean registration(AnonymousAuthenticationFilter filter) {
FilterRegistrationBean registration = new FilterRegistrationBean(filter);
registration.setEnabled(false);
return registration;
}
Spring Boot will promptly announce there is no qualifying bean, which is sad:
Spring Boot 会及时宣布没有合格的 bean,这令人伤心:
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}
由以下原因引起:org.springframework.beans.factory.NoSuchBeanDefinitionException:找不到类型为 [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] 的合格 bean 依赖项:预计至少有 1 个 bean 有资格作为此依赖项的自动装配候选者。依赖注释:{}
After creating another bean:
创建另一个bean后:
@SuppressWarnings("deprecation") // Oh, there be dragons
@Bean
public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
return new AnonymousAuthenticationFilter();
}
I am attacked with
我被攻击了
Caused by: java.lang.IllegalArgumentException: [Assertion failed] - this String argument must have length; it must not be null or empty
引起:java.lang.IllegalArgumentException: [Assertion failed] - 这个字符串参数必须有长度;它不能为 null 或为空
Which is entirely understable; Asserts in afterPropertiesSet()method https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/AnonymousAuthenticationFilter.javaare preventing me from using default constructor. Using another approach:
这是完全不稳定的;方法https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/AnonymousAuthenticationFilter.java中的Asserts阻止我使用默认值构造函数。使用另一种方法:afterPropertiesSet()
@Bean
public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
// it will be disabled anyway so...
return new AnonymousAuthenticationFilter("_", new Object(), new ArrayList<GrantedAuthority>());
}
Everything is way nicer:
一切都变得更好了:
INFO 4916 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Filter anonymousAuthenticationFilter was not registered (disabled)
DEBUG 4916 --- [ost-startStop-1] o.s.security.web.FilterChainProxy : Initializing filter 'springSecurityFilterChain'
DEBUG 4916 --- [ost-startStop-1] o.s.security.web.FilterChainProxy : Filter 'springSecurityFilterChain' configured successfully
信息 4916 --- [ost-startStop-1] osbcembedded.FilterRegistrationBean:过滤器anonymousAuthenticationFilter 未注册(禁用)
调试 4916 --- [ost-startStop-1] ossecurity.web.FilterChainProxy:初始化过滤器“springSecurityFilterChain”
调试 4916 --- [ost-startStop-1] ossecurity.web.FilterChainProxy:过滤器“springSecurityFilterChain”配置成功
But after accessing some resource I got:
但是在访问了一些资源后,我得到了:
DEBUG 4916 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /user at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 4916 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90572420: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 6B9D974A4634548750FE78C18F62A6B0; Granted Authorities: ROLE_ANONYMOUS'
调试 4916 --- [nio-8080-exec-3] ossecurity.web.FilterChainProxy:/user 在附加过滤器链中的第 10 个位置;发射过滤器:'AnonymousAuthenticationFilter'
调试 4916 --- [nio-8080-exec-3] osswaAnonymousAuthenticationFilter :使用匿名令牌填充 SecurityContextHolder:'org.springframework.security.authentication.AnonymousAuthenticationToken@90572420:主体:anonymousUser; 凭据:[受保护];已认证:真实;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@255f8:RemoteIpAddress:127.0.0.1;会话 ID:6B9D974A4634548750FE78C18F62A6B0;授予权限:ROLE_ANONYMOUS'
For some reason AnonymousAuthenticationFilter is still working. The question: Is there a way to disable such filters in Spring Boot application?
出于某种原因 AnonymousAuthenticationFilter 仍在工作。问题:有没有办法在 Spring Boot 应用程序中禁用此类过滤器?
回答by Rob Winch
Spring Security bundles all of the Filters within the HttpSecurityconfiguration. To disable anonymous authentication use the following:
Spring Security 捆绑了HttpSecurity配置中的所有过滤器。要禁用匿名身份验证,请使用以下命令:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.anonymous().disable()
...
}
...
}
If you want to disable all of the defaults within Spring Security you can pass true into the parent class constructor to disable defaults. For example:
如果要禁用 Spring Security 中的所有默认值,可以将 true 传递给父类构造函数以禁用默认值。例如:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public SecurityConfig() {
super(true);
}
...
}
