Java Spring Boot 2.0.x 禁用某些配置文件的安全性
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/49258766/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Boot 2.0.x disable security for certain profile
提问by leonz
In Spring Boot 1.5.x, I've had Security configured and in certain profiles (e.g. local), I've added security.basic.enabled=falseline to the .properties file to disable all security for that profile. I'm trying to migrate to the new Spring Boot 2, where that configuration property is removed. How can I achieve the same behaviour (without using this property) in Spring Boot 2.0.x?
在 Spring Boot 1.5.x 中,我已经配置了安全性,并且在某些配置文件(例如本地)中,我security.basic.enabled=false在 .properties 文件中添加了一行以禁用该配置文件的所有安全性。我正在尝试迁移到新的 Spring Boot 2,其中删除了该配置属性。如何在 Spring Boot 2.0.x 中实现相同的行为(不使用此属性)?
I've already read Spring-Boot-Security-2.0and security-changes-in-spring-boot-2-0-m4and there is nothing regarding this property.
我已经阅读了Spring-Boot-Security-2.0和security-changes-in-spring-boot-2-0-m4并且没有关于这个属性的任何内容。
采纳答案by dur
You have to add a custom Spring Security configuration, see Spring Boot Reference Guide:
您必须添加自定义 Spring Security 配置,请参阅Spring Boot 参考指南:
28.1 MVC Security
The default security configuration is implemented in
SecurityAutoConfigurationandUserDetailsServiceAutoConfiguration.SecurityAutoConfigurationimportsSpringBootWebSecurityConfigurationfor web security andUserDetailsServiceAutoConfigurationconfigures authentication, which is also relevant in non-web applications. To switch off the default web application security configuration completely, you can add a bean of typeWebSecurityConfigurerAdapter(doing so does not disable theUserDetailsServiceconfiguration or Actuator's security).
28.1 MVC 安全
默认安全配置在
SecurityAutoConfiguration和 中实现UserDetailsServiceAutoConfiguration。为 Web 安全SecurityAutoConfiguration导入SpringBootWebSecurityConfiguration并UserDetailsServiceAutoConfiguration配置身份验证,这也与非 Web 应用程序相关。要完全关闭默认的 Web 应用程序安全配置,您可以添加一个类型的 beanWebSecurityConfigurerAdapter(这样做不会禁用UserDetailsService配置或执行器的安全性)。
For example:
例如:
@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/**");
}
}
To use the configuration only for a profile add @Profileto the class. If you want to enable it by property, add ConditionalOnPropertyto the class.
要仅将配置用于配置文件,请添加@Profile到类中。如果要通过属性启用它,请添加ConditionalOnProperty到类中。
回答by leonz
Here is how I ended up solving the problem. Here is an example of how my security config looked in Spring Boot 1.5.x. Security was disabled with property security.basic.enabled=false:
这是我最终解决问题的方法。这是我的安全配置在 Spring Boot 1.5.x 中的外观示例。财产安全被禁用security.basic.enabled=false:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/upload/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic();
}
}
Since security.basic.enabledwas removed in Spring Boot 2 (but still reserved as property name), I ended up using security.enabledas a custom property. Here's an example of how my config looks in Spring Boot 2:
由于security.basic.enabled已在 Spring Boot 2 中删除(但仍保留为属性名称),因此我最终将其security.enabled用作自定义属性。这是我的配置在 Spring Boot 2 中的外观示例:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${security.enabled:true}")
private boolean securityEnabled;
@Override
public void configure(WebSecurity web) throws Exception {
if (securityEnabled)
web.ignoring().antMatchers("/upload/**");
else
web.ignoring().antMatchers("/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
if (securityEnabled)
http.csrf().disable().authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic();
}
}
回答by Türkmen Mustafa Demirci
Actually there are several answers for certain configurations for this question; in my case I have been playing around Spring Boot 2 with Spring Security and JWT. In order to secure my REST endpoints I need to create tokens etc. After I wrote my code and tried to test my endpoints to see if JWT works fine, I end up facing default login page. I tried changing properties file mentioned above and finally I disabled it by adding the @SpringBootApplication(exclude = {SecurityAutoConfiguration.class} )annotation to my application class.
实际上对于这个问题的某些配置有几个答案;就我而言,我一直在使用 Spring Security 和 JWT 玩 Spring Boot 2。为了保护我的 REST 端点,我需要创建令牌等。在我编写代码并尝试测试我的端点以查看 JWT 是否正常工作后,我最终遇到了默认登录页面。我尝试更改上面提到的属性文件,最后通过将@SpringBootApplication(exclude = {SecurityAutoConfiguration.class} )注释添加到我的应用程序类来禁用它。
@SpringBootApplication(exclude = {SecurityAutoConfiguration.class} )
public class JwtWithSpringBootApplication {
public static void main(String[] args) {
SpringApplication.run(JwtWithSpringBootApplication.class, args);
}
}
回答by Abhishek Chatterjee
There is another option to disable security in spring boot 2
在 spring boot 2 中还有另一个选项可以禁用安全性
@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class})
Add this over the main class
在主类上添加这个
回答by Kalpesh Soni
In springboot 2.1.4 I had to do this
在 springboot 2.1.4 我不得不这样做
@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class, SecurityFilterAutoConfiguration.class})
回答by Madhu Tomy
Spring Boot 2.1.3
春季启动 2.1.3
For a certain profile "dev"
对于某个配置文件“dev”
Create a new Spring Configuration class
创建一个新的 Spring 配置类
@Configuration
@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class})
@Profile("dev")
public class WebSecurityConfigDisable {
}
This will disable the spring security.
这将禁用弹簧安全性。
