我有一个配置了Spring Security的Spring Boot Web应用程序。我想暂时禁用身份验证(直到需要)。
我将此添加到application.properties:
application.properties:
security.basic.enable: false management.security.enabled: false
这是我的一部分
但是我仍然包括一个基本的安全性:启动时会生成一个默认的安全密码,并且我仍会收到HTTP身份验证提示框。
我的pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>fr.test.sample</groupId> <artifactId>navigo</artifactId> <version>1.0.0-SNAPSHOT</version> <!-- Inherit defaults from Spring Boot --> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>1.3.1.RELEASE</version> </parent> <properties> <java.version>1.7</java.version> <jsoup.version>1.8.3</jsoup.version> <guava.version>18.0</guava.version> <postgresql.version>9.3-1103-jdbc41</postgresql.version> </properties> <!-- Add typical dependencies for a web application --> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-thymeleaf</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-mail</artifactId> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-context-support</artifactId> </dependency> <dependency> <groupId>org.apache.velocity</groupId> <artifactId>velocity</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-devtools</artifactId> <optional>true</optional> </dependency> <dependency> <groupId>org.jsoup</groupId> <artifactId>jsoup</artifactId> <version>${jsoup.version}</version> </dependency> <dependency> <groupId>com.google.guava</groupId> <artifactId>guava</artifactId> <version>${guava.version}</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-jpa</artifactId> </dependency> <dependency> <groupId>org.postgresql</groupId> <artifactId>postgresql</artifactId> </dependency> </dependencies> <!-- Package as an executable jar --> <build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> </plugins> </build> <!-- Add Spring repositories --> <!-- (you don't need this if you are using a .RELEASE version) --> <repositories> <repository> <id>spring-snapshots</id> <url>http://repo.spring.io/snapshot</url> <snapshots> <enabled>true</enabled> </snapshots> </repository> <repository> <id>spring-milestones</id> <url>http://repo.spring.io/milestone</url> </repository> </repositories> <pluginRepositories> <pluginRepository> <id>spring-snapshots</id> <url>http://repo.spring.io/snapshot</url> </pluginRepository> <pluginRepository> <id>spring-milestones</id> <url>http://repo.spring.io/milestone</url> </pluginRepository> </pluginRepositories> </project>
在WebSecurityConfig.java中配置了安全性(我已注释了注释以将其禁用):
//@Configuration //@EnableWebSecurity //@EnableGlobalMethodSecurity(prePostEnabled = true) //@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired UserDetailsService userDetailsService; @Autowired UserService userService; @Autowired private DataSource datasource; @Override protected void configure(HttpSecurity http) throws Exception { // http.authorizeRequests().antMatchers("/bus/topologie", "/home") // http.authorizeRequests().anyRequest().authenticated() // .antMatchers("/admin/**").access("hasRole('ADMIN')").and() // .formLogin().failureUrl("/login?error") // .defaultSuccessUrl("/bus/topologie").loginPage("/login") // .permitAll().and().logout() // .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) // .logoutSuccessUrl("/login").permitAll().and().rememberMe() // .rememberMeParameter("remember-me") // .tokenRepository(persistentTokenRepository()) // .tokenValiditySeconds(86400).and().csrf(); } @Bean public PersistentTokenRepository persistentTokenRepository() { JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl(); tokenRepositoryImpl.setDataSource(datasource); return tokenRepositoryImpl; } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { PasswordEncoder encoder = new BCryptPasswordEncoder(); auth.userDetailsService(userDetailsService).passwordEncoder(encoder); auth.jdbcAuthentication().dataSource(datasource); if (!userService.userExists("user")) { User userAdmin = new User("user", encoder.encode("password"), true); Set<Authorities> authorities = new HashSet<Authorities>(); authorities.add(new Authorities(userAdmin,"ADMIN")); authorities.add(new Authorities(userAdmin,"CRIP")); authorities.add(new Authorities(userAdmin,"USER")); userAdmin.setAuthorities(authorities); userService.createUser(userAdmin); } } }
使用security.ignored属性:
security.ignored
security.ignored=/**
security.basic.enable: false只会禁用部分安全性自动配置,但你WebSecurityConfig仍将被注册。
security.basic.enable: false
WebSecurityConfig
启动时会生成一个默认的安全密码
尝试Autowired的AuthenticationManagerBuilder:
Autowired
AuthenticationManagerBuilder
@Override @Autowired protected void configure(AuthenticationManagerBuilder auth) throws Exception { ... }