一尘不染

使用Spring Security Java配置时禁用基本身份验证

spring

我正在尝试使用Spring Security Java配置保护Web应用程序的安全。

这是配置的样子:

@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private String googleClientSecret;

    @Autowired
    private CustomUserService customUserService;

    /*
     * (non-Javadoc)
     * 
     * @see org.springframework.security.config.annotation.web.configuration.
     * WebSecurityConfigurerAdapter
     * #configure(org.springframework.security.config
     * .annotation.web.builders.HttpSecurity)
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // @formatter:off
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/","/static/**", "/resources/**","/resources/public/**").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin()
                    .and()
                .httpBasic().disable()
            .requiresChannel().anyRequest().requiresSecure();
        // @formatter:on
        super.configure(http);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        // @formatter:off
        auth
            .eraseCredentials(true)
            .userDetailsService(customUserService);
        // @formatter:on
        super.configure(auth);
    }
}

请注意,我已使用以下命令明确禁用了HTTP基本身份验证:

.httpBasic().disable()

访问安全的URL时,我仍然收到HTTP Authenticaton提示框。为什么?

请帮我解决这个问题。我只想呈现捆绑的默认登录表单。

Spring Boot Starter版本:1.1.5 Spring安全版本:3.2.5


阅读 1349

收藏
2020-04-17

共1个答案

一尘不染

首先,调用super.configure(http);将覆盖你之前拥有的整个配置。

尝试以下方法:

http
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .formLogin()
        .and()
    .httpBasic().disable();
2020-04-17