防止Spring Boot注册Spring Security过滤器之一 [英] Prevent Spring Boot from registering one of Spring Security filter
问题描述
我想在安全链中禁用其中一个Spring Security过滤器。
I would like to disable one of the Spring Security filters in security chain.
我已经看到防止Spring Boot注册servlet过滤器问题 - 并且接受应该有效,但遗憾的是不行。
I have already saw Prevent Spring Boot from registering a servlet filter question - and accepted should work but, unfortunately is not.
使用代码:
@Bean
public FilterRegistrationBean registration(AnonymousAuthenticationFilter filter) {
FilterRegistrationBean registration = new FilterRegistrationBean(filter);
registration.setEnabled(false);
return registration;
}
Spring Boot会立即宣布没有合格的bean,这很难过:
Spring Boot will promptly announce there is no qualifying bean, which is sad:
引起:org.springframework.beans.factory.NoSuchBeanDefinitionException:没有类型为[org.springframework.security.web.authentication的限定bean]。找到依赖项的AnonymousAuthenticationFilter:预期至少有1个bean可以作为此依赖项的autowire候选者。依赖注释:{}
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}
创建另一个bean之后:
After creating another bean:
@SuppressWarnings("deprecation") // Oh, there be dragons
@Bean
public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
return new AnonymousAuthenticationFilter();
}
我受到攻击
引起:java.lang.IllegalArgumentException:[断言失败] - 此String参数必须具有长度;它不能为空或空
Caused by: java.lang.IllegalArgumentException: [Assertion failed] - this String argument must have length; it must not be null or empty
这完全是不明智的; 在方法 https://github.com/spring-projects/spring -security / blob / master / web / src / main / java / org / springframework / security / web / authentication / AnonymousAuthenticationFilter.java 阻止我使用默认构造函数。使用另一种方法:中断言在afterPropertiesSet()
Which is entirely understable; Asserts in afterPropertiesSet() method https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/AnonymousAuthenticationFilter.java are preventing me from using default constructor. Using another approach:
@Bean
public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
// it will be disabled anyway so...
return new AnonymousAuthenticationFilter("_", new Object(), new ArrayList<GrantedAuthority>());
}
一切都更好:
INFO 4916 --- [ost-startStop-1] osbcembedded.FilterRegistrationBean:过滤器anonymousAuthenticationFilter未注册(禁用)
INFO 4916 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Filter anonymousAuthenticationFilter was not registered (disabled)
DEBUG 4916 --- [ost-startStop-1] ossecurity.web.FilterChainProxy:初始化过滤器'springSecurityFilterChain'
DEBUG 4916 --- [ost-startStop-1] o.s.security.web.FilterChainProxy : Initializing filter 'springSecurityFilterChain'
DEBUG 4916 --- [ost-startStop- 1] ossecurity.web.FilterChainProxy:过滤'springSecurityFilterChain'配置成功
DEBUG 4916 --- [ost-startStop-1] o.s.security.web.FilterChainProxy : Filter 'springSecurityFilterChain' configured successfully
但是在访问了一些资源后我得到了:
But after accessing some resource I got:
DEBUG 4916 --- [nio-8080-exec-3] ossecurity.web.FilterChainProxy:/用户位于第10位的13位额外的过滤链;触发过滤器:'AnonymousAuthenticationFilter'
DEBUG 4916 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /user at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 4916 --- [nio-8080-exec-3] osswaAnonymousAuthenticationFilter:填充带有匿名标记的SecurityContextHolder:'org.springframework.security .authentication.AnonymousAuthenticationToken @ 90572420:Principal:anonymousUser;证书:[受保护];认证:真实;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@255f8:RemoteIpAddress:127.0.0.1; SessionId:6B9D974A4634548750FE78C18F62A6B0;授权机构:ROLE_ANONYMOUS'
DEBUG 4916 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90572420: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 6B9D974A4634548750FE78C18F62A6B0; Granted Authorities: ROLE_ANONYMOUS'
由于某种原因AnonymousAuthenticationFilter仍然有效。
问题:是否有办法在Spring Boot应用程序中禁用此类过滤器?
For some reason AnonymousAuthenticationFilter is still working. The question: Is there a way to disable such filters in Spring Boot application?
推荐答案
Spring Security捆绑所有 HttpSecurity 配置中的过滤器。要禁用匿名身份验证,请使用以下命令:
Spring Security bundles all of the Filters within the HttpSecurity configuration. To disable anonymous authentication use the following:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.anonymous().disable()
...
}
...
}
如果要禁用Spring Security中的所有默认值,可以将true传递给父类构造函数以禁用默认值。例如:
If you want to disable all of the defaults within Spring Security you can pass true into the parent class constructor to disable defaults. For example:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public SecurityConfig() {
super(true);
}
...
}
这篇关于防止Spring Boot注册Spring Security过滤器之一的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
