Disabling Spring Security Authorization Checks in Spring Boot 2


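Background

With Spring Security authorization checks integrated, debugging during development became difficult, and keeping a session alive in Postman was fairly hard. So the decision was made to temporarily turn off authorization checks during the development phase.

Spring Boot 1.x

The following configuration is enough: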

security:
  basic:
    enabled: false
management:
  security:
    enabled: false

Spring Boot 2.x

Method 1

@EnableWebSecurity is enabled by default. Exclude SecurityAutoConfiguration in the class annotated with @SpringBootApplication:

@SpringBootApplication(exclude = {SecurityAutoConfiguration.class})

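Note: if the project uses a custom interceptor to implement more flexible role and permission control, this method may not work.

Method 2

Disable CSRF and permit all requests: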

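import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity(debug = true) // already auto-configured; declared here only to print debug information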
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().anyRequest().permitAll().and().logout().permitAll();
    }

}

If the following response is returned:

{
    "timestamp": 1582163333230,
    "status": 403,
    "error": "Forbidden",
    "message": "Access Denied",
    "path": "/sm/user/list"
}

the cause may be a custom AbstractSecurityInterceptor Filter object:

@Service
public class CustomFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
    ...
}

Fix: comment out @Service, then find every reference to this CustomFilterSecurityInterceptor and comment those out as well. For example:

@Configuration
@EnableWebSecurity(debug = true) // already auto-configured; declared here only to print debug information
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        /*http.csrf().disable();
        http.formLogin().permitAll();
        http.logout().logoutSuccessHandler(new CustomLogoutSuccessHandler()).permitAll();
        http.authorizeRequests().anyRequest().authenticated();
        http.exceptionHandling().accessDeniedHandler(new CustomAccessDeniedHandler()).authenticationEntryPoint(new CustomAuthenticationEntryPoint());

        http.addFilterBefore(customFilterSecurityInterceptor, FilterSecurityInterceptor.class);
        customUsernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(new CustomAuthenticationSuccessHandler());
        customUsernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(new CustomAuthenticationFailureHandler());
        http.addFilterAt(customUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        */
        http.csrf().disable().authorizeRequests().anyRequest().permitAll().and().logout().permitAll();
    }

}

Published 2020-02-20
