Spring Boot2 关闭 Security 权限验证

背景介绍

因整合了Spring Security权限验证，在开发阶段调试变得困难，Postman保持session难度较大。所以决定开发阶段暂时关闭权限验证。

Spring Boot1.x

可使用如下配置即可解决：

security:
  basic:
    enabled: false
management:
  security:
    enabled: false

Spring Boot2.x

方法一

@EnableWebSecurity是默认开启的，在SpringBootApplication注解类中排除SecurityAutoConfiguration：

@SpringBootApplication(exclude = {SecurityAutoConfiguration.class})

特别提醒：对于自定义拦截器来实现更灵活的角色权限控制的，此方法可能不起作用。

方法二

禁用csrf，放行所有请求：

@Configuration
@EnableWebSecurity(debug = true)//已经自动配置了，此处只是为了打印debug信息
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().anyRequest().permitAll().and().logout().permitAll();
    }

}

如有以下信息：

{
    "timestamp": 1582163333230,
    "status": 403,
    "error": "Forbidden",
    "message": "Access Denied",
    "path": "/sm/user/list"
}

可能是自定义了AbstractSecurityInterceptor和Filter对象：

@Service
public class CustomFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
    ...
}

解决办法：把@Service注释，并且找到引用这个CustomFilterSecurityInterceptor，都注释掉。如：

@Configuration
@EnableWebSecurity(debug = true)//已经自动配置了，此处只是为了打印debug信息
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        /*http.csrf().disable();
        http.formLogin().permitAll();
        http.logout().logoutSuccessHandler(new CustomLogoutSuccessHandler()).permitAll();
        http.authorizeRequests().anyRequest().authenticated();
        http.exceptionHandling().accessDeniedHandler(new CustomAccessDeniedHandler()).authenticationEntryPoint(new CustomAuthenticationEntryPoint());

        http.addFilterBefore(customFilterSecurityInterceptor, FilterSecurityInterceptor.class);
        customUsernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(new CustomAuthenticationSuccessHandler());
        customUsernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(new CustomAuthenticationFailureHandler());
        http.addFilterAt(customUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        */
        http.csrf().disable().authorizeRequests().anyRequest().permitAll().and().logout().permitAll();
    }

}