

Disabling Spring Security Authorization Checks in Spring Boot 2


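Background

After integrating Spring Security authorization checks, debugging during development became difficult, and keeping a session alive in Postman was fairly hard. So the decision was made to turn the authorization checks off temporarily during development.

Spring Boot 1.x

The following configuration is enough: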

security:
  basic:
    enabled: false
management:
  security:
    enabled: false

Spring Boot 2.x

Method 1

@EnableWebSecurity is enabled by default. Exclude SecurityAutoConfiguration in the class annotated with @SpringBootApplication:

@SpringBootApplication(exclude = {SecurityAutoConfiguration.class})

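Important: if you use a custom interceptor to implement more flexible role-based access control, this method may not work.

Method 2

Disable CSRF and permit all requests: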

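import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity(debug = true) // Already auto-configured; declared here only to print debug information
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection off, every request permitted without authentication
        http.csrf().disable().authorizeRequests().anyRequest().permitAll().and().logout().permitAll();
    }

}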

If you still get a response like the following:

{
    "timestamp": 1582163333230,
    "status": 403,
    "error": "Forbidden",
    "message": "Access Denied",
    "path": "/sm/user/list"
}

the cause may be a custom filter that extends AbstractSecurityInterceptor:

@Service
public class CustomFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
    // ...
}

Solution: comment out @Service, then find every place that references CustomFilterSecurityInterceptor and comment those out as well. For example:

@Configuration
@EnableWebSecurity(debug = true) // Already auto-configured; declared here only to print debug information
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        /*http.csrf().disable();
        http.formLogin().permitAll();
        http.logout().logoutSuccessHandler(new CustomLogoutSuccessHandler()).permitAll();
        http.authorizeRequests().anyRequest().authenticated();
        http.exceptionHandling().accessDeniedHandler(new CustomAccessDeniedHandler()).authenticationEntryPoint(new CustomAuthenticationEntryPoint());

        http.addFilterBefore(customFilterSecurityInterceptor, FilterSecurityInterceptor.class);
        customUsernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(new CustomAuthenticationSuccessHandler());
        customUsernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(new CustomAuthenticationFailureHandler());
        http.addFilterAt(customUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        */
        http.csrf().disable().authorizeRequests().anyRequest().permitAll().and().logout().permitAll();
    }

}
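
Because Method 2 permits every request and turns CSRF protection off, the configuration should only ever load in a development run. The following is an added example, not code from the original article: it binds the permit-all rules to a Spring profile so that any other profile, or no profile at all, gets the enforcing rules. The package name, the class names and the profile name "dev" are assumptions.

```java
package com.example.demo; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ProfileScopedSecurityConfiguration {

    // Loaded only when the (assumed) "dev" profile is active,
    // e.g. started with --spring.profiles.active=dev
    @Configuration
    @Profile("dev")
    static class DevOpenSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Same rules as Method 2: CSRF off, everything permitted
            http.csrf().disable()
                .authorizeRequests().anyRequest().permitAll()
                .and().logout().permitAll();
        }
    }

    // Loaded for every other profile, including when no profile is set,
    // so a forgotten or missing profile setting fails closed
    @Configuration
    @Profile("!dev")
    static class EnforcedSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // CSRF protection stays at its default (enabled)
            http.authorizeRequests().anyRequest().authenticated()
                .and().formLogin().permitAll()
                .and().logout().permitAll();
        }
    }
}
```

A custom filter bean such as CustomFilterSecurityInterceptor can be annotated with @Profile("!dev") in the same way instead of being commented out, provided the code that injects it is also limited to the non-dev profile.
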
12332 reads · Published 2020-02-20

————        END        ————

Give me a Star, Thanks:)

https://github.com/fendoudebb
