我在 OAuth2 中使用 Spring Boot Security。我不想禁用健康端点的安全性。
我可以完全禁用安全性或编写自己的
WebSecurityConfigurerAdapter但是如何修改
WebSecurityConfigurerAdapterOAuth2SsoDefaultConfiguration我试图在不禁用自动配置的情况下创建自己的配置,但由于
Order这里是错误信息:
Caused by: java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique.
Order of 100 was already used on SecurityConfiguration$$EnhancerBySpringCGLIB$$9505fc58@13f182b9,
so it cannot be used on
org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2SsoDefaultConfiguration$$EnhancerBySpringCGLIB$$dc290e2b@5ee0cf64 too.
此外,我试图为我自己的安全配置明确设置更高的顺序,但看起来自动配置的会覆盖我的。
那么如何在不重新实现整个配置的情况下覆盖特定的安全规则?
您需要在您的
中实现以下方法@SpringBootApplication @SpringBootApplication
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
public class BusinessLogicServiceApplication extends ResourceServerConfigurerAdapter {
public static void main(String[] args) throws IOException {
ConfigurableApplicationContext context =
SpringApplication.run(BusinessLogicServiceApplication.class, args);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/health").permitAll().anyRequest().authenticated();
}
}
@Configuration
@EnableOAuth2Sso
class MyConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/actuator/health")
.permitAll()
.anyRequest()
.authenticated();
}
}
确保您在
@EnableOAuth2SsoWebSecurityConfigurerAdapterOAuth2SsoCustomConfigurationOAuth2SsoDefaultConfiguration#configure您可能还想显示完整的健康信息:
management:
endpoint:
health:
show-details: always
以下是可能的检查。
解决方案 1: 确保您正在使用
org.springframework.core.annotation.Order
代替
org.apache.logging.log4j.core.config.Order
由于 Spring 没有解析正确的注解,它假设两种配置的默认值为 100。
解决方案 2:
也许您已经使用@EnableWebSecurity 注释对另一个类进行了注释。请注意,只有一个类可以实现此注释。
解决方案 3:参考这个https://stackoverflow.com/a/44076087/6572971
解决方案 4:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
public class DemoConfigurer extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception{
http.authorizeRequests().antMatchers("/health").permitAll();
super.configure(http);
}
}
我认为您可以拥有自己的实现来扩展您使用的实现(
OAuth2SsoDefaultConfiguration@Override
public void configure(final HttpSecurity http) throws Exception {
http.regexMatchers("/health",)
.permitAll()
}
顺便说一句
Also, I tried to explicitly set higher order for my own security configuration, but looks like autoconfigured one overrides mine.
@Ordermanagement.security.enabled: false在spring boot 2中不再有效,需要采取ConfigurerAdapter的方式。下面是我使用 OAuth2 资源服务器时的代码。
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
/**
* to disable security for acutator endpoints.
*
*/
@Configuration
public class ActuatorSecurityConfigurer extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.authorizeRequests().antMatchers("/actuator").permitAll();
}
}
management.security.enabled: false不适用于 spring boot 2.x 版本
对于
Kotlin@Configuration
class SecurityConfiguration : WebSecurityConfigurerAdapter() {
override fun configure(httpSecurity: HttpSecurity) {
httpSecurity.authorizeRequests().antMatchers("/actuator").permitAll()
}
}
您还可以使用
management.security.enabled: false