Spring Cloud version: Finchley.RELEASE
Spring Boot version: 2.0.3.RELEASE
The requirement now is that the /swagger-ui.html page must require login authentication, while the ordinary API endpoints must remain accessible without login.
Before the Spring Boot upgrade, the approach was simply to add the following configuration to application.yml:
security:
  basic:
    enabled: true            # enable the Spring Security configuration
    path: /swagger-ui.html   # only this path requires basic auth
  user:
    name: aijianzi           # username
    password: course         # password
    role:                    # granted roles
      - USER
After the upgrade this configuration no longer works; it fails even at compile time, as shown in the figure below:
Looking through the source, I found the following:
From: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.0-Migration-Guide
Security
Spring Boot 2 greatly simplifies the default security configuration and makes adding custom security easy. Rather than having several security-related auto-configurations, Spring Boot now has a single behavior that backs off as soon as you add your own WebSecurityConfigurerAdapter. You are affected if you were using any of the following properties:
security.basic.authorize-mode
security.basic.enabled
security.basic.path
security.basic.realm
security.enable-csrf
security.headers.cache
security.headers.content-security-policy
security.headers.content-security-policy-mode
security.headers.content-type
security.headers.frame
security.headers.hsts
security.headers.xss
security.ignored
security.require-ssl
security.sessions
Then I found: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-Security-2.0
Security Auto-configuration
Spring Boot 2.0 does not provide separate auto-configuration for user-defined endpoints and actuator endpoints. When Spring Security is on the classpath, the auto-configuration secures all endpoints by default. It adds the @EnableWebSecurity annotation and relies on Spring Security’s content-negotiation strategy to determine whether to use httpBasic or formLogin. A user with a default username and generated password is added, which can be used to login.
To apply different security rules to different URLs, the key is to override the configure(HttpSecurity) method of the WebSecurityConfigurerAdapter class. See the two links above for details.
My complete implementation is as follows:
1. Add the dependency to pom.xml:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
2. Configure the login username and password in application.yml (if you stop at this step, every request will be intercepted):
spring:
  security:
    user:
      name: admin
      password: admin
3. Add a custom configuration class annotated with @Configuration and @EnableWebSecurity:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author jiashubing
 * @since 2018/7/16
 */
@Configuration
@EnableWebSecurity
public class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // ordinary API endpoints need no authentication
                .antMatchers("/courseApi/**").permitAll()
                // the Swagger page requires login
                .antMatchers("/swagger-ui.html").authenticated()
            .and()
            .formLogin();
    }
}
Of course, you can also configure certain URLs so that only users holding a specific role may view them; search Baidu for the keywords "Spring Security intercept requests".
Original article; reposting is welcome, but please credit the source!
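As an added example (not the author's code), here is the role-based variant mentioned above, written to fail closed: the API prefix stays open, the documentation requires a dedicated role, and every unlisted path requires login instead of being silently allowed. It assumes the documentation is served by springfox, so the spec endpoints /v2/api-docs, /swagger-resources/** and /webjars/** are covered as well, because guarding only /swagger-ui.html still leaves the API description readable; the user name, password and role are constructed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SwaggerWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: springfox serves the UI at /swagger-ui.html and the
    // machine-readable spec at these sibling paths; all of them must be guarded.
    private static final String[] SWAGGER_PATHS = {
        "/swagger-ui.html", "/swagger-resources/**", "/v2/api-docs", "/webjars/**"
    };

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed credentials for the example. Overriding this method replaces
        // the spring.security.user account from application.yml for this adapter.
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("docs-admin")
            .password(encoder.encode("change-me"))
            .roles("SWAGGER");   // stored as ROLE_SWAGGER
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // public API: no authentication, as on the original page
                .antMatchers("/courseApi/**").permitAll()
                // documentation: login plus the SWAGGER role
                .antMatchers(SWAGGER_PATHS).hasRole("SWAGGER")
                // anything not listed above must at least be authenticated
                .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

The default form login page and its POST handler are served by filters that run before authorization, so the anyRequest() rule does not lock users out of /login.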