Java – enabling WebSecurityConfigurer via @Profile does not work
I think I have a very simple and basic setup for running a Spring Boot webapp with some authentication locally.
I hope that when I run this application through Spring Boot and specify a local profile, my custom security settings will override the default behavior:
    mvn -Dspring.profiles.active="local" spring-boot:run
Maybe I'm specifying profiles.active incorrectly, but when the application is running, it still spits out the generated password to use, and does not seem to allow access to the /login path without that authentication.
I also don't see the active profiles under /env, which may be a little strange.
I have a WebSecurityConfigurer overridden as follows:
    @Configuration
    @EnableWebSecurity
    @Profile("local")
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().fullyAuthenticated()
                .and().formLogin().permitAll();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("admin").password("admin").roles("ADMIN", "USER")
                .and().withUser("user").password("user").roles("USER");
        }
    }
My main @Configuration class is your standard Spring Java-style basic configuration:
    @Configuration
    @ComponentScan
    @EnableAutoConfiguration
    public class Application {

        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }
    }
Solution
The second attempt provides better security settings and control. What are the advanced options for controlling security auto-configuration:
- Turn off security completely and permanently:
  - Remove Spring Security from the classpath
  - or exclude security auto-configuration: @EnableAutoConfiguration(exclude = SecurityAutoConfiguration.class)
- Turn off the default basic authentication security by setting security.basic.enabled=false
If you have complete control over the use of security settings, security auto-configuration and Spring configuration files, you can easily control different security settings:
    @Configuration
    @ComponentScan
    public class Application {

        public static void main(String[] args) throws Throwable {
            SpringApplication.run(Application.class, args);
        }
    }

    @Configuration
    public class WebSecurityConfig {

        @Configuration
        @EnableAutoConfiguration(exclude = SecurityAutoConfiguration.class)
        @ConditionalOnExpression("!${my.security.enabled:false}")
        protected static class DefaultWebSecurityConfig {
        }

        @Configuration
        @EnableAutoConfiguration
        @EnableWebMvcSecurity
        @Profile("local")
        @ConditionalOnExpression("${my.security.enabled:false}")
        protected static class LocalWebSecurityConfig extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .antMatchers("/", "/home").permitAll()
                        .anyRequest().authenticated();
                http
                    .formLogin().loginPage("/login").permitAll().and()
                    .logout().permitAll();
            }

            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                auth
                    .inMemoryAuthentication()
                        .withUser("user").password("password").roles("USER");
            }
        }
    }
In the above class, I basically removed @EnableAutoConfiguration from the Application class in order to use it conditionally. Two configuration classes, DefaultWebSecurityConfig and LocalWebSecurityConfig, are created, and the my.security.enabled flag selects between them using Boot's @ConditionalOnExpression.
If my security is not enabled, the first configuration will only exclude SecurityAutoConfiguration. The second enables security and uses the local profile. By creating another configuration with a different profile, you can control what happens with different profiles. You can then choose whether to enable security and which profile to use:
    #java -jar build/libs/gs-securing-web-0.1.0.jar
    #java -jar build/libs/gs-securing-web-0.1.0.jar --spring.profiles.active=local --my.security.enabled=true
If you have the option of using application.yml, different settings can be applied automatically for each profile while still defining default values. This is a good option if you only want to disable the default basic authentication enabled by the default security auto-configuration:
    security:
      basic:
        enabled: false
    ---
    spring:
      profiles: local
    security:
      basic:
        enabled: true
    ---
There may be a million different ways to perform these operations, and which one is best always depends on the current use case.
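A startup check for the toggle described in the answer above, as an added example that is not part of the original answer: it logs the active profiles and the my.security.enabled flag, and refuses to start when the flag is set but no Spring Security filter chain was registered. SecurityStartupGuard is a hypothetical class name, and the example assumes the class sits in a package covered by the application's @ComponentScan.

```java
import java.util.Arrays;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

// Added example (hypothetical class, not from the answer): fails startup when
// security was requested but no Spring Security filter chain was registered.
@Component
public class SecurityStartupGuard implements ApplicationListener<ContextRefreshedEvent> {

    private static final Log log = LogFactory.getLog(SecurityStartupGuard.class);

    // Bean name under which Spring Security registers its servlet filter chain.
    private static final String FILTER_CHAIN_BEAN = "springSecurityFilterChain";

    @Override
    public void onApplicationEvent(ContextRefreshedEvent event) {
        ApplicationContext ctx = event.getApplicationContext();
        Environment env = ctx.getEnvironment();

        // Same flag and default as the @ConditionalOnExpression in the answer.
        boolean requested = env.getProperty("my.security.enabled", Boolean.class, false);
        boolean chainPresent = ctx.containsBean(FILTER_CHAIN_BEAN);
        String profiles = Arrays.toString(env.getActiveProfiles());

        // Shows at startup whether the profile and flag were actually picked up.
        log.info("my.security.enabled=" + requested + ", active profiles=" + profiles
                + ", security filter chain present=" + chainPresent);

        if (requested && !chainPresent) {
            // For example: the flag was set but the "local" profile was not,
            // so LocalWebSecurityConfig was skipped.
            throw new IllegalStateException("my.security.enabled=true but no "
                    + FILTER_CHAIN_BEAN + " bean exists; active profiles=" + profiles);
        }
        if (!chainPresent) {
            log.warn("Starting without Spring Security; no endpoint requires authentication");
        }
    }
}
```

An exception thrown from the listener propagates out of the context refresh, so SpringApplication.run fails instead of serving requests without the expected filter chain.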