Spring security 5/spring boot 2.2: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken

Question

我們正在將我們的應用程序從 spring 啟動 1.5.x 升級到 2.2.x 和 spring 安全 4.x 到 5.3.2。 我們為 web 安全性定義了以下內容：

 @EnableWebSecurity
 @Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 @Profile("uno")
 public class UnoSecurityConfig extends AbstractSecurityConfig {

 @Autowired
 private ServletContext servletContext;

 @Override
 protected void configure(HttpSecurity http) throws Exception {
    BasicAuthFilter basicAuthFilter = new BasicAuthFilter();
    basicAuthFilter.init(new BasicAuthSSOFilterConfig(servletContext));
    http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/ping").permitAll()
            .antMatchers(HttpMethod.POST, "/ping").permitAll()
            .antMatchers("/**").hasAuthority(OurPrivileges.ALL_MEASURE)
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()//allow CORS option calls
            .and()
            .addFilter(securityContextPersistenceFilter())
            .addFilterAfter(new RequestContextFilter(), SecurityContextPersistenceFilter.class)
            .addFilterAfter(new CrossFramePreventionFilter(), RequestContextFilter.class)
            .addFilterAfter(basicAuthFilter, CrossFramePreventionFilter.class)
            .addFilterAfter(preAuthenticationFilter(), BasicAuthFilter.class)
            .addFilterAfter(exceptionTranslationFilter(), PreAuthenticatedUserDetailsFilter.class);
    http.headers().contentSecurityPolicy(SecurityUtility.getContentSecurityPolicy());
}

當我嘗試點擊 /ping 端點時，它應該讓我進入，但我卻彈出身份驗證框，然后被拒絕。 我在日志中看到了這一點：

2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec- 
2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator/health/**']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec- 
2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator/health/**'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator/info/**']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator/info/**'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator/']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator/'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -No matches found
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Request '/ping' matched by universal pattern '/**'

其他需要身份驗證的端點不允許我進入並給出 401/403 錯誤，拋出異常是帖子的標題。 顯然 spring 沒有使用我們的自定義邏輯。 我們的代碼都沒有改變，只是依賴關系。 我該如何超越這一點？

Answer 1

配置覆蓋創建一個新的過濾器鏈，它優先於默認的 springSecurityFilterChain ，因此接受所有請求並拒絕一切。 我將@Order(1) 添加到我的安全配置 class 中，從而解決了問題。