How to replace deprecated WebSecurityConfigurerAdapter with multiple filters by SecurityFilterChain?
How to migrate deprecated WebSecurityConfigurerAdapter to SecurityFilterChain?
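As they describe here, WebSecurityConfigurerAdapter will be deprecated in a while.
Since I want to implement a JWT pattern, I tried to refactor my WebSecurityConfigurerAdapter implementation using SecurityFilterChain. The main consideration I am faced with is that configure returns void.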
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CustomAuthenticationFilter customAuthenticationFilter = new CustomAuthenticationFilter(authenticationManagerBean(), accessTokenExpiredInDays, refreshTokenExpiredInDays, jwtSecret);
        customAuthenticationFilter.setFilterProcessesUrl("/api/login");
        http
            .csrf().disable();
        http
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http
            .authorizeRequests()
            .antMatchers("/error").permitAll();
        http
            .authorizeRequests()
            .antMatchers("/api/login/**", "/api/token/refresh/**").permitAll();
        http
            .authorizeRequests()
            .anyRequest().authenticated();
        http
            .addFilter(customAuthenticationFilter);
        http
            .addFilterBefore(new CustomAuthorizationFilter(jwtSecret), UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
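Note that Spring Security has built-in support for JWT authentication, and there is no need to create a custom filter. You can find an example provided by the Spring Security team here.
However, if you do choose to create a custom filter, the recommended way to configure it is to create a custom DSL.
This is the same way Spring Security does it internally.
I have rewritten your configuration below using a custom DSL.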
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable();
        http
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http
            .authorizeRequests()
            .antMatchers("/error").permitAll();
        http
            .authorizeRequests()
            .antMatchers("/api/login/**", "/api/token/refresh/**").permitAll();
        http
            .authorizeRequests()
            .anyRequest().authenticated();
        // apply the custom DSL which adds the custom filter
        // (customDsl() is the static factory on MyCustomDsl: import it statically
        // or call MyCustomDsl.customDsl())
        http
            .apply(customDsl());
        http
            .addFilterBefore(new CustomAuthorizationFilter(jwtSecret), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    public class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {
        // accessTokenExpiredInDays, refreshTokenExpiredInDays and jwtSecret must be in
        // scope here, e.g. as fields of this class or of the enclosing configuration class
        @Override
        public void configure(HttpSecurity http) throws Exception {
            // the AuthenticationManager is published as a shared object before
            // configure() runs, so no authenticationManagerBean() override is needed
            AuthenticationManager authenticationManager =
                http.getSharedObject(AuthenticationManager.class);
            CustomAuthenticationFilter filter =
                new CustomAuthenticationFilter(authenticationManager, accessTokenExpiredInDays, refreshTokenExpiredInDays, jwtSecret);
            filter.setFilterProcessesUrl("/api/login");
            http.addFilter(filter);
        }

        public static MyCustomDsl customDsl() {
            return new MyCustomDsl();
        }
    }
This configuration, along with other examples, is described in the Spring blog post about migrating from WebSecurityConfigurerAdapter.