Spring Security Kotlin的Spring:从5.3升级到6.0安全配置

v09wglhw  于 2023-01-09  发布在  Spring

我在做Spring安全配置时遇到了很多问题,我曾经在v5.3中应用过这些配置。
这是我的文件

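/**
 * Spring Security 5.x configuration built on [WebSecurityConfigurerAdapter].
 *
 * Authentication goes through a [DaoAuthenticationProvider] backed by [UserService] and BCrypt.
 * Authorization rules cover only the `/notes`, `/todos` and `/users` paths.
 */
@Configuration
@EnableWebSecurity
class WebSecurityConfiguration : WebSecurityConfigurerAdapter() {

    // User lookup service handed to the DAO authentication provider.
    @Autowired
    lateinit var service: UserService

    /**
     * Will be resolved into: WebSecurityEntryPoint injected instance.
     */
    @Autowired
    lateinit var unauthorizedHandler: AuthenticationEntryPoint

    // Invoked by form login after a successful authentication.
    @Autowired
    lateinit var successHandler: WebSecurityAuthSuccessHandler

    /**
     * Registers the DAO authentication provider on the builder supplied by the adapter.
     *
     * The adapter calls this override itself, so it carries no `@Autowired`; with that
     * annotation Spring would additionally invoke it as an injection method.
     */
    override fun configure(auth: AuthenticationManagerBuilder) {
        auth.authenticationProvider(authenticationProvider())
    }

    /**
     * Declares the HTTP security rules: entry point, URL authorization, form login and logout.
     *
     * @param http builder supplied by the adapter; must not be null
     * @throws IllegalArgumentException if [http] is null
     */
    override fun configure(http: HttpSecurity?) {
        // Fail closed: a null-safe call chain would silently skip every rule below if http were null.
        val security = requireNotNull(http) { "HttpSecurity must not be null" }

        security
            // NOTE(review): CSRF protection is disabled while form login is enabled. If browsers
            // authenticate with a session cookie, state-changing requests are not covered by a
            // CSRF token. Keep this only if every client is a non-browser client - confirm.
            .csrf().disable()
            .exceptionHandling()
            .authenticationEntryPoint(unauthorizedHandler)
            .and()
            .authorizeRequests()
            // Access to Notes and Todos API calls is given to any authenticated system user.
            .antMatchers("/notes", "/notes/**", "/todos", "/todos/**").authenticated()
            // Access to User API calls is given only to Admin user.
            .antMatchers("/users", "/users/**").hasAnyAuthority("ADMIN")
            // NOTE(review): there is no anyRequest() fallback, so paths other than the ones above
            // are not covered by any rule here. Consider ending the list with an explicit
            // deny-by-default rule - confirm which endpoints are meant to be public.
            .and()
            .formLogin()
            .successHandler(successHandler)
            .failureHandler(SimpleUrlAuthenticationFailureHandler())
            .and()
            .logout()
    }

    /**
     * Builds the provider that loads users through [service] and verifies passwords with [encoder].
     */
    @Bean
    fun authenticationProvider(): DaoAuthenticationProvider {
        val authProvider = DaoAuthenticationProvider()
        authProvider.setUserDetailsService(service)
        authProvider.setPasswordEncoder(encoder())
        return authProvider
    }

    /** BCrypt password encoder with strength 11. */
    @Bean
    fun encoder(): PasswordEncoder = BCryptPasswordEncoder(11)

    /**
     * Unanimous decision manager over the web-expression, role and authenticated voters.
     *
     * NOTE(review): nothing in this class passes this bean to the HttpSecurity configuration,
     * so whether it takes part in authorization decisions is not visible here - confirm.
     */
    @Bean
    fun accessDecisionManager(): AccessDecisionManager {
        val decisionVoters = listOf(
            WebExpressionVoter(),
            RoleVoter(),
            AuthenticatedVoter(),
        )
        return UnanimousBased(decisionVoters)
    }

}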

I used the documentation in Spring.io
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
从那以后我就一直碰壁。他们的文档没有帮助,新的依赖项也不起作用。现在怎么能做到呢?
P. S:我经常得到这个错误:
Caused by: java.lang.ClassNotFoundException: org.springframework.security.core.context.DeferredSecurityContext
我到处都找不到


jucafojl1#

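好的......我用下面的方法解决了这个问题。首先,我必须添加 v6 的安全依赖项 implementation("org.springframework.security:spring-security-core:6.0.1")。上面的 ClassNotFoundException 看起来是因为类路径上的 spring-security-core 版本比其他 Spring Security 模块旧,所以各模块的版本应保持一致。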
我这样做了安全配置

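/**
 * Spring Security 6.0 configuration that exposes a [SecurityFilterChain] bean instead of
 * extending the removed adapter class.
 *
 * @param userService user lookup service handed to the DAO authentication provider
 * @param unauthorizedHandler entry point used for unauthenticated requests
 *        (will be resolved into: WebSecurityEntryPoint injected instance)
 * @param successHandler invoked by form login after a successful authentication
 */
@Configuration
@EnableWebSecurity
class SecurityConfiguration(
    private val userService: UserService,
    private val unauthorizedHandler: AuthenticationEntryPoint,
    private val successHandler: WebSecurityAuthSuccessHandler
) {

    /** BCrypt password encoder with strength 11. */
    @Bean
    fun myPasswordEncoder(): PasswordEncoder = BCryptPasswordEncoder(11)

    /**
     * Registers the DAO authentication provider on the given builder and returns the builder.
     *
     * This method is not a bean definition (`@Primary` has no effect without `@Bean`, so the
     * annotation is omitted) and nothing in this class calls it. It is kept for existing callers.
     * NOTE(review): authentication is presumably wired through the [authenticationProvider]
     * bean instead - confirm, then consider deleting this method.
     */
    fun configureAuthentication(auth: AuthenticationManagerBuilder): AuthenticationManagerBuilder {
        return auth.authenticationProvider(authenticationProvider())
    }

    /**
     * Builds the provider that loads users through [userService] and verifies passwords
     * with [myPasswordEncoder].
     */
    @Bean
    fun authenticationProvider(): DaoAuthenticationProvider {
        val authProvider = DaoAuthenticationProvider()
        authProvider.setUserDetailsService(userService)
        authProvider.setPasswordEncoder(myPasswordEncoder())
        return authProvider
    }

    /**
     * Unanimous decision manager over the web-expression, role and authenticated voters.
     *
     * NOTE(review): the filter chain below is configured through authorizeHttpRequests() and
     * never receives this bean, so it presumably plays no part in authorization - confirm.
     */
    @Bean
    fun accessDecisionManager(): AccessDecisionManager {
        val decisionVoter = listOf(
            WebExpressionVoter(),
            RoleVoter(),
            AuthenticatedVoter()
        )
        return UnanimousBased(decisionVoter)
    }

    /**
     * Builds the filter chain: entry point, URL authorization, form login and logout.
     *
     * @param httpSecurity builder injected by Spring Security
     * @return the built [SecurityFilterChain]
     */
    @Bean
    fun configureHttpSecurity(httpSecurity: HttpSecurity): SecurityFilterChain {
        httpSecurity
            // NOTE(review): CSRF protection is disabled while form login is enabled. If browsers
            // authenticate with a session cookie, state-changing requests are not covered by a
            // CSRF token. Keep this only if every client is a non-browser client - confirm.
            .csrf().disable()
            .exceptionHandling()
            .authenticationEntryPoint(unauthorizedHandler)
            .and()
            .authorizeHttpRequests()
            // Access to Notes and Todos API calls is given to any authenticated system user.
            .requestMatchers("/notes", "/notes/**", "/todos", "/todos/**").authenticated()
            // Access to User API calls is given only to Admin user.
            .requestMatchers("/users", "/users/**").hasAnyAuthority("ADMIN")
            // NOTE(review): there is no anyRequest() rule, so the outcome for any other path
            // depends on the framework default. State the intended default explicitly and
            // confirm which endpoints are meant to be public.
            .and()
            .formLogin()
            .successHandler(successHandler)
            .failureHandler(SimpleUrlAuthenticationFailureHandler())
            .and()
            .logout()
        return httpSecurity.build()
    }

}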
