Spring Security 将此字段值直接注入过滤器链，这是唯一使用它的方法

3z6pesqy 于 2023-06-06 发布在 Spring

关注(0)|答案(1)|浏览(183)

我正在更改代码，以便不使用已弃用的WebSecurityConfigurerAdapter。创造了一个属于自己的世界。当我运行应用程序时，它似乎工作正常。我必须在这里验证两件事。
1.有没有人认为这里需要更多的改变？
1.另一个问题是，当我做下面的更改时，它给了我两个字段的其他声纳问题- jwtAuthenticationEntryPoint和jwtRequestFilter。该问题指出“将该字段值直接注入过滤器链，这是使用该字段值的唯一方法”。我该怎么解决这个问题？

@Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class SecurityConfig {

 @Value("${SSL.ENABLE}")
 private boolean sslEnable;

 @Autowired
 private PasswordEncoder encoder;

 @Autowired
 private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;

 @Autowired
 private UserDetailsService jwtUserDetailsService;

 @Autowired
 private JwtRequestFilter jwtRequestFilter;

 @Autowired
 public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
     // configure AuthenticationManager so that it knows from where to load
     // user for matching credentials
     auth.userDetailsService(jwtUserDetailsService).passwordEncoder(encoder);
 }

 @Bean
 public AuthenticationManager authenticationManager(
         AuthenticationConfiguration authConfig) throws Exception {
     return authConfig.getAuthenticationManager();
 }

 @Bean
 public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {

     httpSecurity.csrf().disable()
             .authorizeRequests()
             .antMatchers("/authenticate").permitAll()
             .antMatchers("/user/updatePassword").permitAll()
            .anyRequest().authenticated()
             .and()                        .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
             .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

     if (sslEnable) {
         httpSecurity.requiresChannel().anyRequest().requiresSecure();
     }

     httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
     return httpSecurity.build();
 }

}
我还在一些教程中读到他们也创建了一个DaoAuthenticationProvider的Bean。是否真的需要下面这样的东西？

@Bean
public DaoAuthenticationProvider authenticationProvider() {
    DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
    authProvider.setUserDetailsService(jwtUserDetailsService);
    authProvider.setPasswordEncoder(encoder);
    return authProvider;
}

spring-security

来源：https://stackoverflow.com/questions/73442352/inject-this-field-value-directly-into-filter-chain-the-only-method-that-uses-it

1条答案

按热度按时间

lsmepo6l1#

下面的代码可以通过从Spring的applicationContext加载bean来替换，这不会在SonarQube中抛出这个问题。

@Autowired
 private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;

 @Autowired
 private JwtRequestFilter jwtRequestFilter;

您可以注入applicationContext并加载类，并在可以使用jwtRequestFilter和jwtAuthenticationEntryPoint的地方直接使用该方法。

@Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class SecurityConfig {
 
 
 @Autowired private ApplicationContext applicationContext;
    
    
    private JwtAuthenticationEntryPoint getAuthEntryPoint() {
        return applicationContext.getBean(JwtAuthenticationEntryPoint.class);
    }
    
    
    private JwtRequestFilter getRequestFilter() {
        return applicationContext.getBean(JwtRequestFilter);
    }
 
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
       httpSecurity.csrf().disable()
             .authorizeRequests()
             .antMatchers("/authenticate").permitAll()
             .antMatchers("/user/updatePassword").permitAll()
            .anyRequest().authenticated()
             .and()                        .exceptionHandling().authenticationEntryPoint(getAuthEntryPoint()).and().sessionManagement()
             .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

       if (sslEnable) {
         httpSecurity.requiresChannel().anyRequest().requiresSecure();
       }
 
      httpSecurity.addFilterBefore(getRequestFilter(), UsernamePasswordAuthenticationFilter.class);
      ..
      ..
     }
 }

赞(0）回复(0）举报 2023-06-06

我来回答

Spring Security 将此字段值直接注入过滤器链，这是唯一使用它的方法

1条答案

相关问题

热门标签

最新问答