我正在使用Spring Security编写具有基本身份验证和授权的Spring Boot项目。我有一个扩展WebSecurityConfigurerAdapter的配置类(我想稍后去掉它,因为它已被弃用)。所以,我的配置类看起来像这样:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("spring_user")
.password("password123")
.roles("ADMIN");
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
.httpBasic(Customizer.withDefaults());
return http.build();
}
@Bean
public static PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
pom.xml文件:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.0.1</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.codelib</groupId>
<artifactId>basic-auth-security</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>basic-auth-security</name>
<description>basic-auth-security</description>
<properties>
<java.version>17</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.7.3</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
注意我有spring-boot-starter-web依赖。
项目的其余部分没有什么有趣的。当我尝试运行应用程序时,显示以下消息:
java: cannot access javax.servlet.Filter
class file for javax.servlet.Filter not found
IDEA将我重定向到配置文件。(但没有一行代码用红色下划线)
这可能是什么原因?
所以,解决方案很简单。如果你要迁移到Spring 6,你应该放弃使用WebSecurityConfigurerAdapter类,而不是在没有它的情况下配置你的安全。
我已经写了一个新的配置(它做相同的操作以及在问题中提供的配置),现在它看起来像这样:
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.httpBasic(Customizer.withDefaults())
.formLogin(Customizer.withDefaults());
return http.build();
}
@Bean
public UserDetailsService userDetailsService() {
PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
UserDetails user = User
.withUsername("spring_user")
.password(encoder.encode("password123"))
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}
这是Spring Security 6提供基本身份验证、默认密码编码器(建议使用)和内存用户所需的最小配置。