我试图将spring安全性更新到5.7.3,因为WebSecurityConfigurerAdapter已被弃用,所以我已经根据它更改了代码,但它仍然不起作用。请注意,我使用的是active directory身份验证(ActiveDirectoryLdapAuthenticationProvider(。
@Slf4j
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ComponentScan
public class WebSecurityConfigAD implements WebMvcConfigurer
{
@Autowired
private ApplicationContext applicationContext;
@Autowired
private UserRepository repo;
@Value( "${ad.domain}" )
private String AD_DOMAIN;
@Value( "${ad.url}" )
private String AD_URL;
@Value( "${ad.searchfilter}")
private String SEARCH_FILTER;
@Autowired
private ConfigPDF configPdf;
@Autowired(required=true)
private MyUserDetailService userDetailsService;
@Bean
public SecurityFilterChain filterChain( HttpSecurity http ) throws Exception
{
AuthenticationManagerBuilder authManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
http.authorizeRequests().antMatchers( "/resources/**" ).permitAll().antMatchers( "/css/**" ).permitAll().antMatchers( "/img/**" ).permitAll().antMatchers( "/images/**" ).permitAll().anyRequest().authenticated().and().formLogin().loginPage( "/login.html" ).loginProcessingUrl( "/login" )
.permitAll().successHandler( formLoginSuccessHandler() );//.failureHandler( ( request, response, exception ) -> response.sendError( HttpServletResponse.SC_UNAUTHORIZED, "UNAUTHORIZED" ) );
http.logout().logoutRequestMatcher( new AntPathRequestMatcher( "/logout", "GET" ) ).logoutSuccessUrl( "/" ).deleteCookies( "JSESSIONID", "user", "login" ).invalidateHttpSession( true ).clearAuthentication( true );
http.headers().frameOptions().sameOrigin();
http.rememberMe().key( "uniqueAndSecret" );
http.sessionManagement().invalidSessionUrl( "/login.html" );
http.csrf().disable();
http.authenticationManager( authenticationManager(authManagerBuilder));
return http.build();
}
这是AuthenticationManager和AuthenticationProvider
@Bean
public AuthenticationManager authenticationManager( AuthenticationManagerBuilder authManagerBuilder ) throws Exception
{
log.info( "DO some Authentication Manger things" );
return (AuthenticationManager)authManagerBuilder.authenticationProvider(activeDirectoryLdapAuthenticationProvider()).userDetailsService( userDetailsService).and.build();
}
@Bean
public AuthenticationProvider activeDirectoryLdapAuthenticationProvider()
{
log.info( "Authenticate: "+AD_DOMAIN+", "+AD_URL );
//log.info( "Search_Filter: "+SEARCH_FILTER );
ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider( AD_DOMAIN, AD_URL );
provider.setConvertSubErrorCodesToExceptions( true );
provider.setUseAuthenticationRequestCredentials( true );
provider.setSearchFilter( SEARCH_FILTER );
return provider;
}
我得到以下错误:
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.security.core.userdetails.UserDetailsService' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}
at app//org.springframework.beans.factory.support.DefaultListableBeanFactory.raiseNoMatchingBeanFound(DefaultListableBeanFactory.java:1799)
at app//org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1355)
at app//org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1309)
at app//org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.resolveFieldValue(AutowiredAnnotationBeanPostProcessor.java:656)
... 104 more
自定义MyUserDetailService类
@Service
@Transactional
public class MyUserDetailService implements UserDetailsService
{
@Override
public UserDetails loadUserByUsername( String username ) throws UsernameNotFoundException
{
return null;
}
}
有关如何从WebSecurityConfigurerAdapter迁移的信息,请参阅博客文章Spring Security without the WebSecurityConfigurerAdapter。你似乎没有遵循那里的建议,所以这将是一个很好的起点。
具体看一下关于配置LDAP的部分,该部分详细介绍了如何发布AuthenticationManager@Bean,而不是像您的示例中那样使用http.getSharedObject(AuthenticationManagerBuilder.class)。按照示例说明的方式构建身份验证管理器并不是预期用途,因此很可能是您面临问题的原因。
如果这篇博客文章不能帮助你澄清收到的错误,请随时用你的最新配置更新这个问题,并对这个答案发表评论,我可以再看一次。
更新
另请参见#11926。