Spring Security 5.1.5.RELEASE to Spring Security 5.4.6 breaks the security configuration



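Summary: I updated a Spring Boot project from version 2.1.5 to version 2.4.5. This automatically updated all Spring Security dependencies from spring-security 5.1.5.RELEASE to spring-security 5.4.6, which breaks the security configuration.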

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: Can't configure anyRequest after itself
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.3.6.jar:5.3.6]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-5.3.6.jar:5.3.6]
	... 28 more
Caused by: java.lang.IllegalStateException: Can't configure anyRequest after itself
	at org.springframework.util.Assert.state(Assert.java:76) ~[spring-core-5.3.6.jar:5.3.6]
	at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.anyRequest(AbstractRequestMatcherRegistry.java:72) ~[spring-security-config-5.4.6.jar:5.4.6]
	at com.verizon.wfm.nt.config.SecurityConfig.configure(SecurityConfig.java:14) ~[default/:?]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.getHttp(WebSecurityConfigurerAdapter.java:217) ~[spring-security-config-5.4.6.jar:5.4.6]

Security configuration code that was working:

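import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Apply the adapter's default configuration first
        super.configure(httpSecurity);
        // Then permit every request
        httpSecurity.authorizeRequests().anyRequest().permitAll();
        httpSecurity.csrf().disable();
        httpSecurity.headers().frameOptions().disable();
    }
}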

Calling super.configure(httpSecurity) does the following:

http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.formLogin();
http.httpBasic();

After that, you configure the requests with anyRequest again. This is not allowed in the latest versions of Spring Security.

I suggest that you do not call super.configure(httpSecurity), and instead disable the defaults and configure it as follows:

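import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // No super.configure(httpSecurity) call: turn off the defaults explicitly
        httpSecurity.formLogin().disable();
        httpSecurity.httpBasic().disable();
        // anyRequest() is configured exactly once
        httpSecurity.authorizeRequests((requests) ->
            requests.anyRequest().permitAll()
        );
        httpSecurity.csrf().disable();
        httpSecurity.headers().frameOptions().disable();
    }
}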
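
A stricter variant of the configuration above, added here as an example and not part of the original question or answer: it follows the same rule (no super.configure call, anyRequest configured once and last) but requires authentication instead of permitting everything. The class name `StrictSecurityConfig` and the path `/public/**` are hypothetical; it is meant as a replacement for `SecurityConfig`, not a second configuration alongside it.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example; the class name and "/public/**" are hypothetical.
@EnableWebSecurity
@Configuration
public class StrictSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // No super.configure(http): the adapter's default already calls
        // anyRequest().authenticated(), and a second anyRequest() fails at
        // startup with "Can't configure anyRequest after itself".

        http.authorizeRequests(requests -> requests
                // Specific matchers come first; declaring antMatchers after
                // anyRequest() is rejected by the same registry check.
                .antMatchers("/public/**").permitAll()
                // anyRequest() appears exactly once, as the last rule.
                .anyRequest().authenticated());

        // The two login mechanisms that super.configure(http) would have
        // enabled; keep only the ones the application actually uses.
        http.formLogin(Customizer.withDefaults());
        http.httpBasic(Customizer.withDefaults());

        // CSRF protection is left at its default (enabled).

        // Allow framing only by pages from the same origin instead of
        // removing the X-Frame-Options header altogether.
        http.headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
    }
}
```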
