How do I migrate code from Spring Security to Reactive Spring Security?

Question   Votes: 0   Answers: 1

I am trying to migrate a classic Spring Boot application to a reactive Spring Boot application, but I am running into problems with this task.

How do I migrate the code below

package com.example;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/api").anonymous()
                .antMatchers("/api/**").authenticated().and()
                .httpBasic();
        http
                .authorizeRequests()
                .antMatchers("/login").anonymous()
                .antMatchers("/", "/error", "/**/favicon.ico", "/css/**", "/fonts/**", "/js/**", "/images/avatar.png", "/images/logo.png", "/profile", "/profile/find", "/profile/view/**", "/api/register").permitAll()
                .anyRequest().authenticated().and()
                .formLogin().loginPage("/login").loginProcessingUrl("/profile/login").failureUrl("/login?error").usernameParameter("usr").passwordParameter("pass").and()
                .logout().logoutUrl("/logout").invalidateHttpSession(true).deleteCookies("jsessionid","nebp").logoutSuccessUrl("/login?logout").and()
                .rememberMe().key("nebpps").tokenValiditySeconds(2419200).rememberMeParameter("remember_me").rememberMeCookieName("nebp").useSecureCookie(true).and()
                .csrf().ignoringAntMatchers("/api/**").and()
                .exceptionHandling().accessDeniedPage("/403");//.and()
                //.requiresChannel().anyRequest().requiresSecure();
    }

    @Bean(name = "passwordEncoder")
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}

so that it looks like the following?

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
        return http
            .csrf().disable()
            .authorizeExchange()
                .pathMatchers("/login", "/logout").permitAll()
                .pathMatchers("/i18n/**",
                    "/css/**",
                    "/fonts/**",
                    "/icons-reference/**",
                    "/img/**",
                    "/js/**",
                    "/vendor/**").permitAll()
            .anyExchange()
                .authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .and()
            .logout()
                .logoutUrl("/logout")
                .and()
            .build();
    }


    // in case you want to encrypt passwords
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}

I accept that some elements cannot be defined as before, for example usernameParameter.

First, how do I restrict a given path (/logout) to anonymous users only?

Second, how do I enable CSRF but exclude addresses starting with /api?

spring-boot spring-security
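As an added example (not code from the question or from the answer below), here is a WebFlux version of the asker's chain that covers both questions: `/login` restricted to callers who are not yet authenticated, and CSRF kept on everywhere except under `/api/**`. The paths come from the question; the anonymous check via `access(...)` and the AND with `CsrfWebFilter.DEFAULT_CSRF_MATCHER` are my construction, and the same anonymous rule can be attached to `/logout` or any other path.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
        // CSRF stays enabled for state-changing methods (what DEFAULT_CSRF_MATCHER
        // selects) on every path except /api/**. AND-ing with the default matcher
        // matters: a bare negated path matcher would demand tokens on GET as well.
        ServerWebExchangeMatcher csrfMatcher = new AndServerWebExchangeMatcher(
                CsrfWebFilter.DEFAULT_CSRF_MATCHER,
                new NegatedServerWebExchangeMatcher(
                        ServerWebExchangeMatchers.pathMatchers("/api/**")));

        return http
            .csrf(csrf -> csrf.requireCsrfProtectionMatcher(csrfMatcher))
            .authorizeExchange(exchanges -> exchanges
                // WebFlux has no .anonymous() rule: allow /login only when no
                // Authentication is present yet, or it is the anonymous token.
                .pathMatchers("/login").access((authentication, context) -> authentication
                        .map(a -> a instanceof AnonymousAuthenticationToken || !a.isAuthenticated())
                        .defaultIfEmpty(true)
                        .map(AuthorizationDecision::new))
                .pathMatchers("/", "/error", "/css/**", "/fonts/**", "/js/**",
                        "/api/register").permitAll()
                .pathMatchers("/api/**").authenticated()
                .anyExchange().authenticated())
            .httpBasic(Customizer.withDefaults())          // basic auth for /api/** clients
            .formLogin(form -> form.loginPage("/login"))   // failures redirect to /login?error
            .logout(logout -> logout.logoutUrl("/logout")) // success redirects to /login?logout
            .build();
    }
}
```

Note that `/api/register` is listed before `/api/**` because the first matching rule wins; clients that call `/api/**` without a CSRF token are then only accepted because that prefix is deliberately excluded, so keep the excluded prefix as narrow as the API actually needs.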
1 answer

0 votes
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    // create a SecurityFilterChain bean here
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        http.authorizeHttpRequests(authorizeRequests -> authorizeRequests
                .requestMatchers(new AntPathRequestMatcher("/health")).permitAll() // access rule added so the mapping is complete
                .anyRequest().authenticated())
            .sessionManagement(session -> { /* session management here */ })
            .headers(headers -> { /* headers here */ });

        return http.build();
    }
}

In addition to the above, you can also include an additional filter class that extends OncePerRequestFilter to set/validate custom token validation.
