java - Spring security 5/spring boot 2.2: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
问题描述
我们正在将我们的应用程序从 spring boot 1.5.x 升级到 2.2.x,将 spring security 4.x 升级到 5.3.2。我们为我们的网络安全定义了以下内容:
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Profile("uno")
public class UnoSecurityConfig extends AbstractSecurityConfig {
@Autowired
private ServletContext servletContext;
@Override
protected void configure(HttpSecurity http) throws Exception {
BasicAuthFilter basicAuthFilter = new BasicAuthFilter();
basicAuthFilter.init(new BasicAuthSSOFilterConfig(servletContext));
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/ping").permitAll()
.antMatchers(HttpMethod.POST, "/ping").permitAll()
.antMatchers("/**").hasAuthority(OurPrivileges.ALL_MEASURE)
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()//allow CORS option calls
.and()
.addFilter(securityContextPersistenceFilter())
.addFilterAfter(new RequestContextFilter(), SecurityContextPersistenceFilter.class)
.addFilterAfter(new CrossFramePreventionFilter(), RequestContextFilter.class)
.addFilterAfter(basicAuthFilter, CrossFramePreventionFilter.class)
.addFilterAfter(preAuthenticationFilter(), BasicAuthFilter.class)
.addFilterAfter(exceptionTranslationFilter(), PreAuthenticatedUserDetailsFilter.class);
http.headers().contentSecurityPolicy(SecurityUtility.getContentSecurityPolicy());
}
当我尝试访问 /ping 端点时,它应该让我进入,但我却弹出了身份验证框,然后被拒绝了。我在日志中看到了这一点:
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-
2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator/health/**']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-
2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator/health/**'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator/info/**']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator/info/**'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator/']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator/'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -No matches found
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Request '/ping' matched by universal pattern '/**'
其他需要身份验证的端点不允许我进入并给出 401/403 错误,抛出异常是帖子的标题。很明显,spring 没有使用我们的自定义逻辑。我们的代码都没有改变,只是依赖关系。我该如何超越这一点?
解决方案
配置覆盖创建一个新的过滤器链,它优先于默认的 springSecurityFilterChain ,因此接受所有请求并拒绝一切。我将@Order(1) 添加到解决了问题的安全配置类中。
推荐阅读
- c# - 调用 get 操作时未设置 ViewBag 属性
- php - 如何仅从我的 public/-Nginx 的特定文件夹中索引文件?
- datatables - 使用编辑器数据表保存之前更改字段值
- c++ - 无法通过单词/或 12 个字符打印字符串
- javascript - 您可以在网格列内的下拉列表中将字符转换为大写吗?
- python - 在 FreeBSD 上使用旧 python 版本 (2.7.3) 的 SSL
- python - 发布我的博客ni的内容后,它们以html格式显示,而不是纯文本
- php - 用静态消息替换面包屑
- loops - 如何找出每个进程(或数据)使用数组遍历的次数
- mysql - MYSQL Workbench - 触发器不检查我的插入