java - 为预生产环境 Spring Boot 禁用 WebSecurity
问题描述
我正在尝试将身份验证用于我们在生产中的招摇。这很好,当我尝试访问 swagger 时,它需要密码和用户名。我只希望这个功能用于生产环境。不确定如何为不同的配置文件/环境禁用它。我尝试使用基于 .yml 属性的 if-else ,但这会导致其他问题。POST 和 UPDATE 方法开始返回 403 Forbidden。这是示例代码:
@Configuration
@EnableWebSecurity
@Profile("!test")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityConfig.class);
@Value("${server.environment}")
private String environment;
@Value("${swagger.user}")
private String swaggerUser;
@Value("${swagger.password}")
private String swaggerPass;
@Override
protected void configure(HttpSecurity http) throws Exception {
if("stage".equals(environment) || "prod".equals(environment)){
LOGGER.info("Environment: " + environment + " swagger authentication is on");
http.csrf().disable()
.authorizeRequests()
.antMatchers("/v2/api-docs").authenticated()
.and()
.httpBasic();
} else {
http.csrf().disable();
LOGGER.info("Environment: " + environment + " swagger authentication is off");
}
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser(swaggerUser).password("{noop}" + swaggerPass).roles("USER");
}
我试图禁用整个 WebSecurityConfig bean,但这没有奏效,因为存在依赖项,现在每次它都要求登录。
试过这个,没用:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/**").permitAll();
}
解决方案
推荐的方法是为生产和预发布环境创建另一个类,而不是使用 if-else。您可能需要允许其他端点使用permitAll()
或需要添加基于权限的方法,例如hasRole()
. 还要确保您在控制器上没有任何安全注释,例如@PreAuthorized, @Secured
等。
推荐方法:
prod 或 staging 环境的安全配置
@Configuration
@EnableWebSecurity
@Profile("prod")
public class WebSecurityProductionConfig extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityProductionConfig.class);
@Value("${server.environment}")
private String environment;
@Value("${swagger.user}")
private String swaggerUser;
@Value("${swagger.password}")
private String swaggerPass;
@Override
protected void configure(HttpSecurity http) throws Exception {
LOGGER.info("Environment: " + environment + " swagger authentication is on");
http.csrf().disable()
.authorizeRequests()
.antMatchers("/v2/api-docs").authenticated()
.antMatchers("**/**").permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser(swaggerUser).password("{noop}" + swaggerPass).roles("USER");
}
}
dev 和其他环境的安全配置
@Configuration
@EnableWebSecurity
@Profile("!prod")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityConfig.class);
@Override
protected void configure(HttpSecurity http) throws Exception {
LOGGER.info("Security configuration for the non prod env is loaded");
http
.csrf().disable()
.authorizeRequests().antMatchers("**/**").permitAll();
}
}
If-Else 方法
@Configuration
@EnableWebSecurity
@Profile("!test")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityConfig.class);
@Value("${server.environment}")
private String environment;
@Value("${swagger.user}")
private String swaggerUser;
@Value("${swagger.password}")
private String swaggerPass;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
if ("stage".equals(environment) || "prod".equals(environment)) {
LOGGER.info("Environment: " + environment + " swagger authentication is on");
http
.authorizeRequests()
.antMatchers("/v2/api-docs").authenticated();
} else {
http.authorizeRequests().antMatchers("**/**").permitAll();
LOGGER.info("Environment: " + environment + " swagger authentication is off");
}
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser(swaggerUser).password("{noop}" + swaggerPass).roles("USER");
}
}
推荐阅读
- javascript - 从 php 中动态创建的文本框获取文本框值
- php - 致命错误:未找到接口“Psr\Container\ContainerInterface”
- c - 为什么在打印字符串时会出现分段错误(核心转储)?
- wordpress - Wordpress meta_query 不返回结果
- json - Instagram 个人资料图片访问被拒绝
- regex - 可以使用 PowerShell -match 运算符来测试版本字符串吗?
- javascript - Ext-react 破坏了 React Router和
成分 - express - 如何将图像从 React Native 上传到 Express 服务器?
- c - 使用 GCC 结构位打包的字节顺序
- python - 如何从 JSON 字典设置 python 变量