时间戳

首页 > 解决方案 > 为预生产环境 Spring Boot 禁用 WebSecurity

java - 为预生产环境 Spring Boot 禁用 WebSecurity

问题描述

我正在尝试将身份验证用于我们在生产中的招摇。这很好,当我尝试访问 swagger 时,它需要密码和用户名。我只希望这个功能用于生产环境。不确定如何为不同的配置文件/环境禁用它。我尝试使用基于 .yml 属性的 if-else ,但这会导致其他问题。POST 和 UPDATE 方法开始返回 403 Forbidden。这是示例代码:

   @Configuration
@EnableWebSecurity
@Profile("!test")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityConfig.class);

    @Value("${server.environment}")
    private String environment;

    @Value("${swagger.user}")
    private String swaggerUser;

    @Value("${swagger.password}")
    private String swaggerPass;




    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if("stage".equals(environment) || "prod".equals(environment)){
            LOGGER.info("Environment: " + environment + " swagger authentication is on");
            http.csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/v2/api-docs").authenticated()
                    .and()
                    .httpBasic();
        } else {
            http.csrf().disable();
            LOGGER.info("Environment: " + environment + " swagger authentication is off");
        }

    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser(swaggerUser).password("{noop}" + swaggerPass).roles("USER");
    }

我试图禁用整个 WebSecurityConfig bean,但这没有奏效,因为存在依赖项,现在每次它都要求登录。

试过这个,没用:

@Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/**").permitAll();
        }

标签: javaspringspring-bootrestspring-security

解决方案

推荐的方法是为生产和预发布环境创建另一个类,而不是使用 if-else。您可能需要允许其他端点使用permitAll()或需要添加基于权限的方法,例如hasRole(). 还要确保您在控制器上没有任何安全注释,例如@PreAuthorized, @Secured等。

推荐方法:

prod 或 staging 环境的安全配置

@Configuration
@EnableWebSecurity
@Profile("prod")
public class WebSecurityProductionConfig extends WebSecurityConfigurerAdapter {

    private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityProductionConfig.class);

    @Value("${server.environment}")
    private String environment;

    @Value("${swagger.user}")
    private String swaggerUser;

    @Value("${swagger.password}")
    private String swaggerPass;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        LOGGER.info("Environment: " + environment + " swagger authentication is on");

        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/v2/api-docs").authenticated()
            .antMatchers("**/**").permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser(swaggerUser).password("{noop}" + swaggerPass).roles("USER");
    }
}

dev 和其他环境的安全配置

@Configuration
@EnableWebSecurity
@Profile("!prod")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityConfig.class);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
    LOGGER.info("Security configuration for the non prod env is loaded");
        http
            .csrf().disable()
            .authorizeRequests().antMatchers("**/**").permitAll();
    }

}

If-Else 方法

@Configuration
@EnableWebSecurity
@Profile("!test")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
    private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityConfig.class);

    @Value("${server.environment}")
    private String environment;

    @Value("${swagger.user}")
    private String swaggerUser;

    @Value("${swagger.password}")
    private String swaggerPass;


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        
        if ("stage".equals(environment) || "prod".equals(environment)) {
            LOGGER.info("Environment: " + environment + " swagger authentication is on");
            http
                .authorizeRequests()
                .antMatchers("/v2/api-docs").authenticated();
        } else {
            http.authorizeRequests().antMatchers("**/**").permitAll();
            LOGGER.info("Environment: " + environment + " swagger authentication is off");
        }
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser(swaggerUser).password("{noop}" + swaggerPass).roles("USER");
    }
}

推荐阅读