How to override Spring Security default configuration in Spring Boot

灰色年华 2021-01-13 03:00

I have a little problem with Spring Boot. I really like Spring Boot; it's a very convenient tool, which allows me to focus on logic implementation instead of beans configurati

3 answers
  • 2021-01-13 03:22

    It seems that Spring Boot loads my custom Spring Security config, but it doesn't use it.

    You did not configure your AuthenticationManager correctly. You should use @Autowired:

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
    

    You can read more in the Spring Security documentation here. Also, make sure that your configuration is going to be picked up by Spring Boot. You can read more about the standard project structure in Spring Boot here and its security integration here.

    Update based on the stacktrace:

    Caused by: java.lang.IllegalArgumentException: ROLE_USER cannot start with ROLE_

    You should drop the ROLE_ prefix in roles("ROLE_USER"); just use roles("USER").

  • 2021-01-13 03:26

    OK, I found the solution for the security configure settings (not AuthenticationManager).

    First of all, according to the Spring Boot doc, we have to add the @EnableWebSecurity annotation.

    Second of all, we have to override the configure method WITH the @Override annotation AND super.configure(http) at the end of the method.

    So the working configuration code looks like this:

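    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Profile;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity //Very important!
    @EnableGlobalMethodSecurity(securedEnabled = true)
    @Profile("dev")
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override //Very important!
        protected void configure(HttpSecurity http) throws Exception {
            // Rules are evaluated in declaration order; the first matching pattern decides.
            http.authorizeRequests()
                .antMatchers("/app/user/*").hasAnyRole("USER", "ADMIN")
                .antMatchers("/app/posts/*").hasAnyRole("USER", "ADMIN")
                .antMatchers("/app/*").permitAll()
            .and()
            // Custom login form served at /app/, credentials posted to /login
            .formLogin()
                .loginPage("/app/")
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .defaultSuccessUrl("/app/", true)
            .and()
            .logout()
                .logoutUrl("/app/logout")
            .and()
            // CSRF protection stays enabled (it is on by default)
            .csrf()
            .and()
            .exceptionHandling()
                .accessDeniedPage("/app/forbidden");
            super.configure(http); //Very important!
        }
    }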
    

    Now my configuration is loading and works properly.

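
The matchers in the configuration above end in a single `*`, which covers one path segment only, so deeper URLs are decided by whatever catch-all is in place. As an added example (not the answer author's code; the class name and request paths are constructed, and spring-core is assumed on the classpath), this replays the three rules in declaration order against sample paths, once as posted and once with `**`:

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added example (not the answer author's code). Needs spring-core on the classpath.
// The class name and the sample request paths are constructed for illustration.
public class MatcherCoverageCheck {

    // AntPathMatcher implements the Ant pattern syntax used by antMatchers():
    // "*" matches within a single path segment, "**" spans any number of segments.
    private static final AntPathMatcher ANT = new AntPathMatcher();

    // Builds the three rules from the answer, in declaration order, with the given wildcard.
    static Map<String, String> rules(String wildcard) {
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("/app/user/" + wildcard, "hasAnyRole(USER, ADMIN)");
        rules.put("/app/posts/" + wildcard, "hasAnyRole(USER, ADMIN)");
        rules.put("/app/" + wildcard, "permitAll");
        return rules;
    }

    // First matching pattern wins, mirroring how authorizeRequests() evaluates its rules in order.
    static String decide(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (ANT.match(rule.getKey(), path)) {
                return rule.getKey() + " => " + rule.getValue();
            }
        }
        return "no pattern matched => left to the anyRequest() catch-all, if one is configured";
    }

    public static void main(String[] args) {
        String[] paths = {"/app/login", "/app/user/42", "/app/user/42/edit", "/app/posts/7/comments"};
        for (String wildcard : new String[] {"*", "**"}) {
            System.out.println("Rules written with \"" + wildcard + "\":");
            Map<String, String> rules = rules(wildcard);
            for (String path : paths) {
                System.out.println("  " + path + " : " + decide(rules, path));
            }
        }
    }
}
```
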
  • 2021-01-13 03:27

    Did you remove this code?

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
    