问题
I am trying to secure a web application using Spring Security java configuration.
This is how the configuration looks:-
@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private String googleClientSecret;
@Autowired
private CustomUserService customUserService;
/*
* (non-Javadoc)
*
* @see org.springframework.security.config.annotation.web.configuration.
* WebSecurityConfigurerAdapter
* #configure(org.springframework.security.config
* .annotation.web.builders.HttpSecurity)
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/","/static/**", "/resources/**","/resources/public/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic().disable()
.requiresChannel().anyRequest().requiresSecure();
// @formatter:on
super.configure(http);
}
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
// @formatter:off
auth
.eraseCredentials(true)
.userDetailsService(customUserService);
// @formatter:on
super.configure(auth);
}
}
Notice that I have explicitly disabled HTTP Basic authentication using:-
.httpBasic().disable()
I am still getting HTTP Authenticaton prompt box while accessing a secured url. Why?
Please help me fix this. I just want to render the default login form that comes bundled.
Spring Boot Starter Version : 1.1.5 Spring Security Version : 3.2.5
Thanks
回答1:
First of all, calling super.configure(http); will override whole your configuration you have before that.
Try this instead:
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic().disable();
回答2:
In case you use Spring Boot, the documentation states:
To switch off the Boot default configuration completely in a web application you can add a bean with @EnableWebSecurity
So if you want to fully customize itself that might be an option.
Just to make it clear... You just need to put @EnableWebSecurity annotation on your main application class or application configuration class.
回答3:
You can disable the formLogin through the HttpSecurity instance as follow:
http.authorizeRequests().antMatchers("/public/**").permitAll()
.antMatchers("/api/**").hasRole("USER")
.anyRequest().authenticated()
.and().formLogin().disable();
This will lead receiving 403 Http error when trying to access any secured resource
回答4:
Anonymous option worked for me. My code like
http.csrf().disable().headers().frameOptions().sameOrigin().and().
authorizeRequests().anyRequest().anonymous().and().httpBasic().disable();
回答5:
The following worked for me:
http
.authorizeRequests()
.anyRequest().permitAll();
来源:https://stackoverflow.com/questions/25639188/disable-basic-authentication-while-using-spring-security-java-configuration