如何在开发时禁用 Spring 安全性? [复制]
Posted
技术标签:
【中文标题】如何在开发时禁用 Spring 安全性? [复制]【英文标题】:How do i disable Spring security while developing? [duplicate] 【发布时间】:2020-12-06 23:15:26 【问题描述】:我正在使用 Spring Boot 开发服务器。我有所有的弹簧安全设置,但为了测试,我想停用它,以便更容易测试。 我只是继续在课堂上评论了@Configuration 注释,最终所有 3 个我都使用我为 Spring 安全性构建的注释。
//@Configuration
//@EnableWebSecurity
//@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter
@Autowired
private UserService service;
@Autowired
private LogRepository logs;
@Override
protected void configure(HttpSecurity http) throws Exception
http.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/rest/user/register").permitAll()
.antMatchers(HttpMethod.PUT, "/rest/user/login").permitAll()
.antMatchers(HttpMethod.DELETE, "/rest/user/logout").permitAll()
.antMatchers("/rest/").authenticated()
.anyRequest().permitAll().and()
.addFilterBefore(new LoginFilter("/rest/user/login", super.authenticationManagerBean(), service, logs), BasicAuthenticationFilter.class)
.addFilterBefore(new RegisterFilter("/rest/user/register", super.authenticationManagerBean(), service), BasicAuthenticationFilter.class)
.addFilterBefore(new LogoutFilter("/rest/user/logout", logs), BasicAuthenticationFilter.class)
.addFilterBefore(new ValidationFilter(service), BasicAuthenticationFilter.class);
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception
auth.userDetailsService(service).passwordEncoder(new SHA512PasswordEncoder());
class SHA512PasswordEncoder implements PasswordEncoder
@Override
public String encode(CharSequence rawPassword)
return DigestUtils.sha512Hex(rawPassword.toString());
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword)
return DigestUtils.sha512Hex(rawPassword.toString()).equals(encodedPassword);
然而,由于某种原因,当我这样做时,它会显示在 spring 控制台中:
==========================
CONDITION EVALUATION DELTA
==========================
Positive matches:
-----------------
ManagementWebSecurityAutoConfiguration matched:
- @ConditionalOnClass found required class 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter' (OnClassCondition)
- found 'session' scope (OnWebApplicationCondition)
- @ConditionalOnMissingBean (types: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; SearchStrategy: all) did not find any beans (OnBeanCondition)
有没有一种方法可以让我“关闭”spring security 进行测试,然后为实时版本重新激活它?
【问题讨论】:
【参考方案1】:有很多方法可以做到这一点,以下是少数:
在你的测试类中使用注解@AutoConfigureMockMvc(addFilters = false)。示例:
@EnableWebMvc
@AutoConfigureMockMvc(addFilters = false)
public class DummyControllerTest
//your tests
在您的配置中使用配置文件,即:
i) 将注解@Profile(value = "development", "production") 添加到WebSecurityConfigurerAdapter 的实现中,然后在test/resources 中,创建application-test.yml 以定义测试配置文件的属性并添加此
security:basic:enabled: false
ii) 将此添加到您的测试文件@ActiveProfiles(value = "test")
【讨论】:
以上是关于如何在开发时禁用 Spring 安全性? [复制]的主要内容,如果未能解决你的问题,请参考以下文章
尽管存在弹簧安全依赖性,如何禁用弹簧安全登录页面? [复制]
如何在 Spring Web App 中临时禁用 Spring Security
如何在Spring启动应用程序中进行REST调用而不在Spring安全性中禁用CSRF保护?
我应该在 Spring 后端禁用 CORS 吗?未经授权的请求被阻止