Spring security 5 迁移指南
Posted
技术标签:
【中文标题】Spring security 5 迁移指南【英文标题】:Migration guide for Spring security 5 【发布时间】:2020-11-10 16:00:52 【问题描述】:我有多模块 maven 项目 Spring boot 2.3.1.RELEASE,我在 OAuth 2.0 上使用 spring security。我的模块之一包含安全配置:
授权服务器配置
@Configuration
@EnableAuthorizationServer //deprecated
public class AuthorizationServerOAuth2Config extends AuthorizationServerConfigurerAdapter //deprecated
private static final String SINGING_KEY = "";
private static final String CLIENT_ID = "";
private static final String CLIENT_SECRET = "";
private static final String[] AUTHORIZED_GRANT_TYPES = "password", "refresh_token";
private static final String[] SCOPES = "read", "write";
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Autowired
private PasswordEncoder passwordEncoder;
@Override
public void configure(AuthorizationServerSecurityConfigurer security) //deprecated
security
.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception //deprecated
clients.inMemory()
.withClient(CLIENT_ID)
.secret(passwordEncoder.encode(CLIENT_SECRET))
.authorizedGrantTypes(AUTHORIZED_GRANT_TYPES)
.scopes(SCOPES)
.accessTokenValiditySeconds(1800)
.refreshTokenValiditySeconds(9600);
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) //deprecated
endpoints
.tokenStore(tokenStore())
.authenticationManager(authenticationManager)
.accessTokenConverter(accessTokenConverter());
@Bean
public JwtAccessTokenConverter accessTokenConverter() //deprecated
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey(SINGING_KEY);
return converter;
@Bean
public TokenStore tokenStore() //deprecated
return new JwtTokenStore(accessTokenConverter());
@Bean
@Primary
public DefaultTokenServices tokenServices() //deprecated
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
资源服务器配置
@Configuration
@EnableResourceServer //deprecated
public class ResourceServerOAuth2Config extends ResourceServerConfigurerAdapter //deprecated
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<parent>
<groupId>com.skill.improvement</groupId>
<artifactId>app</artifactId>
<version>1.0.1-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<artifactId>security</artifactId>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<!-- 2.3.1.RELEASE -->
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<!-- 2.3.1.RELEASE -->
</dependency>
<dependency>
<groupId>org.springframework.security.oauth.boot</groupId>
<artifactId>spring-security-oauth2-autoconfigure</artifactId>
<version>2.3.1.RELEASE</version>
</dependency>
</dependencies>
</project>
主要安全配置
@Order(1)
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter
private static final String ADMIN_PASSWORD = "";
private static final String USER_PASSWORD = "";
@Override
public void configure(HttpSecurity http) throws Exception
http
.httpBasic().disable()
.csrf().disable()
.anonymous().disable()
.authorizeRequests()
.antMatchers("/v1/**").authenticated()
.and().exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint())
.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()) //deprecated
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
@Override
public void configure(WebSecurity web)
web.ignoring()
.antMatchers(
"/v2/api-docs",
"/configuration/ui",
"/swagger-resources/**",
"/configuration/security",
"/swagger-ui.html",
"/webjars/**")
.antMatchers(HttpMethod.GET, "/v1/**")
.antMatchers(HttpMethod.PATCH, "/v1/**");
@Autowired
public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception
auth.userDetailsService(inMemoryUserDetailsManager());
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception
return super.authenticationManagerBean();
@Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager()
return new InMemoryUserDetailsManager(getDefaultUsers());
@Bean
public PasswordEncoder passwordEncoder()
return new BCryptPasswordEncoder();
@Bean
public OncePerRequestFilter jwtAuthenticationFilter()
return new JwtAuthenticationFilter();
private List<UserDetails> getDefaultUsers()
List<UserDetails> userDetailsList = new ArrayList<>();
userDetailsList.add(User.withUsername("admin").password(passwordEncoder().encode(ADMIN_PASSWORD))
.roles("ADMIN").build());
userDetailsList.add(User.withUsername("user").password(passwordEncoder().encode(USER_PASSWORD))
.roles("USER").build());
return userDetailsList;
一切正常,但自 Spring Security 5.2.x 以来几乎所有内容都已弃用。我读了this guide
但我不确定如何成功完成迁移。是否有任何可以理解的指南来说明如何操作?
【问题讨论】:
【参考方案1】:在 spring security 的当前版本中,他们没有提供对授权服务器的支持。他们正在研究授权服务器支持,但该项目处于实验模式。除了 Spring Security 团队已经将 Spring Security 5 中的资源服务器和 Oauth2 客户端支持集成为单个 Spring Security 项目。直到,他们没有发布对最新 Spring 授权服务器的支持,您可以使用旧的授权服务器,但您将无法保留您的资源服务器身份验证服务器,因为最新的资源服务器和客户端配置具有不同的依赖关系,并且配置将与旧的 oauth2 支持冲突。
我建议您在发布 Spring 最新的身份验证服务器的同时使用任何其他授权服务器。我建议您使用我个人使用的 keyclock 身份验证服务器。
见this
【讨论】:
非常感谢您,先生。感谢您抽出宝贵时间在这里写下事实。我在 spring 文档中读到了这个当前状态,但我忘了用一些解释来结束这个问题。 :) 作为 spring-authorization-server 仍处于试验阶段且当前版本为 0.1.0,我将继续使用以前的“已弃用”版本,直到它变得更加稳定,而不是现在切换到 KeyClock 稍后再切换回来将来。以上是关于Spring security 5 迁移指南的主要内容,如果未能解决你的问题,请参考以下文章
thymeleaf中security的sec:authorize标签不起作用的原因
thymeleaf中security的sec:authorize标签不起作用的原因
在 Grails 3.x 中应该使用 Spring Sec OAuth 的哪个插件/模块?
Spring Security Role Hierarchy 不适用于 Thymeleaf sec:authorize