java - Spring boot，如何重新配置​​http-security

Question

在带有 spring-boot-starter-security 的 Spring Boot 中，HTTP 安全性是自动配置的。我想在 Spring Boot 自动配置 HttpSecurity 对象之后配置它，即对默认配置进行一些调整，而无需重新配置整个对象。如何在 Spring Boot 中做到这一点？

Answer 1

调整 spring-boot 安全配置的一种方法是通过 properties ，默认情况下是:

# ----------------------------------------
# SECURITY PROPERTIES
# ----------------------------------------
# SECURITY (SecurityProperties)
spring.security.filter.order=-100 # Security filter chain order.
spring.security.filter.dispatcher-types=async,error,request # Security filter chain dispatcher types.
spring.security.user.name=user # Default user name.
spring.security.user.password= # Password for the default user name.
spring.security.user.roles= # Granted roles for the default user name.

# SECURITY OAUTH2 CLIENT (OAuth2ClientProperties)
spring.security.oauth2.client.provider.*= # OAuth provider details.
spring.security.oauth2.client.registration.*= # OAuth client registrations.

如果属性不能提供足够的灵 active ，您可以扩展 WebSecurityConfigurerAdapter并覆盖配置方法，如图 here 。示例来自official doc :

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/css/**", "/index").permitAll()       
                .antMatchers("/user/**").hasRole("USER")            
                .and()
            .formLogin()
                .loginPage("/login").failureUrl("/login-error");    
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

这将超越自动配置的 spring-boot 安全性，有效地使用提供的任何配置覆盖它。