java - Spring安全5/Spring Boot 2.2 : No AuthenticationProvider found for org. springframework.security.authentication.UsernamePasswordAuthenticationToken

Question

我们正在将应用程序从 Spring Boot 1.5.x 升级到 2.2.x，将 Spring Security 4.x 升级到 5.3.2。我们为网络安全定义了以下内容:

 @EnableWebSecurity
 @Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 @Profile("uno")
 public class UnoSecurityConfig extends AbstractSecurityConfig {

 @Autowired
 private ServletContext servletContext;

 @Override
 protected void configure(HttpSecurity http) throws Exception {
    BasicAuthFilter basicAuthFilter = new BasicAuthFilter();
    basicAuthFilter.init(new BasicAuthSSOFilterConfig(servletContext));
    http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/ping").permitAll()
            .antMatchers(HttpMethod.POST, "/ping").permitAll()
            .antMatchers("/**").hasAuthority(OurPrivileges.ALL_MEASURE)
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()//allow CORS option calls
            .and()
            .addFilter(securityContextPersistenceFilter())
            .addFilterAfter(new RequestContextFilter(), SecurityContextPersistenceFilter.class)
            .addFilterAfter(new CrossFramePreventionFilter(), RequestContextFilter.class)
            .addFilterAfter(basicAuthFilter, CrossFramePreventionFilter.class)
            .addFilterAfter(preAuthenticationFilter(), BasicAuthFilter.class)
            .addFilterAfter(exceptionTranslationFilter(), PreAuthenticatedUserDetailsFilter.class);
    http.headers().contentSecurityPolicy(SecurityUtility.getContentSecurityPolicy());
}

当我尝试访问/ping 端点时，它应该让我进入，但我却弹出身份验证框，然后被拒绝。我在日志中看到这一点:

2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec- 
2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator/health/**']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec- 
2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator/health/**'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator/info/**']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator/info/**'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -Trying to match using Ant [pattern='/actuator/']
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Checking match of request : '/ping'; against '/actuator/'
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:OrRequestMatcher:[]] -No matches found
2020-05-26 09:56:39.881-0500 DEBUG APP=829 COMP=782 [https-jsse-nio-30062-exec-2:AntPathRequestMatcher:[]] -Request '/ping' matched by universal pattern '/**'

需要身份验证的其他端点不允许我进入并给出 401/403 错误，并抛出异常作为帖子的标题。很明显，spring 没有使用我们的自定义逻辑。我们的代码没有改变，只是依赖关系。我怎样才能超越这个？

Answer 1

配置覆盖创建一个新的过滤器链，它优先于默认的 springSecurityFilterChain ，因此接受所有请求并拒绝所有请求。我将 @Order(1) 添加到我的安全配置类中，这解决了问题。