Spring Security 5.1.5.RELEASE to Spring Security 5.4.6 breaks the security configuration

Problem description

Summary: I updated a Spring Boot project from 2.1.5.RELEASE to 2.4.5. That automatically updated all Spring Security dependencies from Spring Security 5.1.5.RELEASE to Spring Security 5.4.6, which broke the security configuration:

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: Can't configure anyRequest after itself
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.3.6.jar:5.3.6]
    at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-5.3.6.jar:5.3.6]
    ... 28 more
Caused by: java.lang.IllegalStateException: Can't configure anyRequest after itself
    at org.springframework.util.Assert.state(Assert.java:76) ~[spring-core-5.3.6.jar:5.3.6]
    at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.anyRequest(AbstractRequestMatcherRegistry.java:72) ~[spring-security-config-5.4.6.jar:5.4.6]
    at com.verizon.wfm.nt.config.SecurityConfig.configure(SecurityConfig.java:14) ~[default/:?]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.getHttp(WebSecurityConfigurerAdapter.java:217) ~[spring-security-config-5.4.6.jar:5.4.6]

Security configuration (the code that used to work):

version: '3.8'

services:
  web:
    image: image:13.0
    container_name: main

    restart: always
    depends_on:
      - database
    ports:
      - 4000:4000
    volumes:
      - ./pip.conf:/etc/pip.conf
      - utilities:/mnt/utilities
      - extra-addons:/mnt/extra-addons
      - enterprise-addons:/mnt/enterprise-addons

    environment:
      - HOST=db
      - USER=kaniel
      - PASSWORD=outis

  
  database:
    image: postgres:13
    container_name: db

    restart: always
    volumes:
      - pgdata:/var/lib/postgresql/data

    ports:
      - 5432:5432
    environment:
      - POSTGRES_USER=kaniel
      - POSTGRES_PASSWORD=outis
      - POSTGRES_DB=postgres


volumes:
  pgdata:

  utils:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '${PWD}/utils'

  custom:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '${PWD}/custom'

  enterprise:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '${PWD}/enterprise'

Solution

When super.configure(httpSecurity) is called, it does the following:

http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.formLogin();
http.httpBasic();

After that, you configure the requests again using anyRequest. Recent versions of Spring Security no longer allow this.

I suggest that you do not call super.configure(httpSecurity), but instead disable the defaults and configure it yourself, like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Do not call super.configure(): it would already register anyRequest().authenticated()
        httpSecurity.formLogin().disable();
        httpSecurity.httpBasic().disable();
        // The only anyRequest() rule in this chain
        httpSecurity.authorizeRequests((requests) ->
            requests.anyRequest().permitAll()
        );
        httpSecurity.csrf().disable();
        httpSecurity.headers().frameOptions().disable();
    }
}
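As an added illustration (not code from the question or the answer above), the first class below reproduces the failing pattern the answer describes, where super.configure(http) has already registered anyRequest().authenticated() and a second anyRequest() trips the assertion in Spring Security 5.4.x; the second class declares the rule set once, keeps authentication as the default, and leaves CSRF and header defaults in place. The path /public/** is an assumption chosen for the example, and only one of the two adapters may be active in an application at a time (each would normally live in its own file).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Reproduces the error from the stack trace. Shown only to make the cause visible;
// do not enable this class together with the one below.
@EnableWebSecurity
@Configuration
public class BrokenSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Registers anyRequest().authenticated(), formLogin() and httpBasic()
        super.configure(http);
        // authorizeRequests() returns the SAME registry, so this is a second
        // anyRequest() call: IllegalStateException "Can't configure anyRequest after itself"
        http.authorizeRequests(requests -> requests.anyRequest().permitAll());
    }
}

// Replacement that does not call super.configure() and declares every rule once.
// Everything not explicitly opened still requires authentication; CSRF protection
// and the default security headers remain enabled.
@EnableWebSecurity
@Configuration
class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(requests -> requests
                .antMatchers("/public/**").permitAll()   // hypothetical unauthenticated paths
                .anyRequest().authenticated())           // the single anyRequest() rule
            .formLogin(Customizer.withDefaults())        // same defaults super.configure() would add
            .httpBasic(Customizer.withDefaults());
    }
}
```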