Spring Boot 2.x greatly simplifies the default security configuration: instead of a large number of security-related configuration properties, you now only need to provide a subclass of WebSecurityConfigurerAdapter, and with that one simple step Spring Boot can cover many security concerns.
The Actuator no longer has its own separate security configuration (the management.security.* properties have been removed), and the sensitive flag on each endpoint has been removed as well, so the security configuration has become much clearer.
For example, suppose you had the following configuration:

```yaml
endpoints:
  info:
    sensitive: false
  mappings:
    sensitive: true
management:
  security:
    roles: MY_ADMIN
```
In 2.x you can now do it like this:

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * name: TestWebSecurityConfigureAdapter
 *
 * @author aboruo
 * @Description an example on adding our custom WebSecurityConfigurerAdapter
 * @Date create in 2019/9/9 20:50.
 */
@EnableWebSecurity
public class TestWebSecurityConfigureAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/actuator/health", "/actuator/info").permitAll()
                .antMatchers("/actuator/**").hasRole("MY_ADMIN")
            .and().httpBasic();
    }
}
```
Please note that in 2.x, health and info are accessible by default (although in the default configuration the detailed health information is not shown). In keeping with these new defaults, health has been added to the first matcher, the one that calls permitAll().
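As an added example (not code from the original post), the same rules can be expressed with Spring Boot 2.x's EndpointRequest matchers instead of hard-coded /actuator/... paths, so they keep working if the management base path is changed, and with CSRF protection relaxed only for actuator requests rather than disabled for the whole application as in the adapter above. The role name MY_ADMIN comes from the post; the class name, the user name and the password are constructed placeholders.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Added example: actuator protection written with EndpointRequest matchers.
 * Not part of the original post.
 */
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Only actuator requests skip the CSRF check; the rest of the app keeps it.
            .csrf().ignoringRequestMatchers(EndpointRequest.toAnyEndpoint())
            .and()
            .authorizeRequests()
                // health and info stay public, matching the 2.x defaults.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // Every other actuator endpoint requires the MY_ADMIN role.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("MY_ADMIN")
                // Application URLs outside the actuator still require a login.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Delegating encoder: stored hashes carry an algorithm id prefix such as {bcrypt}.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed placeholder credentials for the example only; a real deployment
        // would load them from a secret store or an external identity provider.
        return new InMemoryUserDetailsManager(
                User.withUsername("ops-admin")
                    .password(encoder.encode("replace-me"))
                    .roles("MY_ADMIN")
                    .build());
    }
}
```

With this in place, anonymous callers still get the plain UP/DOWN status from health, while the MY_ADMIN user can be allowed to see the component details by setting management.endpoint.health.show-details=when-authorized together with management.endpoint.health.roles=MY_ADMIN.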
Endpoint implementation when Spring Boot 2.x does not introduce Spring Security (to be continued)
1. First, find the auto-configuration classes in the spring.factories file of spring-boot-autoconfigure.
Let us review this class:
```java
/**
 * {@link EnableAutoConfiguration Auto-configuration} for Spring Security.
 *
 * @author Dave Syer
 * @author Andy Wilkinson
 * @author Madhura Bhave
 * @since 1.0.0
 */
@Configuration
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
@EnableConfigurationProperties(SecurityProperties.class)
@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
        SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {

    @Bean
    @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
    public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
        return new DefaultAuthenticationEventPublisher(publisher);
    }

}
```
DefaultAuthenticationEventPublisher: the default publisher of authentication events (success and failure events).
SecurityProperties: the security configuration properties, bound to the properties that begin with spring.security.
SecurityAutoConfiguration imports several key configuration classes:
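The events that DefaultAuthenticationEventPublisher emits are the natural hook for monitoring logins to the actuator endpoints. The listener below is an added example (not from the original post, and not part of Spring Boot) that counts consecutive failures per user name and writes an alert line once a threshold is reached; the threshold, the class name and the log format are constructed choices.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

/**
 * Added example: consumes the events published by DefaultAuthenticationEventPublisher
 * and keeps a per-user counter of consecutive failures. Not from the original post.
 */
@Component
public class AuthenticationAuditListener {

    private static final Logger log = LoggerFactory.getLogger(AuthenticationAuditListener.class);

    /** Consecutive failures after which an alert line is written (constructed value). */
    static final int ALERT_THRESHOLD = 5;

    /** Failures in a row per user name; cleared again on a successful login. */
    private final Map<String, AtomicInteger> consecutiveFailures = new ConcurrentHashMap<>();

    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        // DefaultAuthenticationEventPublisher maps each AuthenticationException to a
        // concrete subclass of this event; the abstract type catches all of them.
        String user = event.getAuthentication().getName();
        int count = consecutiveFailures
                .computeIfAbsent(user, k -> new AtomicInteger())
                .incrementAndGet();
        log.warn("AUTH_FAILURE user={} reason={} consecutive={}",
                user, event.getException().getClass().getSimpleName(), count);
        if (count == ALERT_THRESHOLD) {
            log.error("AUTH_ALERT user={} reached {} consecutive authentication failures",
                    user, ALERT_THRESHOLD);
        }
    }

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        String user = event.getAuthentication().getName();
        consecutiveFailures.remove(user);
        log.info("AUTH_SUCCESS user={}", user);
    }

    /** Current consecutive failure count for a user; 0 if none recorded. */
    public int failuresFor(String user) {
        AtomicInteger n = consecutiveFailures.get(user);
        return n == null ? 0 : n.get();
    }
}
```

Because the publisher bean is only created when no AuthenticationEventPublisher bean exists (the @ConditionalOnMissingBean in SecurityAutoConfiguration), a listener like this works out of the box; if you register your own publisher, make sure it still emits the failure events, otherwise the counter never moves.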
① SpringBootWebSecurityConfiguration
```java
/**
 * The default configuration for web security. It relies on Spring Security's
 * content-negotiation strategy to determine what sort of authentication to use. If the
 * user specifies their own {@link WebSecurityConfigurerAdapter}, this will back-off
 * completely and the users should specify all the bits that they want to configure as
 * part of the custom security configuration.
 *
 * @author Madhura Bhave
 * @since 2.0.0
 */
@Configuration
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {

    @Configuration
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {

    }

}
```
This is Spring Boot's default security configuration class; it relies on Spring Security's content-negotiation strategy to determine which kind of authentication to use. From the code we can see that:
- when the user defines their own WebSecurityConfigurerAdapter class, SpringBootWebSecurityConfiguration does not take effect;
- it takes effect only when the application is a web application of type SERVLET.
② WebSecurityEnablerConfiguration
This is a confirmation configuration class; as the name implies, it takes effect when a bean of type WebSecurityConfigurerAdapter exists in the ApplicationContext, and its responsibility is to add the @EnableWebSecurity annotation on behalf of those beans.
```java
/**
 * If there is a bean of type WebSecurityConfigurerAdapter, this adds the
 * {@link EnableWebSecurity} annotation. This will make sure that the annotation is
 * present with default security auto-configuration and also if the user adds custom
 * security and forgets to add the annotation. If {@link EnableWebSecurity} has already
 * been added or if a bean with name {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has
 * been configured by the user, this will back-off.
 *
 * @author Madhura Bhave
 * @since 2.0.0
 */
@Configuration
@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {

}
```
③ SecurityDataConfiguration
When SecurityEvaluationContextExtension is present on the classpath, this adds Spring Security's integration with Spring Data.
```java
/**
 * Automatically adds Spring Security's integration with Spring Data.
 *
 * @author Rob Winch
 * @since 1.3.0
 */
@Configuration
@ConditionalOnClass(SecurityEvaluationContextExtension.class)
public class SecurityDataConfiguration {

    @Bean
    @ConditionalOnMissingBean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }

}
```
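What that extension buys you is the ability to reference the current principal inside a Spring Data query. The repository below is an added example (not from the original post) showing the pattern: the ownership filter lives in the query itself, so the caller cannot widen it by passing a different id. The CustomerOrder entity and its ownerUsername column are constructed for the example.

```java
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;

/**
 * Added example, not from the original post: a constructed entity whose rows
 * belong to the user named in ownerUsername.
 */
@Entity
class CustomerOrder {

    @Id
    @GeneratedValue
    Long id;

    /** User name of the owner; compared against the authenticated principal. */
    String ownerUsername;

    String description;
}

interface CustomerOrderRepository extends JpaRepository<CustomerOrder, Long> {

    /**
     * '?#{ ... }' is the SpEL binding Spring Data evaluates at query time; the
     * 'principal' variable is supplied by SecurityEvaluationContextExtension, so the
     * method needs no parameter and cannot be asked for another user's rows.
     */
    @Query("select o from CustomerOrder o where o.ownerUsername = ?#{ principal?.username }")
    List<CustomerOrder> findOwnOrders();
}
```

The safe-navigation operator (principal?.username) only guards against a null principal; for an anonymous request the principal is the String "anonymousUser", which has no username property, so call such repository methods only from code paths that already require authentication.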
In follow-up posts we will introduce the following classes one by one, in order to understand how it all works:
- SecurityRequestMatcherProviderAutoConfiguration
- UserDetailsServiceAutoConfiguration
- SecurityFilterAutoConfiguration
- OAuth2ClientAutoConfiguration
- OAuth2ResourceServerAutoConfiguration