升级spring security后认证管理器为空

Question

我正在用spring boot2.7.4版本编写应用程序，其中包含spring security的新版本。所以我需要将旧代码重写为新代码。 这是我的旧安全配置 WebSecurityConfigurerAdapter

@Configuration
@EnableWebSecurity
class AppWebConfig(
    val customUserDetailsService: CustomUserDetailsService,
    val passwordEncoder: PasswordEncoder,
    val tokensService: TokensService
) : WebSecurityConfigurerAdapter() {

    @Throws(Exception::class)
    override fun configure(auth: AuthenticationManagerBuilder) {
        auth
            .userDetailsService(customUserDetailsService)
            .passwordEncoder(passwordEncoder)
    }

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {
        http
            .cors()
            .and()
            .csrf().disable()
            .exceptionHandling()
            //urls permissions...
            .addFilter(AppAuthorizationFilter(authenticationManager(), tokensServicee))
    }

}

这是新代码

@Configuration
@EnableWebSecurity
class AppWebConfig(
    val tokensService: TokensService,
) {

    @Bean
    @Throws(Exception::class)
    fun authenticationManager(authenticationConfiguration: AuthenticationConfiguration): AuthenticationManager? {
        return authenticationConfiguration.authenticationManager
    }

    @Bean
    @Throws(Exception::class)
    protected fun fitlerChain(http: HttpSecurity): SecurityFilterChain {
        val authenticationManager = http.getSharedObject(AuthenticationManager::class.java)

        return http
            .cors()
            .and()
            .csrf().disable()
            //urls permissions...
            .addFilter(AppAuthorizationFilter(authenticationManager, tokensService))
            .build()
    }

这是 AppAuthorizationFilter，它在两个版本中都没有改变，并且使用了 authenticationManager：

class AppAuthorizationFilter(
    authenticationManager: AuthenticationManager,
    tokensService: TokensService,
) : BasicAuthenticationFilter(authenticationManager) {
    private val tokensService: TokensService

    init { this.tokensService = tokensService }

    @Throws(IOException::class, ServletException::class)
    override fun doFilterInternal(
        request: HttpServletRequest,
        response: HttpServletResponse,
        chain: FilterChain,
    ) {
        val header = request.getHeader(Objects.requireNonNull(HttpHeaders.AUTHORIZATION))
        if (header != null) {
            val authorizedUser = tokensService.parseAccessToken(header)
            SecurityContextHolder.getContext().authentication = authorizedUser
        }
        chain.doFilter(request, response)
    }
}

问题出在来自AppWebConfig 的authenticationManager。我得到的错误是它为空。

Caused by: java.lang.NullPointerException: authenticationManager must not be null at com.app.security.config.WebConfig.fitlerChain(WebConfig.kt:68)

我通过从共享对象 http.getSharedObject(AuthenticationManager::class.java) 中获取 authenticationManager 来尝试上面显示的解决方案，但如您所见，它不起作用。

我通过从 WebApplicationContext 获取 authenticationManager 解决了这个问题，但我不确定这是否是最好的方法

val authenticationManager = applicationContext.getBean("authenticationManager") as AuthenticationManager

Answer 1

尝试将此注释 (@Primary) 添加到您的 authenticationManager bean。如果不起作用，请使用您提到的解决方案。

@Bean
@Primary // try to add this
@Throws(Exception::class)
fun authenticationManager(authenticationConfiguration: AuthenticationConfiguration): AuthenticationManager? {
    return authenticationConfiguration.authenticationManager
}

Answer 2

请在构建后或构建后访问身份验证管理器。

       public SecurityFilterChain securityFilterChain(HttpSecurity http, ResourceProtectAware protectAware) throws Exception {
            protectAware.addUrlAuthorization(http);
            http.cors();
            http.httpBasic().authenticationEntryPoint(entryPoint());
           // http.addFilterBefore(spnegoAuthenticationFilter(configuration.getAuthenticationManager()), BasicAuthenticationFilter.class);
            DefaultSecurityFilterChain build = http.build();
//access it after you build. 
            AuthenticationManager sharedObject = http.getSharedObject(AuthenticationManager.class);
            return build;
        }