spring-security 表单身份验证迁移到注释

Question

我有以下 spring-security 配置：

<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

<http use-expressions="true">
    <intercept-url pattern="/edit/**" access="hasRole('EDITOR')" />
    <form-login login-page="/login" authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/" delete-cookies="JSESSIONID" />
    <remember-me user-service-ref="userDetailsService"/>
</http>

<b:bean id="encoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder ref="encoder" />
    </authentication-provider>
</authentication-manager>
</b:beans>

我正在尝试将其迁移到基于注释的配置：

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests().antMatchers("/edit/**").hasRole("EDITOR").and()
                .logout().logoutSuccessUrl("/").deleteCookies("JSESSIONID").and()
                .formLogin().loginPage("/login").failureUrl("/loginfailed").and()
                .rememberMe().userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder());
    }

    @Bean
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }

}

我还有社交网络登录功能，为此我使用了自动连接的 RequestCache。并且此 bean 不会出现在具有基于注释的配置的应用程序上下文中。我错过了什么？

Answer 1

RequestCache 问题解决方法如下：

@Bean
public RequestCache requestCache() {
    return new HttpSessionRequestCache();
}

随着配置的改变：

    http
            .requestCache().requestCache(requestCache()).and()
            .authorizeRequests().antMatchers("/edit/**").hasRole("EDITOR").and()...

同时迁移到基于注释的配置，许多默认值正在改变 - “j_username” 到 “username”，“j_password” 到 “password”， “j_spring_security_check” 到 “login”， “j_spring_security_logout” 到 “logout” 和 csrf 隐藏令牌在表单中成为必需的。