Spring Security deprecated issue

Question

Trying to configure JWT configuration. Seems like JWT is deprecated. How can I use OAuth2ResourceServerConfigurer::jwt now?

My code:

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
        http.sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        //http.formLogin(withDefaults());
        http.httpBasic(Customizer.withDefaults());
        http.csrf(csrf -> csrf.disable());
        http.headers(headers -> headers.frameOptions(frameOptionsConfig -> frameOptionsConfig.sameOrigin()));
        http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
        return http.build();
    }

Also, in Spring Security 6.0, antMatchers() as well as other configuration methods for securing requests (namely mvcMatchers() and regexMatchers()) have been removed from the API.

Answer 1

Score: 19

In addition to @schrom's answer and more related to the deprecation of OAuth2ResourceServerConfigurer#jwt, Spring Security deprecated the methods that return its own configurer in favor of the ones that return HttpSecurity, and deprecated the .and() method from the HttpSecurity.

For example, httpBasic() is deprecated in favor of httpBasic(Customizer). Those deprecations were done to have only one way to configure the security DSL, which is using lambdas. Take a look at the documentation.

So, for JWT configuration, you'd have to do:

    oauth2ResourceServer((oauth2) -> oauth2
        .jwt(Customizer.withDefaults())
    )

Answer 2

Score: 5

Spring's general advice is to migrate to Spring 5.8 first, and to 6.0 later, to have a smoother transition to the new features.

As stated in Spring Security 5.8 documentation:

> In Spring Security 5.8, the antMatchers, mvcMatchers, and regexMatchers methods were deprecated in favor of new requestMatchers methods

As far as I know, http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) should still work; it is even mentioned in the Spring Security 6.0 documentation about JWT:

Usually Spring classes have great documentation about deprecated methods, i.e. the JavaDoc often gives hints about which class or method to use instead.

Answer 3

Score: 0

Try this like:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                    // Other stuff
                    .oauth2ResourceServer((rs) ->
                            rs.jwt((jwt) ->jwt.decoder(jwtDecoder()))
                    );
            return http.build();
    }

    @Bean
    public JwtDecoder jwtDecoder() {
            // return your JWTdecoder
    }

Answer 4

Score: 0

I guess you are looking to configure the Customizer for the various HttpSecurity settings; you can take a cue from below:

    @Value("${jwksUri}")
    private String jwksUri;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

        // Option A: let Spring build the decoder from a JWK Set URI
        http.oauth2ResourceServer(server -> server.jwt(jwtConfigurer -> jwtConfigurer.jwkSetUri(jwksUri)));

        // Option B: supply your own JwtDecoder (myDecoder must be defined elsewhere).
        // If both calls are kept, this later one replaces the decoder set above.
        http.oauth2ResourceServer(server -> server.jwt(jwtConfigurer -> jwtConfigurer.decoder(myDecoder)));

        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated());

        return http.build();

    }

Answer 5

Score: 0

Just for the Kotlin devs looking in here

    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http.authorizeHttpRequests { auth ->
            auth.requestMatchers("/myendpoint/**").authenticated()
        }
        .oauth2ResourceServer { oauth2 -> oauth2.jwt(Customizer.withDefaults()) }

        return http.build()
    }
