Spring Security deprecated issue
Question
Trying to configure JWT configuration. Seems like JWT is deprecated. How can I use OAuth2ResourceServerConfigurer::jwt now?
My code:
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
        http.sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        //http.formLogin(withDefaults());
        http.httpBasic(Customizer.withDefaults());
        http.csrf(csrf -> csrf.disable());
        http.headers(headers -> headers.frameOptions(frameOptionsConfig -> frameOptionsConfig.sameOrigin()));
        http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
        return http.build();
    }
Also, in Spring Security 6.0, antMatchers() as well as other configuration methods for securing requests (namely mvcMatchers() and regexMatchers()) have been removed from the API.
Answer 1
Score: 19
In addition to @schrom's answer and more related to the deprecation of OAuth2ResourceServerConfigurer#jwt, Spring Security deprecated the methods that return its own configurer in favor of the ones that return HttpSecurity, and deprecated the .and() method from the HttpSecurity.
For example, httpBasic() is deprecated in favor of httpBasic(Customizer). Those deprecations were done to have only one way to configure the security DSL, which is using lambdas. Take a look at the documentation.
So, for JWT configuration, you'd have to do:
    oauth2ResourceServer((oauth2) -> oauth2
        .jwt(Customizer.withDefaults())
    )
Answer 2
Score: 5
Spring's general advice is to migrate to Spring 5.8 first, and to 6.0 later, to have a smoother transition to the new features.
As stated in Spring Security 5.8 documentation:
> In Spring Security 5.8, the antMatchers, mvcMatchers, and regexMatchers methods were deprecated in favor of new requestMatchers methods
As far as I know, http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) should still work; it is even mentioned in the Spring Security 6.0 documentation about JWT:
Usually Spring classes have great documentation about deprecated methods, i.e. the JavaDoc often gives hints about which class or method to use instead.
Answer 3
Score: 0
Try it like this:
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Other stuff
            .oauth2ResourceServer((rs) ->
                rs.jwt((jwt) -> jwt.decoder(jwtDecoder()))
            );
        return http.build();
    }
    @Bean
    public JwtDecoder jwtDecoder() {
        // return your JwtDecoder
    }
Answer 4
Score: 0
I guess you are looking to configure the Customizer for the various HttpSecurity settings; you can take a cue from below:
    @Value("${jwksUri}")
    private String jwksUri;
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Either let the configurer build a decoder from the JWK Set URI ...
        http.oauth2ResourceServer(server -> server.jwt(jwtConfigurer -> jwtConfigurer.jwkSetUri(jwksUri)));
        // ... or pass your own JwtDecoder (myDecoder is defined elsewhere).
        // Both calls set the same decoder, so the later one wins; keep only one of them.
        http.oauth2ResourceServer(server -> server.jwt(jwtConfigurer -> jwtConfigurer.decoder(myDecoder)));
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
Answer 5
Score: 0
Just for the Kotlin devs looking in here
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http.authorizeHttpRequests { auth ->
            auth.requestMatchers("/myendpoint/**").authenticated()
        }
            .oauth2ResourceServer { oauth2 -> oauth2.jwt(Customizer.withDefaults()) }
        return http.build()
    }