Disable Basic Authentication while using Spring Se

2020-01-29 07:32发布

站内问答 / SpringBoot
1723 5 5

I am trying to secure a web application using Spring Security java configuration.

This is how the configuration looks:-

@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private String googleClientSecret;

    @Autowired
    private CustomUserService customUserService;

    /*
     * (non-Javadoc)
     * 
     * @see org.springframework.security.config.annotation.web.configuration.
     * WebSecurityConfigurerAdapter
     * #configure(org.springframework.security.config
     * .annotation.web.builders.HttpSecurity)
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // @formatter:off
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/","/static/**", "/resources/**","/resources/public/**").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin()
                    .and()
                .httpBasic().disable()
            .requiresChannel().anyRequest().requiresSecure();
        // @formatter:on
        super.configure(http);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        // @formatter:off
        auth
            .eraseCredentials(true)
            .userDetailsService(customUserService);
        // @formatter:on
        super.configure(auth);
    }
}

Notice that I have explicitly disabled HTTP Basic authentication using:-

.httpBasic().disable()

I am still getting HTTP Authenticaton prompt box while accessing a secured url. Why?

Please help me fix this. I just want to render the default login form that comes bundled.

Spring Boot Starter Version : 1.1.5 Spring Security Version : 3.2.5

Thanks

5条回答
Melony?
2楼-- · 2020-01-29 08:04

The following worked for me:

            http
                .authorizeRequests()
                .anyRequest().permitAll();
查看更多
0人赞 添加讨论(0) 举报
乱世女痞
3楼-- · 2020-01-29 08:15

First of all, calling super.configure(http); will override whole your configuration you have before that.

Try this instead:

http
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .formLogin()
        .and()
    .httpBasic().disable();
查看更多
0人赞 添加讨论(0) 举报
【Aperson】
4楼-- · 2020-01-29 08:15

You can disable the formLogin through the HttpSecurity instance as follow:

http.authorizeRequests().antMatchers("/public/**").permitAll()
        .antMatchers("/api/**").hasRole("USER")
        .anyRequest().authenticated() 
        .and().formLogin().disable();

This will lead receiving 403 Http error when trying to access any secured resource

查看更多
0人赞 添加讨论(0) 举报
仙女界的扛把子
5楼-- · 2020-01-29 08:22

Anonymous option worked for me. My code like

  http.csrf().disable().headers().frameOptions().sameOrigin().and().
   authorizeRequests().anyRequest().anonymous().and().httpBasic().disable();
查看更多
0人赞 添加讨论(0) 举报
迷人小祖宗
6楼-- · 2020-01-29 08:26

In case you use Spring Boot, the documentation states:

To switch off the Boot default configuration completely in a web application you can add a bean with @EnableWebSecurity

So if you want to fully customize itself that might be an option.

Just to make it clear... You just need to put @EnableWebSecurity annotation on your main application class or application configuration class.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)