当前位置: 首页 > news >正文

Spring-Security-5.7.11升级6.5.2

news 2025/8/12 9:31:34

1.Session Management

1.1.必须明确调用SecurityContextRepository保存SecurityContext

在Spring Security 5中,默认行为是SecurityContext使用SecurityContextPersistenceFilter自动保存到SecurityContextRepository

//版本5.7.11
//SecurityContextPersistenceFilter中核心代码
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);SecurityContext contextBeforeChainExecution = this.repo.loadContext(holder);try {SecurityContextHolder.setContext(contextBeforeChainExecution);//...}finally {SecurityContext contextAfterChainExecution = SecurityContextHolder.getContext();SecurityContextHolder.clearContext();// 保存this.repo.saveContext(contextAfterChainExecution, holder.getRequest(), holder.getResponse());}

SecurityContextPersistenceFilter已被作废

在Spring Security 6中,默认行为是SecurityContextHolderFilter只会从SecurityContextRepository读取SecurityContext并将其填充到SecurityContextHolder中。如果用户希望SecurityContext在请求之间保持不变,他们现在必须使用SecurityContextRepository显式保存SecurityContext

//版本6.5.2
private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)throws ServletException, IOException {Supplier<SecurityContext> deferredContext = this.securityContextRepository.loadDeferredContext(request);try {this.securityContextHolderStrategy.setDeferredContext(deferredContext);chain.doFilter(request, response);}finally {// 没有保存this.securityContextHolderStrategy.clearContext();request.removeAttribute(FILTER_APPLIED);}}

1.2.登录成功的通用保存逻辑

如果是登录成功,根据不同的登录方式设置,以下是必须要设置的

// 版本6.5.2
SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
context.setAuthentication(authenticationResult);
this.securityContextHolderStrategy.setContext(context);
this.securityContextRepository.saveContext(context, request, response);

用户名密码登录可参见AbstractAuthenticationProcessingFilter

//版本5.7.11
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,Authentication authResult) throws IOException, ServletException {SecurityContext context = SecurityContextHolder.createEmptyContext();context.setAuthentication(authResult);SecurityContextHolder.setContext(context);this.securityContextRepository.saveContext(context, request, response);if (this.logger.isDebugEnabled()) {this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", authResult));}this.rememberMeServices.loginSuccess(request, response, authResult);if (this.eventPublisher != null) {this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));}this.successHandler.onAuthenticationSuccess(request, response, authResult);}
​
// 版本6.5.2
private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();
​
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,Authentication authResult) throws IOException, ServletException {//创建SecurityContext的对象不同SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();context.setAuthentication(authResult);this.securityContextHolderStrategy.setContext(context);// 显示保存this.securityContextRepository.saveContext(context, request, response);if (this.logger.isDebugEnabled()) {this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", authResult));}this.rememberMeServices.loginSuccess(request, response, authResult);if (this.eventPublisher != null) {this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));}this.successHandler.onAuthenticationSuccess(request, response, authResult);}

1.3.SecurityContextRepository默认的初始化

//版本6.5.2
HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository();
DelegatingSecurityContextRepository defaultRepository = new DelegatingSecurityContextRepository(httpSecurityRepository, new RequestAttributeSecurityContextRepository());
return defaultRepository;
​
//版本5.7.11
HttpSessionSecurityContextRepository httpSecurityRepository; = new HttpSessionSecurityContextRepository();
return httpSecurityRepository;

1.4.SecurityContextRepository的接口

public interface SecurityContextRepository {
​//5.7.11中使用的接口@DeprecatedSecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
​//最新6.5.2中使用接口,目前兼容,作废的loadContext后续会被删除default DeferredSecurityContext loadDeferredContext(HttpServletRequest request) {Supplier<SecurityContext> supplier = () -> loadContext(new HttpRequestResponseHolder(request, null));return new SupplierDeferredSecurityContext(SingletonSupplier.of(supplier),SecurityContextHolder.getContextHolderStrategy());}
​void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
​
​boolean containsContext(HttpServletRequest request);
}

2.csrf的token

 private CsrfTokenRepository tokenRepository;
​
//5.7.11通过一下方法获取
CsrfToken token = tokenRepository.loadToken(request);
if (token != null) {userDetails.getUserDTO().setToken(token.getToken());
}
​
//6.5.2使用以下方式
DeferredCsrfToken token = tokenRepository.loadDeferredToken(request, response);
if (token != null) {userDetails.getUserDTO().setToken(token.get().getToken());
}

3.授权

//5.7.11 使用以下方式 在6中已被标记作废
FilterSecurityInterceptor AccessDecisionManager//6.5.2 已通过
AuthorizationManager控制public void customize(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizationManagerRequestMatcherRegistry) {HttpSecurity http = authorizationManagerRequestMatcherRegistry.and();
​AuthorizationManager<RequestAuthorizationContext> requestAuthorizationManager =  new xxxx
​authorizationManagerRequestMatcherRegistry.requestMatchers(accessRequestMatcherToArray()).access(xxRequestAuthorizationManager);
}  

4.SecurityFilterChain的配置

<1>HttpSecurity中的apply方法将被作废

//升级前   
http.apply(xxxCaptchaVerifier())
//升级后    
http.with(xxxCaptchaVerifier(), withDefaults())

<2>xxExceptionHandlingCustomizerand方法将被作废,主要获取HttpSecurity,然后获取ApplicationContext,获取Bean

// 升级前
public class XxExceptionHandlingCustomizer extends XxAbstractCustomizer<ExceptionHandlingConfigurer<HttpSecurity>> {@Overridepublic void customize(ExceptionHandlingConfigurer<HttpSecurity> exceptionHandlingConfigurer) {//.and()已作废HttpSecurity http = exceptionHandlingConfigurer.and();Http401UnauthorizedEntryPoint http401UnauthorizedEntryPoint = getBean(http, Http401UnauthorizedEntryPoint.class);}
}// 升级后
public class XxExceptionHandlingCustomizer extends XxAbstractCustomizer<ExceptionHandlingConfigurer<HttpSecurity>> {public XxExceptionHandlingCustomizer(ApplicationContext context) {super(context);}@Overridepublic void customize(ExceptionHandlingConfigurer<HttpSecurity> exceptionHandlingConfigurer) {Http401UnauthorizedEntryPoint http401UnauthorizedEntryPoint = getBean(Http401UnauthorizedEntryPoint.class);exceptionHandlingConfigurer.authenticationEntryPoint(http401UnauthorizedEntryPoint);}}

<3>HttpSecurity中多个配置不在使用and方法,统一使用Customizer<T>接口配置

//升级前
http.cors().and().securityContext(xxxSecurityContextCustomizer())    //升级后     //只开启cors,不自定义配置
http.cors(withDefaults());
//开启cors,自定义配置   
http.cors(corsConfigurer -> {})

http://www.lryc.cn/news/617586.html

相关文章:

  • Unity笔记(五)知识补充——场景切换、退出游戏、鼠标隐藏锁定、随机数、委托
  • 前端面试:promise...then与asnyc ...await
  • 简单了解MongoDB数据存储
  • ‌太钢建材:筑就未来,品质见证
  • 软考倒计时 巧用芝麻倒计时软件 助力高效备考 有效提升备考效率
  • DNS(域名系统)
  • 关于线性DP模板
  • 月报 Vol.02:新增条件编译属性 cfg、#alias属性、defer表达式,增加 tuple struct 支持
  • 基于OpenCV的实时美颜技术:从传统算法到深度学习融合实现
  • 基恩士 CA CNX10U 视觉连接器REPEATER CA CN or CV- C 日本原装进口
  • 【软考中级网络工程师】知识点之 TCP 协议深度剖析
  • 嵌入式第二十五课!!!文件读写操作补充与应用、以及文件流定位相关函数接口
  • idea没有 Active Profiles 的填写位置
  • 企业级 IT 运维服务平台数据备份方案:基于 rsync 的自动化实现
  • 视觉相机偏移补偿
  • 在macOS上扫描192.168.1.0/24子网的所有IP地址
  • 初识影刀:将多个相同格式EXCEL中内容汇总到一个EXCEL文件中去
  • Camera open failed
  • 在Linux中模拟配置高性能web服务器
  • gophis钓鱼
  • 掌握while循环:C语言编程基础
  • [动态规划]最长公共子序列(LCS)
  • golang 基础案例_01
  • Go选手如何快速上手第三方库
  • Springboot-vue 地图展现
  • JDK21虚拟线程和 Golang1.24协程的比较
  • 《姜妮与Veda的最后一次传输》
  • 李宏毅2025《机器学习》-第十讲:AI“思想钢印”:深入解析大模型的知识编辑技术
  • 秒懂边缘云|1分钟了解边缘安全加速 ESA
  • 机器学习——K-means聚类