Notes on Spring Security in Spring Boot 2.x endpoints (Part 1)
Published: 2019-06-12


Spring Boot 2.x greatly simplifies the default security configuration. This does not mean there is a lot to configure: you now only need to provide a single class that extends WebSecurityConfigurerAdapter, and Spring Boot's default security auto-configuration backs off in favor of it.

Actuator no longer has its own separate security configuration (the management.security.* properties have been removed), and the per-endpoint sensitive flag has been removed as well, so the security configuration is now explicit.

For example, if you had the following configuration in 1.x:

endpoints:
    info:
        sensitive: false
    mappings:
        sensitive: true
management:
    security:
        roles: MY_ADMIN

in 2.x you write it like this instead:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * name: TestWebSecurityConfigureAdapter
 *
 * @author aboruo
 * @Description an example on adding our custom WebSecurityConfigurerAdapter
 * @Date create in 2019/9/9 20:50.
 */
@EnableWebSecurity
public class TestWebSecurityConfigureAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This adapter has no requestMatcher, so it is the one chain for every URL of the
        // application: csrf().disable() applies to the whole application, not only to
        // actuator, and any URL outside /actuator matches none of the rules below and is
        // therefore left unsecured once the Spring Boot default chain has backed off.
        http.csrf().disable().authorizeRequests()
                .antMatchers("/actuator/health", "/actuator/info")
                .permitAll()
                .antMatchers("/actuator/**")
                .hasRole("MY_ADMIN")   // expects the granted authority ROLE_MY_ADMIN
                .and().httpBasic();
    }

}


Note that in 2.x, health and info are accessible without authentication by default (health details, however, are not shown by default). To stay consistent with these new defaults, health has been added to the first matcher above.

How endpoint security is implemented in Spring Boot 2.x when no custom Spring Security configuration is provided (to be continued)

1. First, find the auto-configuration class in the spring.factories file of spring-boot-autoconfigure: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration


Looking at this class:

package org.springframework.boot.autoconfigure.security.servlet;

import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.SecurityDataConfiguration;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.authentication.AuthenticationEventPublisher;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;

/**
 * {@link EnableAutoConfiguration Auto-configuration} for Spring Security.
 *
 * @author Dave Syer
 * @author Andy Wilkinson
 * @author Madhura Bhave
 * @since 1.0.0
 */
@Configuration
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)   // only when Spring Security is on the classpath
@EnableConfigurationProperties(SecurityProperties.class)
@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
        SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {

    @Bean
    @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
    public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
        return new DefaultAuthenticationEventPublisher(publisher);
    }

}
DefaultAuthenticationEventPublisher: the authentication event publisher used by default (registered only if the application has not defined its own AuthenticationEventPublisher bean).
SecurityProperties: the configuration properties class for security settings, bound to keys prefixed with spring.security. SecurityAutoConfiguration also imports several key configuration classes:
① SpringBootWebSecurityConfiguration
package org.springframework.boot.autoconfigure.security.servlet;

import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * The default configuration for web security. It relies on Spring Security's
 * content-negotiation strategy to determine what sort of authentication to use. If the
 * user specifies their own {@link WebSecurityConfigurerAdapter}, this will back-off
 * completely and the users should specify all the bits that they want to configure as
 * part of the custom security configuration.
 *
 * @author Madhura Bhave
 * @since 2.0.0
 */
@Configuration
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)   // backs off as soon as the user defines an adapter
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {

    // An empty adapter: it inherits the defaults of WebSecurityConfigurerAdapter
    // (all requests authenticated, form login and HTTP Basic) at BASIC_AUTH_ORDER.
    @Configuration
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {

    }

}


This is Spring Boot's default security configuration class; it relies on Spring Security's content-negotiation strategy to decide which kind of authentication to use. From the code we can see:
  • It only applies when WebSecurityConfigurerAdapter is on the classpath, and it registers a single empty adapter at SecurityProperties.BASIC_AUTH_ORDER, which means every request must be authenticated;
  • As soon as the user defines their own WebSecurityConfigurerAdapter bean, SpringBootWebSecurityConfiguration backs off completely, so the user's adapter has to cover everything it wants secured;
  • It only takes effect when the application is a web application of type SERVLET.
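The back-off described above is the point where migrations usually go wrong: the migrated adapter earlier in this post only has rules for /actuator/**, and with the Boot default chain gone, every other URL of the application matches no rule and is served anonymously. The following is an added example (not code from the original post or from Spring Boot) of the layout I would use instead: one chain scoped to actuator via EndpointRequest, a second chain that locks down the rest, and a MockMvc test that proves both. It assumes a Spring Boot 2.x application (2.0 to 2.3, where WebSecurityConfigurerAdapter and the JUnit 4 SpringRunner are the defaults) with spring-boot-starter-actuator, spring-boot-starter-security, spring-boot-starter-test and spring-security-test on the classpath and a @SpringBootApplication class in a parent package; the class names SecurityConfig, ActuatorSecurity, ApplicationSecurity and ActuatorSecurityTest and the user names "dev" and "ops" are mine.

```java
// ---- src/main/java/.../SecurityConfig.java (added example, hypothetical names) ----
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Two ordered filter chains. Because any WebSecurityConfigurerAdapter bean makes
 * SpringBootWebSecurityConfiguration back off, the second chain is what keeps the
 * non-actuator URLs of the application from becoming anonymous.
 * Each adapter needs a distinct @Order; Spring Security refuses duplicates at startup.
 */
@Configuration
public class SecurityConfig {

    /** Chain 1 only ever sees requests under the actuator base path. */
    @Configuration
    @Order(1)
    public static class ActuatorSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // EndpointRequest follows management.endpoints.web.base-path, unlike a
            // hard-coded "/actuator/**" pattern that silently stops matching if the
            // base path is changed.
            http.requestMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeRequests()
                    .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                    .anyRequest().hasRole("MY_ADMIN")   // authority ROLE_MY_ADMIN
                .and()
                .httpBasic();
            // CSRF stays enabled here. If a non-browser client must POST to an actuator
            // endpoint (loggers, shutdown), disable it on this chain only, never globally.
        }
    }

    /** Chain 2 handles everything else: no URL is left without a rule. */
    @Configuration
    @Order(2)
    public static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                .and()
                .httpBasic();
        }
    }
}

// ---- src/test/java/.../ActuatorSecurityTest.java (added example) ----
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest(properties = {
        "management.endpoints.web.exposure.include=health,info,env",
        "management.endpoint.health.show-details=when-authorized",   // details only for ...
        "management.endpoint.health.roles=MY_ADMIN" })                // ... this role
@AutoConfigureMockMvc
public class ActuatorSecurityTest {

    @Autowired
    private MockMvc mvc;

    @Test
    public void healthAndInfoArePublic() throws Exception {
        mvc.perform(get("/actuator/health")).andExpect(status().isOk());
        mvc.perform(get("/actuator/info")).andExpect(status().isOk());
    }

    @Test
    public void otherEndpointsNeedTheAdminRole() throws Exception {
        mvc.perform(get("/actuator/env")).andExpect(status().isUnauthorized());               // anonymous
        mvc.perform(get("/actuator/env").with(user("dev").roles("USER"))).andExpect(status().isForbidden());
        mvc.perform(get("/actuator/env").with(user("ops").roles("MY_ADMIN"))).andExpect(status().isOk());
    }

    @Test
    public void restOfTheApplicationIsNotLeftOpen() throws Exception {
        // Would be served anonymously with the single-chain adapter shown earlier in the post.
        mvc.perform(get("/anything")).andExpect(status().isUnauthorized());
    }
}
```

The last test is the one worth keeping in any project that customizes security: it fails the moment someone replaces the two chains with a single adapter that only lists actuator paths.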
② WebSecurityEnablerConfiguration: this is an enabler configuration class. As its name suggests, it only takes effect when a bean of type WebSecurityConfigurerAdapter exists in the ApplicationContext, and its job is to make sure @EnableWebSecurity is in effect for such beans, even if the user wrote a custom adapter and forgot the annotation. It backs off if a bean named springSecurityFilterChain has already been configured.

package org.springframework.boot.autoconfigure.security.servlet;

import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * If there is a bean of type WebSecurityConfigurerAdapter, this adds the
 * {@link EnableWebSecurity} annotation. This will make sure that the annotation is
 * present with default security auto-configuration and also if the user adds custom
 * security and forgets to add the annotation. If {@link EnableWebSecurity} has already
 * been added or if a bean with name {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has
 * been configured by the user, this will back-off.
 *
 * @author Madhura Bhave
 * @since 2.0.0
 */
@Configuration
@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)   // "springSecurityFilterChain"
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {

}


③ SecurityDataConfiguration: when SecurityEvaluationContextExtension is on the classpath (that is, spring-security-data is present), it automatically adds Spring Security's integration with Spring Data, unless the application already defines that bean itself.

package org.springframework.boot.autoconfigure.security;

import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;

/**
 * Automatically adds Spring Security's integration with Spring Data.
 *
 * @author Rob Winch
 * @since 1.3.0
 */
@Configuration
@ConditionalOnClass(SecurityEvaluationContextExtension.class)
public class SecurityDataConfiguration {

    // Exposes the current Authentication (as "principal", "authentication", hasRole(...) etc.)
    // to SpEL expressions inside Spring Data @Query definitions.
    @Bean
    @ConditionalOnMissingBean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }

}
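What that extension actually buys you is row-level filtering bound to the logged-in user inside the query, instead of trusting an owner name that arrives with the request. Here is an added example (mine, not from the original post or from Spring Boot) showing the two side by side. It assumes spring-boot-starter-data-jpa and spring-boot-starter-security on the classpath, with the extension bean registered by the auto-configuration above; Document, DocumentRepository, DocumentService and the method names are hypothetical.

```java
// Added example; Document, DocumentRepository and DocumentService are hypothetical names.
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.stereotype.Service;

@Entity
class Document {

    @Id
    @GeneratedValue
    private Long id;

    /** Username of the principal that owns this row. */
    private String owner;

    private String body;

    protected Document() {
        // required by JPA
    }

    Document(String owner, String body) {
        this.owner = owner;
        this.body = body;
    }

    String getOwner() {
        return owner;
    }

    String getBody() {
        return body;
    }
}

interface DocumentRepository extends JpaRepository<Document, Long> {

    /** The caller supplies the owner, so every caller has to get the check right. */
    List<Document> findByOwner(String owner);

    /**
     * "principal" in the SpEL expression is resolved by the SecurityEvaluationContextExtension
     * bean that SecurityDataConfiguration registers; without that bean the repository fails at
     * startup because the expression cannot be evaluated. The "?." guard only covers a null
     * principal: on an anonymous request the principal is the String "anonymousUser", which has
     * no username property, so call this only from authenticated code paths.
     */
    @Query("select d from Document d where d.owner = ?#{principal?.username}")
    List<Document> findOwnedByCurrentUser();
}

@Service
class DocumentService {

    private final DocumentRepository repository;

    DocumentService(DocumentRepository repository) {
        this.repository = repository;
    }

    /** Broken: trusts an owner name taken from the request, so any user can read any owner's rows. */
    List<Document> listForOwnerFromRequest(String ownerParam) {
        return repository.findByOwner(ownerParam);
    }

    /** Fixed: the owner is bound from the security context inside the query itself. */
    List<Document> listMine() {
        return repository.findOwnedByCurrentUser();
    }
}
```

The fixed variant cannot be misused by a controller that forgets the ownership check, because there is no owner parameter to pass in the first place.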


In later installments we will go through the following classes one by one to understand how they work:
SecurityRequestMatcherProviderAutoConfiguration
UserDetailsServiceAutoConfiguration
SecurityFilterAutoConfiguration
OAuth2ClientAutoConfiguration
OAuth2ResourceServerAutoConfiguration

Reposted from: https://www.cnblogs.com/aboruo/p/11494505.html
