Java Spring Boot 1.3.1.RELEASE "Using default security password"
Tags: java, spring-security, spring-boot, spring-security-oauth2

During startup of a Spring Boot 1.3.1.RELEASE application, I noticed the following line in the log:
Using default security password: d60d96ca-1285-41c9-aed7-d5688af74688
What does this mean, and how do I fix it?
I suspect there is something wrong with my application configuration:
Application:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;

@SpringBootApplication
@EnableOAuth2Client
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
Web security configuration:
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.boot.context.embedded.FilterRegistrationBean;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.CompositeFilter;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

// OkUsersClient, OkUserInfoTokenServices and HttpUtils are the application's own classes (not shown here).

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private OAuth2ClientContext oauth2ClientContext;

    @Value("${ok.client.publicKey}")
    private String okClientPublicKey;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .headers().frameOptions().disable()
            .and().logout()
            .and().antMatcher("/**").authorizeRequests()
                .antMatchers("/", "/login**", "/index.html", "/home.html").permitAll()
                .anyRequest().authenticated()
            .and().exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"))
            .and().logout().logoutSuccessUrl("/").permitAll()
            .and().csrf().csrfTokenRepository(csrfTokenRepository())
            .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
                  .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
        // @formatter:on
    }

    // Copies the session CSRF token into an XSRF-TOKEN cookie so that a
    // JavaScript client can send it back in the X-XSRF-TOKEN header.
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                    FilterChain filterChain) throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (cookie == null || token != null && !token.equals(cookie.getValue())) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

    @Bean
    public FilterRegistrationBean oauth2ClientFilterRegistration(OAuth2ClientContextFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(filter);
        registration.setOrder(-100);
        return registration;
    }

    @Bean
    @ConfigurationProperties("ok")
    ClientResources ok() {
        return new ClientResources();
    }

    private Filter ssoFilter() {
        CompositeFilter filter = new CompositeFilter();
        List<Filter> filters = new ArrayList<>();
        filters.add(ssoFilter(ok(), "/login/ok"));
        filter.setFilters(filters);
        return filter;
    }

    private Filter ssoFilter(ClientResources client, String path) {
        OAuth2ClientAuthenticationProcessingFilter clientFilter = new OAuth2ClientAuthenticationProcessingFilter(path);
        OAuth2RestTemplate clientTemplate = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);
        clientFilter.setRestTemplate(clientTemplate);
        OkUsersClient okUsersClient = new OkUsersClient(client.getResource().getUserInfoUri(), okClientPublicKey,
                client.getClient().getClientSecret(), clientTemplate);
        clientFilter.setTokenServices(new OkUserInfoTokenServices(okUsersClient, client.getClient().getClientId()));
        clientFilter.setAuthenticationSuccessHandler(new UrlParameterAuthenticationHandler());
        return clientFilter;
    }

    // Redirects to the original target URL after login, keeping the query string
    // except for the OAuth2 "state" and "code" parameters.
    class UrlParameterAuthenticationHandler extends SimpleUrlAuthenticationSuccessHandler {
        @Override
        protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
                throws IOException, ServletException {
            String targetUrl = determineTargetUrl(request, response);
            if (response.isCommitted()) {
                logger.debug("Response has already been committed. Unable to redirect to " + targetUrl);
                return;
            }
            String queryString = HttpUtils.removeParams(request.getQueryString(), "state", "code");
            targetUrl = !StringUtils.isEmpty(queryString) ? targetUrl + "?" + queryString : targetUrl;
            getRedirectStrategy().sendRedirect(request, response, targetUrl);
        }
    }

    class ClientResources {
        private OAuth2ProtectedResourceDetails client = new AuthorizationCodeResourceDetails();
        private ResourceServerProperties resource = new ResourceServerProperties();

        public OAuth2ProtectedResourceDetails getClient() {
            return client;
        }

        public ResourceServerProperties getResource() {
            return resource;
        }
    }
}
If you have Spring Security in your project (which you do, because of EnableOAuth2Client) and you do not specify a user and password, Spring Boot at least creates a secure password for you (you may want to read about it in the reference documentation):

If Spring Security is on the classpath then web applications will be secure by default with "basic" authentication on all HTTP endpoints. To add method-level security to a web application you can also add @EnableGlobalMethodSecurity with your desired settings. Additional information can be found in the Spring Security Reference.

The default AuthenticationManager has a single user ("user" username and random password, printed at INFO level when the application starts up):

Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35

You should set these values to avoid that:
security.user.name=...
security.user.password=...
security.user.role=...
Converted to application.yml, it looks like this:
security:
  user:
    name: ...
    password: ...
    role: ...
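The answer covers the property-based fix. As an added example (not part of the question or the answer), the same default account can be replaced from Java code: Spring Boot 1.x only registers its auto-configured "user" when nothing else has configured the global AuthenticationManagerBuilder, so defining your own account through an injected builder, as the Boot 1.x how-to recommends, means the random password is neither generated nor logged. The class name and the app.ops.* property names are assumptions; the question's WebSecurityConfiguration stays unchanged.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

/**
 * Added example: defines the application's own account instead of relying on
 * Spring Boot 1.x's auto-configured "user" with a random password.
 *
 * Boot adds that default account only when the global
 * AuthenticationManagerBuilder has not been configured by anything else, so
 * once this method has registered a user, the line
 * "Using default security password: ..." is no longer printed and no
 * auto-generated credential guards the basic-auth-protected endpoints.
 * Keep this in its own class: the Boot how-to warns that mixing it with other
 * @Bean methods can change the order in which it runs.
 */
@Configuration
public class OperatorAccountConfiguration {

    // Hypothetical property names; supply them from application.properties,
    // an environment variable or a secrets store rather than hard-coding them.
    @Value("${app.ops.username}")
    private String opsUsername;

    @Value("${app.ops.password}")
    private String opsPassword;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Interactive users still authenticate through the external OAuth2
        // provider set up in the question's WebSecurityConfiguration. This
        // single account covers the endpoints that remain behind HTTP Basic,
        // for example the actuator endpoints. "ADMIN" is the role Boot 1.3
        // expects for management endpoints by default (management.security.role).
        auth.inMemoryAuthentication()
            .withUser(opsUsername)
            .password(opsPassword)
            .roles("ADMIN");
    }
}
```

This is the programmatic equivalent of setting security.user.name, security.user.password and security.user.role. With an in-memory store and no PasswordEncoder configured, Spring Security 4 compares the password as given, so the property value is a secret and should be managed like one.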
Thanks for the answer. Now I am trying to understand why I need to define such a user if I have already secured my application with an external OAuth2 provider.

Why? To prevent an "open door". There are many endpoints that need to be protected, which is why Spring Security sets up this default user. The actuator endpoints, for example, also need protection.

@Marged Why do you need a user in order to protect an endpoint? A user is needed to retrieve the contents of a protected endpoint, not to protect it.

@YannicKlem Replace "user" with "username". Some endpoints are security-relevant, so you need to log in, and for that you need a username and password.

Of course, but that is not the point of his question. He asked why there has to be a default user when an external OAuth2 provider is used. Of course the endpoints should be secured, but a default user is not required for that.