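Spring Boot 2 has finally been released, and I tried upgrading from 1.5.10 to 2.0.0. As expected, all sorts of small problems came up.
1. Some configuration properties were removed in 2.0, for example server.context-path and security.ignored.
server.context-path is replaced by the new server.servlet.context-path.
security.ignored is removed outright. Spring Boot no longer provides a default configuration for it; it must be configured in code: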
@Value("${security.ignored:/css/**, /js/**,/images/**, /webjars/**, /**/favicon.ico,/Hplus4.1/**,/assets/**}")
String[] antPatterns;

// Spring Boot configured this already.
@Override
public void configure(WebSecurity web) {
    // Requests matching these patterns bypass the Spring Security filter chain entirely.
    web.ignoring().antMatchers(antPatterns);
    // web.ignoring().requestMatchers(PathRequest.toStaticResources().atCommonLocations());
}
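2. The default JDK version for Spring Boot 2 is 1.8, so anyone still on 1.6 has to upgrade the JDK first. A lot of the code uses lambda expressions. It uses Thymeleaf 3.0, and Spring Security is upgraded to 5.0.3.
3. Some problems I ran into after Spring Security was upgraded to 5.0.3: the default PasswordEncoder no longer needs a salt, and the old PasswordEncoder has been removed from the source code entirely. The default implementation is the DelegatingPasswordEncoder created by PasswordEncoderFactories. If you use the default DelegatingPasswordEncoder, the stored password format is {encoding method}encoded password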
/**
 * Used for creating {@link PasswordEncoder} instances
 * @author Rob Winch
 * @since 5.0
 */
public class PasswordEncoderFactories {

    /**
     * Creates a {@link DelegatingPasswordEncoder} with default mappings. Additional
     * mappings may be added and the encoding will be updated to conform with best
     * practices. However, due to the nature of {@link DelegatingPasswordEncoder} the
     * updates should not impact users. The mappings current are:
     *
     * <ul>
     * <li>bcrypt - {@link BCryptPasswordEncoder} (Also used for encoding)</li>
     * <li>ldap - {@link LdapShaPasswordEncoder}</li>
     * <li>MD4 - {@link Md4PasswordEncoder}</li>
     * <li>MD5 - {@code new MessageDigestPasswordEncoder("MD5")}</li>
     * <li>noop - {@link NoOpPasswordEncoder}</li>
     * <li>pbkdf2 - {@link Pbkdf2PasswordEncoder}</li>
     * <li>scrypt - {@link SCryptPasswordEncoder}</li>
     * <li>SHA-1 - {@code new MessageDigestPasswordEncoder("SHA-1")}</li>
     * <li>SHA-256 - {@code new MessageDigestPasswordEncoder("SHA-256")}</li>
     * <li>sha256 - {@link StandardPasswordEncoder}</li>
     * </ul>
     *
     * @return the {@link PasswordEncoder} to use
     */
    public static PasswordEncoder createDelegatingPasswordEncoder() {
        String encodingId = "bcrypt";
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put(encodingId, new BCryptPasswordEncoder());
        encoders.put("ldap", new LdapShaPasswordEncoder());
        encoders.put("MD4", new Md4PasswordEncoder());
        encoders.put("MD5", new MessageDigestPasswordEncoder("MD5"));
        encoders.put("noop", NoOpPasswordEncoder.getInstance());
        encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        encoders.put("SHA-1", new MessageDigestPasswordEncoder("SHA-1"));
        encoders.put("SHA-256", new MessageDigestPasswordEncoder("SHA-256"));
        encoders.put("sha256", new StandardPasswordEncoder());

        return new DelegatingPasswordEncoder(encodingId, encoders);
    }

    private PasswordEncoderFactories() {}
}
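The commented-out part shows the password format that has to be used after upgrading to 2.0. If you do not want to change the passwords, specify a PasswordEncoder implementation class explicitly.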
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    /*
    auth.inMemoryAuthentication()
            .withUser("user").password("{noop}password").roles("USER")
            .and()
            .withUser("admin").password("{noop}password").roles("ADMIN")
            .and()
            .withUser("test").password("{noop}password").roles("ADMIN");
    */
    // NoOpPasswordEncoder compares plaintext and is deprecated in Spring Security 5;
    // it keeps the old unprefixed passwords working for this demo only.
    auth.inMemoryAuthentication().passwordEncoder(NoOpPasswordEncoder.getInstance())
            .withUser("user").password("password").roles("USER")
            .and()
            .withUser("admin").password("password").roles("ADMIN")
            .and()
            .withUser("test").password("password").roles("ADMIN");
    auth.authenticationProvider(new UserSignAuthenticationProvider());
}
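The {id} prefix format from item 3 matters most for password records that were stored before the upgrade. The following is an added example, not code from the original post or from Spring Security itself; the class name PasswordFormatDemo, the sample password, and the assumption that the 1.5.x application stored unprefixed bcrypt hashes are all hypothetical. It shows how the default encoder treats an unprefixed hash and one way to migrate such records to the {bcrypt} format on successful login.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (not from the original post). Requires spring-security-crypto 5.x on the classpath.
public class PasswordFormatDemo {

    public static void main(String[] args) {
        String raw = "s3cret"; // constructed sample password

        // Assumption: the 1.5.x application stored plain bcrypt hashes with no {id} prefix.
        String legacyHash = new BCryptPasswordEncoder().encode(raw);

        // Default encoder in Spring Security 5: output is "{bcrypt}" followed by the hash.
        PasswordEncoder strict = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        System.out.println("new format: " + strict.encode(raw));

        // A stored value without an {id} prefix cannot be mapped to a delegate,
        // so matches() throws instead of returning false.
        try {
            strict.matches(raw, legacyHash);
        } catch (IllegalArgumentException e) {
            System.out.println("legacy hash rejected: " + e.getMessage());
        }

        // Migration: let prefix-less values fall back to bcrypt for matching only.
        DelegatingPasswordEncoder migrating =
                (DelegatingPasswordEncoder) PasswordEncoderFactories.createDelegatingPasswordEncoder();
        migrating.setDefaultPasswordEncoderForMatches(new BCryptPasswordEncoder());

        String stored = legacyHash;
        if (migrating.matches(raw, stored)) {
            // Successful login: re-encode once so the record carries the {bcrypt} prefix.
            if (!stored.startsWith("{")) {
                stored = migrating.encode(raw);
            }
        }
        System.out.println("upgraded record: " + stored);
        System.out.println("strict encoder accepts it: " + strict.matches(raw, stored));
    }
}
```

Once every record has been rewritten with a prefix, the fallback encoder can be dropped and the default DelegatingPasswordEncoder used on its own.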
4. The spring-security-oauth and spring-session dependency versions have to be specified explicitly. Spring Boot 2 may not yet have finished testing these two components.
<spring-security-jwt.version>1.0.9.RELEASE</spring-security-jwt.version>
<spring-security-oauth.version>2.2.1.RELEASE</spring-security-oauth.version>
<spring-session.version>1.3.1.RELEASE</spring-session.version>
Spring Boot 2.0 branch: https://gitee.com/json20080301/spring-boot-spring-security-thymeleaf/tree/master/
The original 1.5.10 version is on another branch: https://gitee.com/json20080301/spring-boot-spring-security-thymeleaf/tree/1.5.10/