0. 概述

以前我們配置 SpringSecurity 的方式是繼承 WebSecurityConfigurerAdapter ，然后重寫其中的幾個方法：

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    //配置 Spring Security 中的過濾器鏈
    @Override
    void configure(HttpSecurity http) {}

    //配置路徑放行規則
    @Override
    void configure(WebSecurity web) {}

    //配置本地認證管理器
    @Override
    void configure(AuthenticationManagerBuilder auth) {}

    //配置全局認證管理器
    @Override
    AuthenticationManager authenticationManagerBean() {}
}

目前這個類已經過期，雖然可以繼續使用，但是總覺得別扭。那么它的替代方案是什么？下面我來為大家一一介紹。

1. HttpSecurity

原寫法：

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .antMatcher("/**")
        .authorizeRequests(authorize - > authorize
                .anyRequest().authenticated()
        );
}

新寫法：

@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
            .antMatcher("/**")
            .authorizeRequests(authorize - > authorize
                    .anyRequest().authenticated()
            )
            .build();
}

2. WebSecurity

原寫法：

@Override
public void configure(WebSecurity web) {
    web.ignoring().antMatchers("/ignore1", "/ignore2");
}

新寫法：

@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) - > web.ignoring().antMatchers("/ignore1", "/ignore2");
}

WebSecurity配置不常使用，如果需要忽略Url，推薦通過 HttpSecurity.authorizeHttpRequests 的 permitAll 來實現。

3. AuthenticationManager

原寫法：

@Autowired
private UserDetailsService userDetailsService;

@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
    return new BCryptPasswordEncoder();
}

//Local
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}

//Global
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

新寫法：

@Autowired
private UserDetailsService userDetailsService;

@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
    return new BCryptPasswordEncoder();
}

//Local
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests((authz) - > authz
            .anyRequest().authenticated()
        )
        .httpBasic(withDefaults())
        .authenticationManager(new CustomAuthenticationManager());
}

//Global
@Bean
public AuthenticationManager authenticationManager(HttpSecurity httpSecurity) throws Exception {
    return httpSecurity.getSharedObject(AuthenticationManagerBuilder.class)
            .userDetailsService(userDetailsService)
            .passwordEncoder(bCryptPasswordEncoder())
            .and()
            .build();
}

4. 心得

技術是不斷迭代的，我們作為技術人員，不能墨守成規，要學會擁抱變化。