问题描述
问题1:在Spring Security中,究竟是什么功能
Question1: In Spring Security, what exactly is the function
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
Spring 文档说明如下,但我不确定我是否理解清楚
Spring Documentation States the below, but I am not sure I understand it clearly
要覆盖访问规则而不更改任何其他自动配置的功能,请添加类型为 WebSecurityConfigurerAdapter 的 @Bean 和 @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).
根据我的理解,Spring Security 中各种安全特性的排序如下(LowestValue i.e. Highest Precedence to Highest Value i.e. Lowest Precedence)
The ordering of various security features in Spring Security are as below as per my understanding (LowestValue i.e. Highest Precedence to Highest Value i.e. Lowest Precedence)
Ordered.HIGHEST_PRECEDENCE= -2^31-1- WebSecurityConfigurerAdapter = 100(基于文档中提到的@Order(100))
Ordered.HIGHEST_PRECEDENCE= -2^31-1- WebSecurityConfigurerAdapter = 100 (Based on @Order(100) mentioned in Docs)
Access_Override_Order = Basic_Auth_Order -2用于安全属性Access_Override_Order = Basic_Auth_Order -1用于 ManagementServerPropertiesBasic_Auth_Order-2= 2^31-7
Access_Override_Order = Basic_Auth_Order -2for Security PropertiesAccess_Override_Order = Basic_Auth_Order -1for ManagementServerPropertiesBasic_Auth_Order-2= 2^31-7
Basic_Auth_Order = Ordered.Lowest_Precendence -5 = 2^31-5Ordered.LOWEST_PRECEDENCE = 2^31问题 2基于上述各种安全功能的排序,如果我想覆盖管理端点和应用程序其余部分的默认规则,我应该使用
Question2Based on the ordering of various security features above, If I want to override default rules for both Management Endpoints and the Rest of the application, should I use
- SecurityPropertiesACCESS_OVERRIDE_ORDER 或
- ManagementServerProperties ACCESS_OVERRIDE_ORDER ?
我目前正在使用 SecurityProperties ACCESS_OVERRIDE_ORDER 但基于建议 此处 要使 ACTUATOR 工作,我需要启用 ManagementServerProperties ACCESS_OVERRIDE_ORDER.如果我想让两者都工作,我应该覆盖哪一个?
I am currently using SecurityProperties ACCESS_OVERRIDE_ORDER but based on the suggestion here to get ACTUATOR working I need to enable ManagementServerProperties ACCESS_OVERRIDE_ORDER. Which one should I override if I want both working ?
谢谢.
推荐答案
Q1.问题1:在Spring Security中,注解@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)究竟是做什么的?
它的作用在您引用的文档中得到了很好的解释.
Q1. Question1: In Spring Security, what exactly does the annotation @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) do?
What it does is well explained in the documentation you quoted.
要覆盖访问规则而不更改任何其他自动配置的功能,请添加类型为 WebSecurityConfigurerAdapter 的 @Bean 和 @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).
但是具有 @Order(100) 的 WebSecurityConfigurerAdapter 具有更高的优先级.
But then WebSecurityConfigurerAdapter, which has @Order(100), takes higher priority.
没有
你应该注意这部分autoconfigured features.使用作为 @SpringBootApplication 一部分的 @EnableAutoConfiguration,很多东西都是自动配置的,100 不是自动配置的值,而是WebSecurityConfigurerAdapter 类上的硬编码值.
You should be careful about this part autoconfigured features. Using @EnableAutoConfiguration which is a part of @SpringBootApplication, a lot of things are auto-configured and 100 is not a auto-configured value but a hard-coded value on the WebSecurityConfigurerAdapter class.
您可以在 SecurityProperties 类中找到用于 Spring Security 自动配置的 order 值,您可以发现 ACCESS_OVERRIDE_ORDER 的值是最低的,这意味着它需要最高优先级.
You can find order values used for auto-configuring for Spring Security in SecurityProperties class and you can find out that the value of ACCESS_OVERRIDE_ORDER is the lowest which means it takes the highest priority.
它们在哪里自动配置?
你会发现@Order(SecurityProperties.BASIC_AUTH_ORDER)是在SpringBootWebSecurityConfiguration类中使用的.
You can find that @Order(SecurityProperties.BASIC_AUTH_ORDER) is used in SpringBootWebSecurityConfiguration class.
那WebSecurityConfigurerAdapter的注解@Order(100)什么时候使用?
Then when is the annotation @Order(100) of WebSecurityConfigurerAdapter used?
例如,如果您通过添加 @EnableWebSecurity 禁用自动配置,则将使用该值.由于值 100 的优先级太高,最好在案例中将 @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) 注释放在您的自定义类中.
For example, if you disable the auto-configuring by adding @EnableWebSecurity, the value would be used. As the value 100 takes too high priority, it'd be better to put @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) annotation in your custom class in the case.
使用ManagementServerProperties ACCESS_OVERRIDE_ORDER.
它具有更高的优先级,因此如果您想覆盖所有端点的默认规则,则必须使用它.如果您打开 ManagementServerProperties 类,您可以看到这些值是如何设置的.
It takes higher priority so you must use it if you want to override default rules for all end points. You can see how the values are set if you open the ManagementServerProperties class.
在SecurityProperties
int ACCESS_OVERRIDE_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 2; // 39
int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5; // 41
在ManagementServerProperties
int BASIC_AUTH_ORDER = SecurityProperties.BASIC_AUTH_ORDER - 5; // 36
int ACCESS_OVERRIDE_ORDER = ManagementServerProperties.BASIC_AUTH_ORDER - 1; // 35
在注释中,39 表示 21474839,为了便于阅读,我省略了前 6 位数字.
In the comment, 39 means 21474839, I've omitted the first 6 digits for readability.
这篇关于@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) 与 Spring Security 中的 ManagementServerProperties.ACCESS_OVERRIDE_ORDER的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!