Spring Boot，Spring Security - 基于 XML 的配置

Question

Spring Boot 2.3.4，Spring Security，保护 REST 控制器（端点）。

我有一个使用 Java 配置类的解决方案，但现在我的任务是使用 XML 来完成。

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    public static final String USER = "USER";
    public static final String ADMIN = "ADMIN";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user")
                .password("{noop}" + "user123")
                .roles(USER)
            .and()
                .withUser("admin")
                .password("{noop}" + "admin456")
                .roles(ADMIN, USER);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and()
            .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .antMatchers("/path1/**").hasRole(ADMIN)
                .antMatchers("/path2/**").hasRole(USER)
                .antMatchers(HttpMethod.DELETE, "/path3/{name}").hasRole(ADMIN)
                .antMatchers(HttpMethod.GET, "/path3/{name}").hasRole(USER)
                // more antMatchers...
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable()
            .formLogin().disable();
    }    
}

以前从未做过基于 XML 的配置，这一定是过去经常做的事情。不管怎样，得到了用 XML 完成的任务。

不知道怎么做。 需要哪些部分，只是 XML 文件，还是仍然是 Java 配置文件（如 WebSecurityConfig.java）？

Answer 1

我尝试了以下

WebSecurityConfig.java

@Configuration
@ImportResource({ "classpath:webSecurityConfig.xml" })
public class WebSecurityConfig {
    public WebSecurityConfig() {
        super();
    }    
}

webSecurityConfig.xml

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security" 
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
             xmlns:beans="http://www.springframework.org/schema/beans"
             xsi:schemaLocation="
                http://www.springframework.org/schema/security 
                http://www.springframework.org/schema/security/spring-security.xsd 
                http://www.springframework.org/schema/beans 
                http://www.springframework.org/schema/beans/spring-beans.xsd">

    <http create-session="stateless" use-expressions="true">        
        <intercept-url pattern="/" access="permitAll()"/>
        <intercept-url pattern="/login" access="permitAll()"/>
        <intercept-url pattern="/path1/**" access="hasAuthority('ROLE_ADMIN')"/>
        <intercept-url pattern="/path2/**" access="hasAuthority('ROLE_USER')"/>
        <intercept-url method="DELETE" pattern="/path3/{name}" access="hasAuthority('ROLE_ADMIN')"/>
        <intercept-url method="GET" pattern="/path3/{name}" access="hasAuthority('ROLE_USER')"/>

        <http-basic/>         
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="{noop}user123" authorities="ROLE_USER"/>
                <user name="admin" password="{noop}admin456" authorities="ROLE_USER,ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

但在启动时显示以下错误

***************************
APPLICATION FAILED TO START
***************************

Description:

Parameter 0 of method setObjectPostProcessor in org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter required a bean of type 'org.springframework.security.config.annotation.ObjectPostProcessor' that could not be found.

Action:

Consider defining a bean of type 'org.springframework.security.config.annotation.ObjectPostProcessor' in your configuration.

不确定有什么问题或遗漏。到目前为止，Google 的帮助不是很大。