feat: add config option to allow disabling Basic authentication (#6689)

#### What type of PR is this? /milestone 2.20.x /area core /kind improvement #### What this PR does / why we need it: 允许通过 `halo.security.basic-auth.disabled=true` 配置来禁用 Basic Auth 认证 #### Which issue(s) this PR fixes: Fixes #5408 #### Does this PR introduce a user-facing change? ```release-note 允许通过 `halo.security.basic-auth.disabled=true` 配置来禁用 Basic Auth 认证，在 2.20 版本生产环境下默认禁用了 Basic Auth ```
halo-dev · Sep 30, 2024 · 56804c9 · 56804c9
1 parent 875a804
commit 56804c9
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/application/src/main/java/run/halo/app/infra/config/WebServerSecurityConfig.java b/application/src/main/java/run/halo/app/infra/config/WebServerSecurityConfig.java
@@ -1,6 +1,5 @@
 package run.halo.app.infra.config;
 
-import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.web.server.authentication.ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.builder;
 import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
 
@@ -109,7 +108,11 @@ SecurityWebFilterChain filterChain(ServerHttpSecurity http,
                 spec.principal(AnonymousUserConst.PRINCIPAL);
             })
             .securityContextRepository(securityContextRepository)
-            .httpBasic(withDefaults())
+            .httpBasic(basic -> {
+                if (haloProperties.getSecurity().getBasicAuth().isDisabled()) {
+                    basic.disable();
+                }
+            })
             .oauth2ResourceServer(oauth2 -> {
                 var authManagerResolver = builder().add(
                         new PatServerWebExchangeMatcher(),

diff --git a/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java b/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java
@@ -18,6 +18,16 @@ public class SecurityProperties {
 
     private final TwoFactorAuthOptions twoFactorAuth = new TwoFactorAuthOptions();
 
+    private final BasicAuthOptions basicAuth = new BasicAuthOptions();
+
+    @Data
+    public static class BasicAuthOptions {
+        /**
+         * Whether basic authentication is disabled.
+         */
+        private boolean disabled = true;
+    }
+
     @Data
     public static class TwoFactorAuthOptions {
 

diff --git a/application/src/main/resources/application-dev.yaml b/application/src/main/resources/application-dev.yaml
@@ -15,6 +15,9 @@ spring:
         use-last-modified: false
 
 halo:
+  security:
+    basic-auth:
+      disabled: false
   console:
     proxy:
       endpoint: http://localhost:3000/