WebSecurityConfig

朴灿烈づ我的快乐病毒、 2021-11-26 10:58 191阅读 0赞

package me.zhengjie.core.config;
    
    import me.zhengjie.core.security.JwtAuthenticationEntryPoint;
    import me.zhengjie.core.security.JwtAuthorizationTokenFilter;
    import me.zhengjie.core.service.JwtUserDetailsService;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
    
    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Autowired
        private JwtAuthenticationEntryPoint unauthorizedHandler;
    
        @Autowired
        private JwtUserDetailsService jwtUserDetailsService;
    
        /**
         * 自定义基于JWT的安全过滤器
         */
        @Autowired
        JwtAuthorizationTokenFilter authenticationTokenFilter;
    
        @Value("${jwt.header}")
        private String tokenHeader;
    
        @Value("${jwt.auth.path}")
        private String authenticationPath;
    
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                    .userDetailsService(jwtUserDetailsService)
                    .passwordEncoder(passwordEncoderBean());
        }
    
        @Bean
        public PasswordEncoder passwordEncoderBean() {
            return new BCryptPasswordEncoder();
        }
    
        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
    
        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity
    
                    // 禁用 CSRF
                    .csrf().disable()
    
                    // 授权异常
                    .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
    
                    // 不创建会话
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                    .authorizeRequests()
    
                    .antMatchers("/auth/**").permitAll()
                    .antMatchers("/websocket/**").permitAll()
                    .antMatchers("/druid/**").anonymous()
    
                    // 支付宝回调
                    .antMatchers("/api/aliPay/return").anonymous()
                    .antMatchers("/api/aliPay/notify").anonymous()
    
                    // swagger start
                    .antMatchers("/swagger-ui.html").anonymous()
                    .antMatchers("/swagger-resources/**").anonymous()
                    .antMatchers("/webjars/**").anonymous()
                    .antMatchers("/*/api-docs").anonymous()
                    // swagger end
    
                    .antMatchers("/test/**").anonymous()
                    .antMatchers(HttpMethod.OPTIONS, "/**").anonymous()
                    // 所有请求都需要认证
                    .anyRequest().authenticated();
    
            httpSecurity
                    .addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
        }
    
        @Override
        public void configure(WebSecurity web) throws Exception {
            // AuthenticationTokenFilter will ignore the below paths
            web.ignoring()
                .antMatchers(
                        HttpMethod.POST,
                        authenticationPath
                )
    
                // allow anonymous resource requests
                .and()
                .ignoring()
                .antMatchers(
                        HttpMethod.GET,
                        "/*.html",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js"
                );
        }
    }

转载于:https://www.cnblogs.com/tonggc1668/p/11216255.html