inleft
2022-03-02 34223b096cf6ad9d92c3702bb9529e764f523b11
9bcb19 1 /*
I 2 Copyright [2020] [https://www.xiaonuo.vip]
3
4 Licensed under the Apache License, Version 2.0 (the "License");
5 you may not use this file except in compliance with the License.
6 You may obtain a copy of the License at
7
8   http://www.apache.org/licenses/LICENSE-2.0
9
10 Unless required by applicable law or agreed to in writing, software
11 distributed under the License is distributed on an "AS IS" BASIS,
12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 See the License for the specific language governing permissions and
14 limitations under the License.
15
16 Snowy采用APACHE LICENSE 2.0开源协议,您在使用过程中,需要注意以下几点:
17
18 1.请不要删除和修改根目录下的LICENSE文件。
19 2.请不要删除和修改Snowy源码头部的版权声明。
20 3.请保留源码和相关描述文件的项目出处,作者声明等。
21 4.分发源码时候,请注明软件出处 https://gitee.com/xiaonuobase/snowy
22 5.在修改包名,模块名称,项目代码等时,请注明软件出处 https://gitee.com/xiaonuobase/snowy
23 6.若您的项目无法满足以上几点,可申请商业授权,获取Snowy商业授权许可,请在官网购买授权,地址为 https://www.xiaonuo.vip
24  */
25 package vip.xiaonuo.sys.config;
26
27 import org.springframework.context.annotation.Bean;
28 import org.springframework.context.annotation.Configuration;
29 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
30 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
31 import org.springframework.security.config.http.SessionCreationPolicy;
32 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
33 import org.springframework.web.cors.CorsConfiguration;
34 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
35 import org.springframework.web.filter.CorsFilter;
36 import vip.xiaonuo.core.consts.SpringSecurityConstant;
37 import vip.xiaonuo.sys.core.filter.security.JwtAuthenticationTokenFilter;
38 import vip.xiaonuo.sys.core.filter.security.entrypoint.JwtAuthenticationEntryPoint;
39 import vip.xiaonuo.sys.modular.auth.service.impl.AuthServiceImpl;
40
41 import javax.annotation.Resource;
42
/**
 * Spring Security configuration: a stateless setup in which a JWT filter runs
 * ahead of the username/password filter, with an allow-all CORS policy.
 *
 * <p>Review notes for maintainers (behaviour is unchanged by these notes):
 * <ul>
 *   <li>CORS accepts every origin, header and method on every path.</li>
 *   <li>CSRF protection is switched off.</li>
 *   <li>The X-Frame-Options response header is switched off.</li>
 *   <li>Every pattern in {@code SpringSecurityConstant.NONE_SECURITY_URL_PATTERNS}
 *       is reachable without authentication.</li>
 * </ul>
 *
 * @author xuyuxiang
 * @date 2020/3/18 10:54
 */
@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Registered below as the UserDetailsService. */
    @Resource
    private AuthServiceImpl authService;

    /** Token filter inserted before UsernamePasswordAuthenticationFilter. */
    @Resource
    private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;

    /** Entry point invoked when an unauthenticated request hits a protected resource. */
    @Resource
    private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;

    /**
     * Registers the cross-origin (CORS) filter.
     *
     * <p>The policy is fully permissive: any origin, any request header and any
     * HTTP method, applied to every path ({@code /**}). This method does not set
     * allowCredentials.
     *
     * <p>NOTE(review): a wildcard origin lets script on any site read the responses
     * it is able to request. If the front-end origins are known, listing them
     * explicitly (ideally from configuration) is the tighter choice; confirm
     * whether the wildcard is needed in production.
     *
     * @return a CorsFilter backed by the allow-all policy
     * @author yubaoshan
     * @date 2020/4/29 9:50
     */
    @Bean
    public CorsFilter corsFilter() {
        final CorsConfiguration allowAllPolicy = new CorsConfiguration();
        allowAllPolicy.addAllowedOrigin("*");
        allowAllPolicy.addAllowedHeader("*");
        allowAllPolicy.addAllowedMethod("*");

        final UrlBasedCorsConfigurationSource policyByPath = new UrlBasedCorsConfigurationSource();
        policyByPath.registerCorsConfiguration("/**", allowAllPolicy);
        return new CorsFilter(policyByPath);
    }

    /**
     * Builds the HTTP security rules.
     *
     * <p>The order of the authorization rules matters: the permitAll patterns are
     * registered first and the catch-all "authenticated" rule last.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @throws Exception propagated from the Spring Security configurers
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {

        httpSecurity
                // CSRF protection is disabled so API test tools can POST without a 403.
                // NOTE(review): this is only sound if the browser never attaches the JWT
                // automatically (i.e. it travels in a request header, not a cookie) -
                // confirm against JwtAuthenticationTokenFilter.
                .csrf().disable()
                // Enable CORS handling.
                .cors().and()
                // The default logout endpoint is turned off; logout is implemented elsewhere.
                .logout().disable()
                // Unauthenticated access to a protected resource is answered by the JWT entry point.
                .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint);

        // Endpoints exempt from authentication. Anything matching one of these patterns
        // is public, so the constant deserves the same review as this class.
        for (String openPattern : SpringSecurityConstant.NONE_SECURITY_URL_PATTERNS) {
            httpSecurity.authorizeRequests().antMatchers(openPattern).permitAll();
        }

        httpSecurity
                // Every other request requires an authenticated caller.
                .authorizeRequests().anyRequest().authenticated().and()
                // The token filter runs before the username/password filter.
                .addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class)
                // User-details lookup service.
                .userDetailsService(authService)
                // Never create an HTTP session.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                // Cache-control headers stay on (responses are JSON and should not be cached).
                // NOTE(review): frameOptions().disable() also drops X-Frame-Options, so
                // responses may be framed by any site; the original comment mentions only
                // caching - confirm the framing exemption is intended.
                .headers().frameOptions().disable().cacheControl();
    }

}