| commit | author | age | ||
| 9bcb19 | 1 | /* |
| I | 2 | Copyright [2020] [https://www.xiaonuo.vip] |
| 3 | ||
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | you may not use this file except in compliance with the License. | |
| 6 | You may obtain a copy of the License at | |
| 7 | ||
| 8 | http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | ||
| 10 | Unless required by applicable law or agreed to in writing, software | |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | See the License for the specific language governing permissions and | |
| 14 | limitations under the License. | |
| 15 | ||
| 16 | Snowy采用APACHE LICENSE 2.0开源协议,您在使用过程中,需要注意以下几点: | |
| 17 | ||
| 18 | 1.请不要删除和修改根目录下的LICENSE文件。 | |
| 19 | 2.请不要删除和修改Snowy源码头部的版权声明。 | |
| 20 | 3.请保留源码和相关描述文件的项目出处,作者声明等。 | |
| 21 | 4.分发源码时候,请注明软件出处 https://gitee.com/xiaonuobase/snowy | |
| 22 | 5.在修改包名,模块名称,项目代码等时,请注明软件出处 https://gitee.com/xiaonuobase/snowy | |
| 23 | 6.若您的项目无法满足以上几点,可申请商业授权,获取Snowy商业授权许可,请在官网购买授权,地址为 https://www.xiaonuo.vip | |
| 24 | */ | |
| 25 | package vip.xiaonuo.sys.config; | |
| 26 | ||
| 27 | import org.springframework.context.annotation.Bean; | |
| 28 | import org.springframework.context.annotation.Configuration; | |
| 29 | import org.springframework.security.config.annotation.web.builders.HttpSecurity; | |
| 30 | import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; | |
| 31 | import org.springframework.security.config.http.SessionCreationPolicy; | |
| 32 | import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; | |
| 33 | import org.springframework.web.cors.CorsConfiguration; | |
| 34 | import org.springframework.web.cors.UrlBasedCorsConfigurationSource; | |
| 35 | import org.springframework.web.filter.CorsFilter; | |
| 36 | import vip.xiaonuo.core.consts.SpringSecurityConstant; | |
| 37 | import vip.xiaonuo.sys.core.filter.security.JwtAuthenticationTokenFilter; | |
| 38 | import vip.xiaonuo.sys.core.filter.security.entrypoint.JwtAuthenticationEntryPoint; | |
| 39 | import vip.xiaonuo.sys.modular.auth.service.impl.AuthServiceImpl; | |
| 40 | ||
| 41 | import javax.annotation.Resource; | |
| 42 | ||
| 43 | /** | |
| 44 | * SpringSecurity配置 | |
| 45 | * | |
| 46 | * @author xuyuxiang | |
| 47 | * @date 2020/3/18 10:54 | |
| 48 | */ | |
| 49 | @Configuration | |
| 50 | public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { | |
| 51 | ||
| 52 | @Resource | |
| 53 | private AuthServiceImpl authService; | |
| 54 | ||
| 55 | @Resource | |
| 56 | private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter; | |
| 57 | ||
| 58 | @Resource | |
| 59 | private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint; | |
| 60 | ||
| 61 | /** | |
| 62 | * 开启跨域访问拦截器 | |
| 63 | * | |
| 64 | * @author yubaoshan | |
| 65 | * @date 2020/4/29 9:50 | |
| 66 | */ | |
| 67 | @Bean | |
| 68 | public CorsFilter corsFilter() { | |
| 69 | CorsConfiguration corsConfiguration = new CorsConfiguration(); | |
| 70 | corsConfiguration.addAllowedOrigin("*"); | |
| 71 | corsConfiguration.addAllowedHeader("*"); | |
| 72 | corsConfiguration.addAllowedMethod("*"); | |
| 73 | ||
| 74 | UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); | |
| 75 | source.registerCorsConfiguration("/**", corsConfiguration); | |
| 76 | return new CorsFilter(source); | |
| 77 | } | |
| 78 | ||
| 79 | @Override | |
| 80 | protected void configure(HttpSecurity httpSecurity) throws Exception { | |
| 81 | ||
| 82 | //开启模拟请求,比如API POST测试工具的测试,不开启时,API POST为报403错误 | |
| 83 | httpSecurity.csrf().disable(); | |
| 84 | ||
| 85 | //开启跨域访问 | |
| 86 | httpSecurity.cors(); | |
| 87 | ||
| 88 | //不使用默认退出,自定义退出 | |
| 89 | httpSecurity.logout().disable(); | |
| 90 | ||
| 91 | //未授权时访问须授权的资源端点 | |
| 92 | httpSecurity.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint); | |
| 93 | ||
| 94 | //放开一些接口的权限校验 | |
| 95 | for (String notAuthResource : SpringSecurityConstant.NONE_SECURITY_URL_PATTERNS) { | |
| 96 | httpSecurity.authorizeRequests().antMatchers(notAuthResource).permitAll(); | |
| 97 | } | |
| 98 | ||
| 99 | //其余的都需授权访问 | |
| 100 | httpSecurity.authorizeRequests().anyRequest().authenticated(); | |
| 101 | ||
| 102 | //前置token过滤器 | |
| 103 | httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class); | |
| 104 | ||
| 105 | //用户详情service | |
| 106 | httpSecurity.userDetailsService(authService); | |
| 107 | ||
| 108 | //全局不创建session | |
| 109 | httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| 110 | ||
| 111 | //禁用页面缓存,返回的都是json | |
| 112 | httpSecurity.headers() | |
| 113 | .frameOptions().disable() | |
| 114 | .cacheControl(); | |
| 115 | } | |
| 116 | ||
| 117 | } | |
