/*
|
Copyright [2020] [https://www.xiaonuo.vip]
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
you may not use this file except in compliance with the License.
|
You may obtain a copy of the License at
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
Unless required by applicable law or agreed to in writing, software
|
distributed under the License is distributed on an "AS IS" BASIS,
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
See the License for the specific language governing permissions and
|
limitations under the License.
|
|
Snowy采用APACHE LICENSE 2.0开源协议,您在使用过程中,需要注意以下几点:
|
|
1.请不要删除和修改根目录下的LICENSE文件。
|
2.请不要删除和修改Snowy源码头部的版权声明。
|
3.请保留源码和相关描述文件的项目出处,作者声明等。
|
4.分发源码时候,请注明软件出处 https://gitee.com/xiaonuobase/snowy
|
5.在修改包名,模块名称,项目代码等时,请注明软件出处 https://gitee.com/xiaonuobase/snowy
|
6.若您的项目无法满足以上几点,可申请商业授权,获取Snowy商业授权许可,请在官网购买授权,地址为 https://www.xiaonuo.vip
|
*/
|
package vip.xiaonuo.sys.config;
|
|
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Configuration;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
import org.springframework.security.config.http.SessionCreationPolicy;
|
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
import org.springframework.web.cors.CorsConfiguration;
|
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
|
import org.springframework.web.filter.CorsFilter;
|
import vip.xiaonuo.core.consts.SpringSecurityConstant;
|
import vip.xiaonuo.sys.core.filter.security.JwtAuthenticationTokenFilter;
|
import vip.xiaonuo.sys.core.filter.security.entrypoint.JwtAuthenticationEntryPoint;
|
import vip.xiaonuo.sys.modular.auth.service.impl.AuthServiceImpl;
|
|
import javax.annotation.Resource;
|
|
/**
|
* SpringSecurity配置
|
*
|
* @author xuyuxiang
|
* @date 2020/3/18 10:54
|
*/
|
@Configuration
|
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
@Resource
|
private AuthServiceImpl authService;
|
|
@Resource
|
private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
|
|
@Resource
|
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
|
|
/**
|
* 开启跨域访问拦截器
|
*
|
* @author yubaoshan
|
* @date 2020/4/29 9:50
|
*/
|
@Bean
|
public CorsFilter corsFilter() {
|
CorsConfiguration corsConfiguration = new CorsConfiguration();
|
corsConfiguration.addAllowedOrigin("*");
|
corsConfiguration.addAllowedHeader("*");
|
corsConfiguration.addAllowedMethod("*");
|
|
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
|
source.registerCorsConfiguration("/**", corsConfiguration);
|
return new CorsFilter(source);
|
}
|
|
@Override
|
protected void configure(HttpSecurity httpSecurity) throws Exception {
|
|
//开启模拟请求,比如API POST测试工具的测试,不开启时,API POST为报403错误
|
httpSecurity.csrf().disable();
|
|
//开启跨域访问
|
httpSecurity.cors();
|
|
//不使用默认退出,自定义退出
|
httpSecurity.logout().disable();
|
|
//未授权时访问须授权的资源端点
|
httpSecurity.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint);
|
|
//放开一些接口的权限校验
|
for (String notAuthResource : SpringSecurityConstant.NONE_SECURITY_URL_PATTERNS) {
|
httpSecurity.authorizeRequests().antMatchers(notAuthResource).permitAll();
|
}
|
|
//其余的都需授权访问
|
httpSecurity.authorizeRequests().anyRequest().authenticated();
|
|
//前置token过滤器
|
httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
|
|
//用户详情service
|
httpSecurity.userDetailsService(authService);
|
|
//全局不创建session
|
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
|
|
//禁用页面缓存,返回的都是json
|
httpSecurity.headers()
|
.frameOptions().disable()
|
.cacheControl();
|
}
|
|
}
|
