遂昌综合执法平台服务端
blame | 历史 | 原始文档
zhanghua
2023-04-14 e8a0f05f99f33fa05085536541da6bc27e66a644 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

package com.ycl.config;


 


import com.ycl.component.*;


import org.springframework.beans.factory.annotation.Autowired;


import org.springframework.context.annotation.Bean;


import org.springframework.context.annotation.Configuration;


import org.springframework.http.HttpMethod;


import org.springframework.security.config.annotation.web.builders.HttpSecurity;


import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;


import org.springframework.security.config.http.SessionCreationPolicy;


import org.springframework.security.web.SecurityFilterChain;


import org.springframework.security.web.access.channel.ChannelProcessingFilter;


import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;


import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;


 


 


/**


 * SpringSecurity 5.4.x以上新用法配置


 * 为避免循环依赖,仅用于配置HttpSecurity


 * Created by macro on 2019/11/5.


 */


@Configuration


public class SecurityConfig {


 


    @Autowired


    private IgnoreUrlsConfig ignoreUrlsConfig;


    @Autowired


    private RestfulAccessDeniedHandler restfulAccessDeniedHandler;


    @Autowired


    private RestAuthenticationEntryPoint restAuthenticationEntryPoint;


    @Autowired


    private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;


    @Autowired


    private DynamicSecurityService dynamicSecurityService;


    @Autowired


    private DynamicSecurityFilter dynamicSecurityFilter;


 


    @Bean


    SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {


        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = httpSecurity


                .authorizeRequests();


        //不需要保护的资源路径允许访问


        for (String url : ignoreUrlsConfig.getUrls()) {


            registry.antMatchers(url).permitAll();


        }


        //允许跨域请求的OPTIONS请求


        registry.antMatchers(HttpMethod.OPTIONS)


                .permitAll();


        // 任何请求需要身份认证


        registry.and()


                .authorizeRequests()


                .anyRequest()


                .authenticated()


                // 关闭跨站请求防护及不使用session


                .and()


                .csrf()


                .disable()


                .sessionManagement()


                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)


                // 自定义权限拒绝处理类


                .and()


                .exceptionHandling()


                .accessDeniedHandler(restfulAccessDeniedHandler)


                .authenticationEntryPoint(restAuthenticationEntryPoint)


                // 自定义权限拦截器JWT过滤器


                .and()


                .addFilterBefore(webSecurityCorsFilter(), ChannelProcessingFilter.class)


                .addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);


        //有动态权限配置时添加动态权限校验过滤器


        if (dynamicSecurityService != null) {


            registry.and().addFilterBefore(dynamicSecurityFilter, FilterSecurityInterceptor.class);


        }


        return httpSecurity.build();


    }


 


    @Bean


    public WebSecurityCorsFilter webSecurityCorsFilter() {


        return new WebSecurityCorsFilter();


    }


}