package cn.ibizlab.api.config; import cn.ibizlab.util.security.AuthenticationEntryPoint; import cn.ibizlab.util.security.AuthorizationTokenFilter; import cn.ibizlab.util.service.AuthenticationUserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.core.GrantedAuthorityDefaults; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.context.annotation.Profile; import org.springframework.beans.factory.annotation.Qualifier; @Profile("api-prod") @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class apiSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private AuthenticationEntryPoint unauthorizedHandler; @Autowired private AuthenticationUserService userDetailsService; /** * 自定义基于JWT的安全过滤器 */ @Autowired AuthorizationTokenFilter authenticationTokenFilter; @Value("${ibiz.auth.path:v7/login}") private String loginPath; @Value("${ibiz.auth.logoutpath:v7/logout}") private String logoutPath; @Value("${ibiz.file.uploadpath:ibizutil/upload}") private String uploadpath; @Value("${ibiz.file.downloadpath:ibizutil/download}") private String downloadpath; @Value("${ibiz.file.previewpath:ibizutil/preview}") private String previewpath; @Value("${ibiz.auth.excludesPattern:}") private String[] excludesPattern; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .userDetailsService(userDetailsService) .passwordEncoder(passwordEncoderBean()); } @Bean GrantedAuthorityDefaults grantedAuthorityDefaults() { // Remove the ROLE_ prefix return new GrantedAuthorityDefaults(""); } @Bean public PasswordEncoder passwordEncoderBean() { return new BCryptPasswordEncoder(); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity // 禁用 CSRF .csrf().disable() // 授权异常 .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and() // 不创建会话 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() // 过滤请求 .authorizeRequests() .antMatchers( HttpMethod.GET, "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/**/*.ico", "/**/assets/**", "/**/css/**", "/**/fonts/**", "/**/js/**", "/**/img/**", "/", "webjars/**", "/swagger-resources/**", "/v2/**" ).permitAll() //放行登录请求 .antMatchers( HttpMethod.POST, "/"+loginPath).permitAll() //放行注销请求 .antMatchers( HttpMethod.GET, "/"+logoutPath).permitAll() // 文件操作 .antMatchers("/"+downloadpath+"/**").permitAll() .antMatchers("/"+uploadpath).permitAll() .antMatchers("/"+previewpath+"/**").permitAll() .antMatchers("/dst/**").permitAll(); for (String excludePattern : excludesPattern) { authenticationTokenFilter.addExcludePattern(excludePattern); httpSecurity.authorizeRequests().antMatchers(excludePattern).permitAll(); } // 所有请求都需要认证 httpSecurity.authorizeRequests().anyRequest().authenticated() // 防止iframe 造成跨域 .and().headers().frameOptions().disable(); httpSecurity .addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class); } }