白名单路径

ibzuaa-provider/ibzuaa-provider-api/src/main/java/cn/ibizlab/api/config/apiSecurityConfig.java

@@ -3,6 +3,7 @@ package cn.ibizlab.api.config;
 import cn.ibizlab.util.security.AuthenticationEntryPoint;
 import cn.ibizlab.util.security.AuthorizationTokenFilter;
 import cn.ibizlab.util.service.AuthenticationUserService;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
@@ -55,6 +56,9 @@ public class apiSecurityConfig extends WebSecurityConfigurerAdapter {
     @Value("${ibiz.file.previewpath:ibizutil/preview}")
     private String previewpath;
 
+    @Value("${ibiz.auth.excludesPattern:}")
+    private String excludesPattern;
+
     @Autowired
     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
         auth
@@ -137,10 +141,16 @@ public class apiSecurityConfig extends WebSecurityConfigurerAdapter {
 
                .antMatchers("/uaa/getQQAppId").permitAll()
                .antMatchers("/uaa/queryQQUserByCode").permitAll()
-               .antMatchers("/uaa/bindQQtoRegister").permitAll()
+               .antMatchers("/uaa/bindQQtoRegister").permitAll();
+
+        if (StringUtils.isNotBlank(excludesPattern)) {
+            for (String excludePattern : excludesPattern.split("\\s*,\\s*")) {
+                authenticationTokenFilter.addExcludePattern(excludePattern);
+                httpSecurity.authorizeRequests().antMatchers(excludePattern).permitAll();
+            }
+        }
 
-                // 所有请求都需要认证
-                .anyRequest().authenticated()
+        httpSecurity.authorizeRequests().anyRequest().authenticated()
                 // 防止iframe 造成跨域
                 .and().headers().frameOptions().disable();
 

ibzuaa-util/src/main/java/cn/ibizlab/util/security/AuthorizationTokenFilter.java

@@ -10,6 +10,8 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.stereotype.Component;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.PathMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.beans.factory.annotation.Qualifier;
 
@@ -18,6 +20,10 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
 
 @Slf4j
 @Component
@@ -26,6 +32,8 @@ public class AuthorizationTokenFilter extends OncePerRequestFilter {
     private final UserDetailsService userDetailsService;
     private final AuthTokenUtil authTokenUtil;
     private final String tokenHeader;
+    private Set<String> excludesPattern = new HashSet<>();
+    private PathMatcher pathMatcher = new AntPathMatcher();
 
     public AuthorizationTokenFilter(AuthenticationUserService userDetailsService, AuthTokenUtil authTokenUtil, @Value("${ibiz.jwt.header:Authorization}") String tokenHeader) {
         this.userDetailsService = userDetailsService;
@@ -35,8 +43,12 @@ public class AuthorizationTokenFilter extends OncePerRequestFilter {
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
+        if (isExclusion(request.getRequestURI())) {
+            chain.doFilter(request, response);
+            return;
+        }
 
-        if(request.getRequestURI().equals("/uaa/publickey")||request.getRequestURI().indexOf("/uaa/lgoin")>=0){
+        if (request.getRequestURI().equals("/uaa/publickey") || request.getRequestURI().indexOf("/uaa/lgoin") >= 0) {
             chain.doFilter(request, response);
             return;
         }
@@ -71,4 +83,28 @@ public class AuthorizationTokenFilter extends OncePerRequestFilter {
         }
         chain.doFilter(request, response);
     }
+
+    public void setExcludesPattern(String excludesPattern) {
+        this.excludesPattern = new HashSet(Arrays.asList(excludesPattern.split("\\s*,\\s*")));
+    }
+
+    public void addExcludePattern(String excludePattern) {
+        excludesPattern.add(excludePattern);
+    }
+
+    private boolean isExclusion(String requestURI) {
+        if (this.excludesPattern == null) {
+            return false;
+        } else {
+            Iterator excludeIterator = this.excludesPattern.iterator();
+            String pattern;
+            do {
+                if (!excludeIterator.hasNext()) {
+                    return false;
+                }
+                pattern = (String) excludeIterator.next();
+            } while (!pathMatcher.match(pattern, requestURI));
+            return true;
+        }
+    }
 }