package com.izouma.jiashanxia.security; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.context.annotation.Bean; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) @EnableConfigurationProperties({JwtConfig.class}) public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private JwtAuthenticationEntryPoint unauthorizedHandler; @Autowired private JwtUserDetailsService jwtUserDetailsService; // Custom JWT based security filter @Autowired JwtAuthorizationTokenFilter authenticationTokenFilter; @Value("${jwt.header}") private String tokenHeader; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(jwtUserDetailsService) .passwordEncoder(passwordEncoderBean()); } @Bean public PasswordEncoder passwordEncoderBean() { return new BCryptPasswordEncoder(); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(HttpSecurity httpSecurity) throws Exception { // We don't need CSRF for this example httpSecurity.csrf().disable() .cors().and() // dont authenticate this particular request .authorizeRequests() //swagger-ui放行路径 .antMatchers("/v2/api-docs", "/swagger-ui.html", "/swagger-resources/**", "/webjars/**").permitAll() .antMatchers("/user/register").permitAll() .antMatchers("/upload/**").permitAll() .antMatchers("/files/**").permitAll() .antMatchers("/static/**").permitAll() .antMatchers("/auth/**").permitAll() .antMatchers("/captcha/**").permitAll() .antMatchers("/admin/**").permitAll() .antMatchers("/systemVariable/all").permitAll() .antMatchers("/**/excel").permitAll() .antMatchers("/wx/**").permitAll() .antMatchers("/sms/sendVerify").permitAll() .antMatchers("/error").permitAll() .antMatchers("/401").permitAll() .antMatchers("/404").permitAll() .antMatchers("/500").permitAll() .antMatchers("/MP_verify*").permitAll() // all other requests need to be authenticated .anyRequest().authenticated().and() // make sure we use stateless session; session won't be used to // store user's state. .exceptionHandling().authenticationEntryPoint(unauthorizedHandler) .and().sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); // Add a filter to validate the tokens with every request httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class); } @Override public void configure(WebSecurity web) throws Exception { // AuthenticationTokenFilter will ignore the below paths web.ignoring() .antMatchers("/auth/**") // allow anonymous resource requests .and() .ignoring() .antMatchers( HttpMethod.GET, "/", "/*.html", "/**/favicon.ico", "/**/*.html", "/**/*.css", "/**/*.js" ); } }