- package com.izouma.awesomeAdmin.security;
- import org.springframework.beans.factory.annotation.Autowired;
- import org.springframework.beans.factory.annotation.Value;
- import org.springframework.context.annotation.Bean;
- import org.springframework.http.HttpMethod;
- import org.springframework.security.authentication.AuthenticationManager;
- import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
- import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
- import org.springframework.security.config.annotation.web.builders.HttpSecurity;
- import org.springframework.security.config.annotation.web.builders.WebSecurity;
- import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
- import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
- import org.springframework.security.config.http.SessionCreationPolicy;
- import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
- import org.springframework.security.crypto.password.PasswordEncoder;
- import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
/**
 * Spring Security configuration for the token-authenticated API.
 *
 * <p>Sets up the user-details service and BCrypt password encoder, declares which
 * URL patterns are reachable anonymously, makes the chain stateless, and installs
 * the custom JWT filter ahead of {@link UsernamePasswordAuthenticationFilter}.
 *
 * <p>{@code prePostEnabled = true} turns on {@code @PreAuthorize}/{@code @PostAuthorize};
 * whether the controllers behind the anonymous patterns below carry such annotations
 * cannot be seen from this file.
 */
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * URL patterns that are served without any authentication check.
     *
     * <p>NOTE(review): several entries are broader than a login/registration flow
     * usually needs. {@code /admin/**}, {@code /upload/**}, {@code /**}{@code /excel},
     * {@code /orderNotify/**} and the swagger paths are all reachable without a token.
     * Confirm for each one that it is either static content or is protected some other
     * way (method-level annotations, a signature check on the notify callback, a rate
     * limit on {@code /sms/sendVerify}); otherwise move it behind {@code authenticated()}
     * or a role check. Exposing the API docs in production is also worth a deliberate
     * decision.
     */
    private static final String[] ANONYMOUS_PATTERNS = {
        // paths let through for swagger-ui
        "/v2/api-docs", "/swagger-ui.html", "/swagger-resources/**", "/webjars/**",
        "/user/register",
        "/upload/**",
        "/static/**",
        "/auth/**",
        "/admin/**",
        "/orderNotify/**",
        "/order/logistic",
        "/systemVariable/all",
        "/**/excel",
        "/wx/**",
        "/sms/sendVerify"
    };

    /** GET-only resource patterns that are excluded from the security filter chain. */
    private static final String[] IGNORED_GET_PATTERNS = {
        "/",
        "/*.html",
        "/**/favicon.ico",
        "/**/*.html",
        "/**/*.css",
        "/**/*.js"
    };

    /** Entry point invoked when an unauthenticated request hits a protected resource. */
    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    /** Loads user records for the authentication manager. */
    @Autowired
    private JwtUserDetailsService jwtUserDetailsService;

    /** Custom JWT-based security filter. */
    @Autowired
    JwtAuthorizationTokenFilter authenticationTokenFilter;

    // Injected from the jwt.header property; not read anywhere in this class.
    @Value("${jwt.header}")
    private String tokenHeader;

    /**
     * Wires the user-details service and the password encoder into the global
     * authentication manager builder.
     *
     * @param auth builder supplied by Spring Security
     * @throws Exception if the builder rejects the configuration
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(jwtUserDetailsService)
            .passwordEncoder(passwordEncoderBean());
    }

    /**
     * Password encoder used to verify stored credentials.
     *
     * @return a BCrypt encoder built with the library's default settings
     */
    @Bean
    public PasswordEncoder passwordEncoderBean() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Exposes the adapter's authentication manager as a bean so other components
     * can inject it.
     *
     * @return the authentication manager built by the parent adapter
     * @throws Exception if the parent cannot build it
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Declares the HTTP authorization rules and installs the token filter.
     *
     * @param httpSecurity chain builder supplied by Spring Security
     * @throws Exception if any configurer fails
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // CSRF protection is switched off. That is only sound while the token is sent
        // in a request header and never in a cookie — NOTE(review): confirm against
        // JwtAuthorizationTokenFilter.
        httpSecurity.csrf().disable();
        httpSecurity.cors();

        // Anonymous patterns first, everything else requires authentication.
        httpSecurity.authorizeRequests()
            .antMatchers(ANONYMOUS_PATTERNS).permitAll()
            .anyRequest().authenticated();

        // Unauthenticated access to a protected resource is answered by the JWT entry point.
        httpSecurity.exceptionHandling().authenticationEntryPoint(unauthorizedHandler);

        // Stateless: the HTTP session is never used to hold the user's state.
        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Validate the token on every request, before username/password processing.
        httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
    }

    /**
     * Lists the requests that skip the Spring Security filter chain altogether.
     *
     * <p>NOTE(review): ignored requests bypass every filter in the chain, not just the
     * token filter, so they also miss the default security response headers.
     * {@code /auth/**} is already {@code permitAll()} in the HTTP rules; keeping it there
     * and dropping it from this list would keep those endpoints inside the chain.
     *
     * @param web builder supplied by Spring Security
     * @throws Exception declared by the overridden method
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // the token filter is not applied to the authentication endpoints
        web.ignoring().antMatchers("/auth/**");
        // allow anonymous resource requests
        web.ignoring().antMatchers(HttpMethod.GET, IGNORED_GET_PATTERNS);
    }
}