产品供销存-后端
blame | 历史 | 补丁 | 提交 | 提交对比 | 忽略空白
RuoYi
2022-10-28 cc9bb1d05dece7f8b17aeb5f4ebfa1f99c83de38 
 src/main/java/com/ruoyi/framework/config/SecurityConfig.java


@@ -8,12 +8,14 @@


import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;



import org.springframework.security.config.annotation.web.builders.HttpSecurity;



import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;



import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;



import org.springframework.security.config.http.SessionCreationPolicy;



import org.springframework.security.core.userdetails.UserDetailsService;



import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;



import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;



import org.springframework.security.web.authentication.logout.LogoutFilter;



import org.springframework.web.filter.CorsFilter;



import com.ruoyi.framework.config.properties.PermitAllUrlProperties;



import com.ruoyi.framework.security.filter.JwtAuthenticationTokenFilter;



import com.ruoyi.framework.security.handle.AuthenticationEntryPointImpl;



import com.ruoyi.framework.security.handle.LogoutSuccessHandlerImpl;



@@ -55,7 +57,13 @@


     */



    @Autowired



    private CorsFilter corsFilter;



    






    /**



     * 允许匿名访问的地址



     */



    @Autowired



    private PermitAllUrlProperties permitAllUrl;







    /**



     * 解决 无法直接注入 AuthenticationManager



     *



@@ -87,9 +95,15 @@


    @Override



    protected void configure(HttpSecurity httpSecurity) throws Exception



    {



        // 注解标记允许匿名访问的url



        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = httpSecurity.authorizeRequests();



        permitAllUrl.getUrls().forEach(url -> registry.antMatchers(url).permitAll());







        httpSecurity



                // CSRF禁用,因为不使用session



                .csrf().disable()



                // 禁用HTTP响应标头



                .headers().cacheControl().disable().and()



                // 认证失败处理类



                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()



                // 基于token,所以不需要session



@@ -105,6 +119,7 @@


                .anyRequest().authenticated()



                .and()



                .headers().frameOptions().disable();



        // 添加Logout filter



        httpSecurity.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);



        // 添加JWT filter



        httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);