WebSecurityConfig
package me.zhengjie.core.config; import me.zhengjie.core.security.JwtAuthenticationEntryPoint;
import me.zhengjie.core.security.JwtAuthorizationTokenFilter;
import me.zhengjie.core.service.JwtUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; @Configuration
// Spring Security setup for a stateless HTTP API protected by a custom JWT filter:
// wires the user lookup and password hashing, declares which URL patterns can be
// reached without a login, and places the JWT filter in the security filter chain.
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Entry point registered below to answer requests that fail authentication. */
    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    /** User lookup service handed to the authentication manager in {@link #configureGlobal}. */
    @Autowired
    private JwtUserDetailsService jwtUserDetailsService;

    /** Custom JWT-based security filter. */
    @Autowired
    JwtAuthorizationTokenFilter authenticationTokenFilter;

    // Bound to the "jwt.header" property. Not read anywhere in this class;
    // presumably it names the HTTP header that carries the token (confirm in the filter).
    @Value("${jwt.header}")
    private String tokenHeader;

    // Bound to the "jwt.auth.path" property; used in configure(WebSecurity) as the
    // POST path that is excluded from the security filter chain.
    @Value("${jwt.auth.path}")
    private String authenticationPath;

    /**
     * Registers the user details service and the password encoder on the global
     * authentication manager builder.
     *
     * @param auth builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoderBean());
    }

    /**
     * Exposes the password encoder bean.
     *
     * @return a {@link BCryptPasswordEncoder} built with its no-argument constructor
     */
    @Bean
    public PasswordEncoder passwordEncoderBean() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }

    /**
     * Publishes the adapter's {@link AuthenticationManager} as a bean so other
     * components can inject it.
     *
     * @return the manager provided by the superclass
     * @throws Exception propagated from the superclass
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Declares the per-URL access rules and installs the JWT filter.
     *
     * <p>Rules are evaluated in declaration order and the first matching pattern wins,
     * so the catch-all {@code anyRequest().authenticated()} has to stay last.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                // CSRF protection is switched off. NOTE(review): that is only sound while the
                // credential is sent explicitly by the client (e.g. in a header) and never
                // attached automatically by the browser; revisit if the token moves into a cookie.
                .csrf().disable()
                // Authentication failures are answered by the custom entry point.
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                // No HTTP session is created; every request must authenticate on its own.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                // Open to everyone, logged in or not. NOTE(review): nothing in this class
                // authenticates the /websocket/** handshake; confirm the endpoint checks
                // the caller itself.
                .antMatchers("/auth/**", "/websocket/**").permitAll()
                // anonymous() admits only callers WITHOUT an authenticated identity; a request
                // that already carries a valid login is denied on these paths (unlike permitAll()).
                .antMatchers(
                        // NOTE(review): presumably the Druid monitoring console. It is reachable
                        // without a login here, so it needs its own credentials or a network
                        // restriction; confirm.
                        "/druid/**",
                        // Alipay callbacks. They arrive unauthenticated, so the handlers are
                        // expected to verify the callback themselves (not visible in this class).
                        "/api/aliPay/return",
                        "/api/aliPay/notify",
                        // Swagger UI and API descriptions. NOTE(review): these describe the whole
                        // API to unauthenticated callers; consider turning them off outside
                        // development.
                        "/swagger-ui.html",
                        "/swagger-resources/**",
                        "/webjars/**",
                        "/*/api-docs").anonymous()
                // NOTE(review): in this listing .antMatchers("/test/**").anonymous() is part of the
                // "swagger end" comment, so no rule for /test/** is registered and those paths fall
                // through to the catch-all below; confirm against the project source.
                // OPTIONS requests to any path (presumably CORS preflight).
                .antMatchers(HttpMethod.OPTIONS, "/**").anonymous()
                // Everything else requires an authenticated caller.
                .anyRequest().authenticated();

        // The JWT filter runs ahead of the username/password filter.
        httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
    }

    /**
     * Lists requests that are excluded from the security filter chain altogether.
     *
     * <p>Ignored requests skip every Spring Security filter, not only the JWT filter,
     * so nothing the chain would otherwise apply is in effect for them.
     *
     * @param web builder supplied by Spring Security
     * @throws Exception declared by the overridden method
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // POST to the configured authentication path is not seen by the JWT filter.
        web.ignoring().antMatchers(HttpMethod.POST, authenticationPath);

        // Static resources may be fetched without a login (GET only).
        web.ignoring().antMatchers(
                HttpMethod.GET,
                "/*.html",
                "/**/*.html",
                "/**/*.css",
                "/**/*.js");
    }
}