shi
/
game-api
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
game-api/ff-base/src/main/java/com/ff/base/config/SecurityConfig.java

166 lines
7.2 KiB
Java
Raw Normal View History

项目初始化
2025-02-11 15:27:15 +08:00
package com.ff.base.config;
import com.ff.base.config.properties.PermitAllUrlProperties;
import com.ff.base.security.encode.CustomMd5PasswordEncoder;
import com.ff.base.security.filter.JwtAuthenticationTokenFilter;
import com.ff.base.security.handle.AuthenticationEntryPointImpl;
import com.ff.base.security.handle.LogoutSuccessHandlerImpl;
import com.ff.base.security.provider.MyDaoAuthenticationProvider;
import com.ff.base.web.service.MemberDetailsServiceImpl;
import com.ff.base.web.service.UserDetailsServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.web.filter.CorsFilter;
import java.util.ArrayList;
import java.util.List;
/**
* spring security
*
* @author ff
*/
@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Configuration
public class SecurityConfig {
/**
*
*/
@Autowired
private UserDetailsServiceImpl userDetailsService;
/**
*
*/
@Autowired
private MemberDetailsServiceImpl memberDetailsService;
/**
*
*/
@Autowired
private AuthenticationEntryPointImpl unauthorizedHandler;
/**
* 退
*/
@Autowired
private LogoutSuccessHandlerImpl logoutSuccessHandler;
/**
* token
*/
@Autowired
private JwtAuthenticationTokenFilter authenticationTokenFilter;
/**
*
*/
@Autowired
private CorsFilter corsFilter;
/**
* 访
*/
@Autowired
private PermitAllUrlProperties permitAllUrl;
/**
*
*/
@Bean
public AuthenticationManager authenticationManager() {
// 后台、会员两种验证方式实现类
List<UserDetailsService> userDetailsServices = new ArrayList<>();
userDetailsServices.add(userDetailsService);
userDetailsServices.add(memberDetailsService);
List<AuthenticationProvider> providers = new ArrayList<>();
MyDaoAuthenticationProvider adminDaoAuthenticationProvider = new MyDaoAuthenticationProvider();
adminDaoAuthenticationProvider.setUserDetailsService(userDetailsService); // or userDetailsService
adminDaoAuthenticationProvider.setPasswordEncoder(bCryptPasswordEncoder());
adminDaoAuthenticationProvider.setUserDetailsServices(userDetailsServices);
MyDaoAuthenticationProvider memberDaoAuthenticationProvider = new MyDaoAuthenticationProvider();
memberDaoAuthenticationProvider.setUserDetailsService(memberDetailsService); // or userDetailsService
memberDaoAuthenticationProvider.setPasswordEncoder(bCryptPasswordEncoder());
memberDaoAuthenticationProvider.setUserDetailsServices(userDetailsServices);
providers.add(adminDaoAuthenticationProvider);
providers.add(memberDaoAuthenticationProvider);
return new ProviderManager(providers);
}
/**
* anyRequest |
* access | SpringEltrue访
* anonymous | 访
* denyAll | 访
* fullyAuthenticated | 访remember-me
* hasAnyAuthority | 访
* hasAnyRole | 访
* hasAuthority | 访
* hasIpAddress | IPIP访
* hasRole | 访
* permitAll | 访
* rememberMe | remember-me访
* authenticated | 访
*/
@Bean
protected SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
// CSRF禁用因为不使用session
.csrf(csrf -> csrf.disable())
// 禁用HTTP响应标头
.headers((headersCustomizer) -> {
headersCustomizer.cacheControl(cache -> cache.disable()).frameOptions(options -> options.sameOrigin());
})
// 认证失败处理类
.exceptionHandling(exception -> exception.authenticationEntryPoint(unauthorizedHandler))
// 基于token所以不需要session
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
// 注解标记允许匿名访问的url
.authorizeHttpRequests((requests) -> {
permitAllUrl.getUrls().forEach(url -> requests.antMatchers(url).permitAll());
// 对于登录login 注册register 验证码captchaImage 允许匿名访问
requests.antMatchers("/api/**","/login", "/register","/ws", "/captchaImage").permitAll()
// 静态资源,可匿名访问
.antMatchers(HttpMethod.GET, "/", "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/profile/**").permitAll()
.antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**").permitAll()
// 除上面外的所有请求全部需要鉴权认证
.anyRequest().authenticated();
})
// 添加Logout filter
.logout(logout -> logout.logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler))
// 添加JWT filter
.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class)
// 添加CORS filter
.addFilterBefore(corsFilter, JwtAuthenticationTokenFilter.class)
.addFilterBefore(corsFilter, LogoutFilter.class)
.build();
}
/**
*
*/
@Bean
public CustomMd5PasswordEncoder bCryptPasswordEncoder() {
return new CustomMd5PasswordEncoder();
}
}