工业级后台API v2
blame | history | raw
fengxiang
2018-02-01 cd16757f2cd963749850d6f8897381a8b7a849ef 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118

package com.moral.security.config;


 


import com.fasterxml.jackson.databind.ObjectMapper;


import com.moral.security.CustomCorsFilter;


import com.moral.security.RestAuthenticationEntryPoint;


import com.moral.security.auth.login.LoginAuthenticationProvider;


import com.moral.security.auth.login.LoginProcessingFilter;


import com.moral.security.auth.jwt.JwtAuthenticationProvider;


import com.moral.security.auth.jwt.JwtTokenAuthenticationProcessingFilter;


import com.moral.security.auth.jwt.SkipPathRequestMatcher;


import com.moral.security.auth.jwt.extractor.TokenExtractor;


import org.springframework.beans.factory.annotation.Autowired;


import org.springframework.context.annotation.Bean;


import org.springframework.context.annotation.Configuration;


import org.springframework.security.authentication.AuthenticationManager;


import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;


import org.springframework.security.config.annotation.web.builders.HttpSecurity;


import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;


import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;


import org.springframework.security.config.http.SessionCreationPolicy;


import org.springframework.security.web.authentication.AuthenticationFailureHandler;


import org.springframework.security.web.authentication.AuthenticationSuccessHandler;


import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;


 


import java.util.Arrays;


import java.util.List;


 


/**


 * WebSecurityConfig


 * 


 * @author vladimir.stankovic


 *


 * Aug 3, 2016


 */


@Configuration


@EnableWebSecurity


public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    public static final String AUTHENTICATION_HEADER_NAME = "X-Authorization";


    public static final String AUTHENTICATION_URL = "/auth/login";


    public static final String REFRESH_TOKEN_URL = "/auth/token";


    public static final String API_ROOT_URL = "/*/**";


 


    @Autowired


    private RestAuthenticationEntryPoint authenticationEntryPoint;


    @Autowired


    private AuthenticationSuccessHandler successHandler;


    @Autowired


    private AuthenticationFailureHandler failureHandler;


    @Autowired


    private LoginAuthenticationProvider ajaxAuthenticationProvider;


    @Autowired


    private JwtAuthenticationProvider jwtAuthenticationProvider;


 


    @Autowired


    private TokenExtractor tokenExtractor;


 


    @Autowired


    private AuthenticationManager authenticationManager;


 


    @Autowired


    private ObjectMapper objectMapper;


 


    protected LoginProcessingFilter buildLoginProcessingFilter(String loginEntryPoint) throws Exception {


        LoginProcessingFilter filter = new LoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper);


        filter.setAuthenticationManager(this.authenticationManager);


        return filter;


    }


 


    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(List<String> pathsToSkip, String pattern) throws Exception {


        SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, pattern);


        JwtTokenAuthenticationProcessingFilter filter


            = new JwtTokenAuthenticationProcessingFilter(failureHandler, tokenExtractor, matcher);


        filter.setAuthenticationManager(this.authenticationManager);


        return filter;


    }


 


    @Bean


    @Override


    public AuthenticationManager authenticationManagerBean() throws Exception {


        return super.authenticationManagerBean();


    }


 


    @Override


    protected void configure(AuthenticationManagerBuilder auth) {


        auth.authenticationProvider(ajaxAuthenticationProvider);


        auth.authenticationProvider(jwtAuthenticationProvider);


    }


    


    @Override


    protected void configure(HttpSecurity http) throws Exception {


        List<String> permitAllEndpointList = Arrays.asList(


            AUTHENTICATION_URL,


            REFRESH_TOKEN_URL


        );


 


        http


            .csrf().disable() // We don't need CSRF for JWT based authentication


            .exceptionHandling()


            .authenticationEntryPoint(this.authenticationEntryPoint)


 


            .and()


                .sessionManagement()


                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)


 


            .and()


                .authorizeRequests()


                .antMatchers(permitAllEndpointList.toArray(new String[permitAllEndpointList.size()]))


                .permitAll()


            .and()


                .authorizeRequests()


                .antMatchers(API_ROOT_URL).authenticated() // Protected API End-points


            .and()


                .addFilterBefore(new CustomCorsFilter(), UsernamePasswordAuthenticationFilter.class)


                .addFilterBefore(buildLoginProcessingFilter(AUTHENTICATION_URL), UsernamePasswordAuthenticationFilter.class)


                .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(permitAllEndpointList,


                API_ROOT_URL), UsernamePasswordAuthenticationFilter.class);


    }


}