工业级后台API v2
blame | history | patch | commit | commitdiff | ignore whitespace
ZhuDongming
2019-08-15 50e24cdfd75ada4dd6ea5dce74803b7f96e3ba81 
 src/main/java/com/moral/security/config/WebSecurityConfig.java


@@ -1,6 +1,7 @@


package com.moral.security.config;




import com.fasterxml.jackson.databind.ObjectMapper;


import com.moral.common.util.ResourceUtil;


import com.moral.security.CustomCorsFilter;


import com.moral.security.RestAuthenticationEntryPoint;


import com.moral.security.auth.login.LoginAuthenticationProvider;


@@ -9,6 +10,8 @@


import com.moral.security.auth.jwt.JwtTokenAuthenticationProcessingFilter;


import com.moral.security.auth.jwt.SkipPathRequestMatcher;


import com.moral.security.auth.jwt.extractor.TokenExtractor;


import org.apache.commons.lang3.ArrayUtils;


import org.apache.commons.lang3.StringUtils;


import org.springframework.beans.factory.annotation.Autowired;


import org.springframework.context.annotation.Bean;


import org.springframework.context.annotation.Configuration;


@@ -22,6 +25,7 @@


import org.springframework.security.web.authentication.AuthenticationSuccessHandler;


import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;




import java.util.ArrayList;


import java.util.Arrays;


import java.util.List;




@@ -36,6 +40,8 @@


@EnableWebSecurity


public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    public static final String AUTHENTICATION_HEADER_NAME = "X-Authorization";


    public static final String REFRESH_TOKEN_HEADER_NAME = "X-Refrsh-Token";


    public static final String AUTHENTICATION_PARAM_NAME = "_token";


    public static final String AUTHENTICATION_URL = "/auth/login";


    public static final String REFRESH_TOKEN_URL = "/auth/token";


    public static final String API_ROOT_URL = "/**/*";


@@ -88,12 +94,19 @@


    


    @Override


    protected void configure(HttpSecurity http) throws Exception {


        List<String> permitAllEndpointList = Arrays.asList(


            AUTHENTICATION_URL,


            REFRESH_TOKEN_URL,


            "/screen/**"


        );




        List<String> permitAllEndpointList = new ArrayList<>(Arrays.asList(


                AUTHENTICATION_URL,


                REFRESH_TOKEN_URL


        ));


        // 添加不过滤的url


        String noFilters = ResourceUtil.getValue("noFilters");


        if(!StringUtils.isBlank(noFilters)){


            String[] noFilterArray = noFilters.split(",");


            if(!ArrayUtils.isEmpty(noFilterArray)){


                permitAllEndpointList.addAll(Arrays.asList(noFilterArray));


            }


        }


        http


            .csrf().disable() // We don't need CSRF for JWT based authentication


            .exceptionHandling()


@@ -108,6 +121,8 @@


                .antMatchers(permitAllEndpointList.toArray(new String[permitAllEndpointList.size()]))


                .permitAll()


            .and()


                .headers().frameOptions().disable()


            .and()


                .authorizeRequests()


                .antMatchers(API_ROOT_URL).authenticated() // Protected API End-points


            .and()