
spring security的核心配置

技术只适用于干活 2021-09-29 阅读 72
技术博客

关于核心配置项

spring security 最核心的注解就是 @EnableWebSecurity了:

package org.springframework.security.config.annotation.web.configuration;

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;

/**
 * Type-level annotation that switches on Spring Security's web support for the
 * class it is placed on.
 *
 * <p>It imports {@code WebSecurityConfiguration} and {@code SpringWebMvcImportSelector},
 * and is itself meta-annotated with {@code @EnableGlobalAuthentication} and
 * {@code @Configuration}, so the annotated class is also a configuration class.
 */
@Documented
@Configuration
@EnableGlobalAuthentication
@Import({WebSecurityConfiguration.class, SpringWebMvcImportSelector.class})
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
public @interface EnableWebSecurity {

    /**
     * Enables Spring Security's debug support; {@code false} unless set explicitly.
     *
     * <p>NOTE(review): debug output describes incoming requests and the filters
     * applied to them, so keep this {@code false} outside local troubleshooting;
     * confirm the exact output against the framework version in use.
     *
     * @return {@code true} if debug support should be enabled
     */
    boolean debug() default false;
}

这个注解的主要用处是引入默认的 WebSecurityConfiguration 和 AuthenticationConfiguration 配置(后者通过 @EnableGlobalAuthentication 间接引入);SpringWebMvcImportSelector 用来判断是否包含 spring mvc,避免 DispatcherServlet 重复配置。

当然为了符合业务需求,我们需要自定义安全配置。

WebSecurityConfigurerAdapter

这里 spring security 采用了适配器模式,极大方便了我们自定义,我们可以选择性修改某一部分配置,不用覆盖不相关的配置。

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Skeleton security configuration built on {@code WebSecurityConfigurerAdapter}.
 *
 * <p>Each override below only delegates to the adapter, so the framework defaults
 * stay in force until a method body is customised. Override just the hook that needs
 * to change and leave the others untouched.
 *
 * <p>NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated from Spring
 * Security 5.7 and absent from 6.x; on those versions the same customisation is
 * expressed with {@code SecurityFilterChain} and {@code WebSecurityCustomizer} beans.
 *
 * @author pilsy
 */
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Hook for request-level rules (authorization, login, logout, headers, filters).
     *
     * @param http builder for the HTTP security rules
     * @throws Exception propagated from the adapter
     */
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Adapter default; replace this call once custom rules are written.
        super.configure(http);
    }

    /**
     * Hook for settings that apply to the web security layer as a whole.
     *
     * @param web builder for web-level security settings
     * @throws Exception propagated from the adapter
     */
    @Override
    public void configure(final WebSecurity web) throws Exception {
        super.configure(web);
    }

    /**
     * Hook for choosing how users are authenticated.
     *
     * @param auth builder for the authentication manager
     * @throws Exception propagated from the adapter
     */
    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        super.configure(auth);
    }
}

重写这三个方法,分别可以对 AuthenticationManagerBuilder,WebSecurity,HttpSecurity 进行自定义配置。

  • AuthenticationManagerBuilder
  • WebSecurity
  • HttpSecurity
    /**
     * Configures the HTTP security rules: public static and Swagger paths, a bean-driven
     * access check for every other path, form login, logout, two custom filters, CSRF
     * switched off, and CORS.
     *
     * <p>Authorization rules are evaluated in declaration order and the first matching
     * pattern decides, so the order of the {@code antMatchers} calls must be preserved.
     *
     * @param http builder for the HTTP security rules
     * @throws Exception propagated from the builder calls
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Allow pages to be rendered inside iframes.
        // NOTE(review): disable() drops the X-Frame-Options header from every response,
        // so any origin may frame these pages (clickjacking exposure). If only same-origin
        // framing is needed, frameOptions().sameOrigin() is the narrower setting.
        http.headers().frameOptions().disable();
        // http.sessionManagement().maximumSessions(1).expiredSessionStrategy(sessionInformationExpiredStrategy);

        final String[] staticAssets = {"/css/**", "/fonts/**", "/images/**", "/js/**"};
        final String[] apiDocs = {
                "/**/v2/api-docs", "/swagger/**", "/swagger-ui.html",
                "/swagger-resources/**", "/v2/**", "/webjars/**"
        };

        http.authorizeRequests()
                .antMatchers(staticAssets).permitAll()
                // NOTE(review): the API documentation is reachable without login, and
                // "/v2/**" opens every path under /v2, not only api-docs. Confirm that no
                // business endpoint lives there, and consider restricting these paths
                // outside development environments.
                .antMatchers(apiDocs).permitAll()
                .antMatchers("/favicon.ico").permitAll()
                // NOTE(review): "/**" matches every remaining path, so the anyRequest()
                // rule below never becomes the deciding rule. Whether a login is required
                // therefore rests on antAuthService.canAccess, which is not shown here;
                // verify that it rejects anonymous callers.
                .antMatchers("/**").access("@antAuthService.canAccess(request,authentication)")
                // Any request may be accessed once logged in.
                .anyRequest().authenticated();

        http.formLogin()
                .usernameParameter("username")
                .passwordParameter("password")
                .authenticationDetailsSource(authenticationDetailsSource)
                // .loginPage("/login") // login page
                // .defaultSuccessUrl("/") // redirect after a successful login
                .successHandler(simpleLoginSuccessHandler)
                .failureHandler(simpleFailureHandler)
                // The login page is open to everyone.
                .permitAll();

        // Logout is open to everyone and removes the session cookie.
        http.logout()
                .addLogoutHandler(simpleLogoutHandler)
                .deleteCookies("JSESSIONID")
                .permitAll();

        // Unauthenticated requests go to the custom entry point, constructed with "/login".
        http.exceptionHandling()
                .authenticationEntryPoint(new MyAuthenticationEntryPoint("/login"));

        // Add the JWT filter ahead of the username/password filter.
        http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
        http.addFilterBefore(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);

        // NOTE(review): CSRF protection is switched off while form login and the
        // JSESSIONID cookie are still in use, so cookie-authenticated state-changing
        // requests carry no CSRF token check. That is only safe if every such request is
        // authenticated by the token filter alone; confirm, or keep CSRF enabled for the
        // session-based paths.
        http.csrf().disable();

        http.cors().configurationSource(corsConfigurationSource());
    }