关于核心配置项
spring security 最核心的注解就是 @EnableWebSecurity了:
package org.springframework.security.config.annotation.web.configuration;
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
/**
 * Switches on Spring Security's web support for the annotated configuration class.
 *
 * <p>What the meta-annotations below do is all that is asserted here: the annotation is
 * kept at runtime and may only be placed on a type; it imports
 * {@code WebSecurityConfiguration} and {@code SpringWebMvcImportSelector}; it carries
 * {@code @EnableGlobalAuthentication} (authentication configuration) and is itself a
 * {@code @Configuration}.
 */
@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Configuration
@EnableGlobalAuthentication
@Import({ WebSecurityConfiguration.class, SpringWebMvcImportSelector.class })
public @interface EnableWebSecurity {

    /**
     * Debug support for the security filter chain; {@code false} unless set.
     *
     * <p>NOTE(review): per the upstream documentation, debug mode logs per-request details
     * from the filter chain and is intended for development only — keep it off in production.
     *
     * @return whether debug support is enabled
     */
    boolean debug() default false;
}
这个注解的主要用处就是引入默认的 WebSecurityConfiguration 和 AuthenticationConfiguration 配置；SpringWebMvcImportSelector 用来判断是否包含 Spring MVC，避免 DispatcherServlet 重复配置。
当然为了符合业务需求,我们需要自定义安全配置。
WebSecurityConfigurerAdapter
这里 spring security 采用了适配器模式,极大方便了我们自定义,我们可以选择性修改某一部分配置,不用覆盖不相关的配置。
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
 * Application security configuration built on the {@link WebSecurityConfigurerAdapter}
 * template. Every {@code configure} hook below forwards to the adapter, so this class
 * behaves exactly like the adapter's defaults until one of the hooks is customised.
 *
 * <p>NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated since Spring Security
 * 5.7 and removed in 6.0, where the equivalent customisation is a {@code SecurityFilterChain}
 * bean — confirm the version in use before building on this class.
 *
 * @author pilsy
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Request-level rules: authorisation per path, login/logout, headers, CSRF, filters.
     * Forwarding keeps the adapter's default; in the adapter that default requires
     * authentication for every request and enables form login and HTTP Basic — verify
     * against the Spring Security version in use.
     *
     * @param http the {@link HttpSecurity} builder for this filter chain
     * @throws Exception as declared by the adapter hook
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
    }

    /**
     * Filter-chain-level settings (for example paths that bypass security entirely).
     * The adapter's implementation is empty, so forwarding currently changes nothing.
     *
     * @param web the {@link WebSecurity} builder
     * @throws Exception as declared by the adapter hook
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
    }

    /**
     * Authentication set-up (user details source, password encoding). Forwarding means no
     * local {@code AuthenticationManager} is built here and the global one is used instead —
     * verify against the Spring Security version in use.
     *
     * @param auth the {@link AuthenticationManagerBuilder}
     * @throws Exception as declared by the adapter hook
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        super.configure(auth);
    }
}
重写这三个方法，可以分别对 AuthenticationManagerBuilder、WebSecurity、HttpSecurity 进行自定义配置。
- AuthenticationManagerBuilder
- WebSecurity
- HttpSecurity
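/**
 * HTTP security rules for the application.
 *
 * <p>Path matchers are evaluated in declaration order and the first match wins, so the
 * public ({@code permitAll}) paths come first. The catch-all rule delegates the decision to
 * the {@code antAuthService} bean through SpEL. It used to be written as
 * {@code .antMatchers("/**").access(...)} followed by {@code .anyRequest().authenticated()};
 * since {@code /**} matches every request, that trailing rule could never be reached, so the
 * catch-all is now expressed directly as {@code anyRequest()} with the same expression.
 *
 * <p>NOTE(review): several settings here widen the attack surface and are worth a second
 * look before production use:
 * <ul>
 *   <li>{@code frameOptions().disable()} removes the X-Frame-Options header from every
 *       response, so any origin may frame the application (clickjacking). If only
 *       same-origin framing is required, {@code sameOrigin()} is the narrower choice.</li>
 *   <li>{@code csrf().disable()} is only safe when no browser-managed session cookie
 *       authenticates requests; this configuration still uses form login and deletes
 *       {@code JSESSIONID} on logout, which indicates session state is in play.</li>
 *   <li>the Swagger/OpenAPI paths are {@code permitAll()}, so the API description is
 *       readable without authentication.</li>
 * </ul>
 *
 * <p>The fields and helper methods referenced here ({@code authenticationDetailsSource},
 * the handlers, {@code authenticationTokenFilterBean()}, {@code corsConfigurationSource()})
 * are declared elsewhere in the enclosing class.
 *
 * @param http the {@link HttpSecurity} builder for this filter chain
 * @throws Exception propagated from the builder, as declared by the adapter hook
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Allow the application to be rendered inside an iframe (see the clickjacking note above).
    http.headers().frameOptions().disable();
    // http.sessionManagement().maximumSessions(1).expiredSessionStrategy(sessionInformationExpiredStrategy);
    http.authorizeRequests()
        // Static assets and API documentation are public.
        .antMatchers("/css/**", "/fonts/**", "/images/**", "/js/**").permitAll()
        .antMatchers("/**/v2/api-docs", "/swagger/**", "/swagger-ui.html", "/swagger-resources/**", "/v2/**", "/webjars/**").permitAll()
        .antMatchers("/favicon.ico").permitAll()
        // Everything else: the antAuthService bean decides per request and authentication.
        .anyRequest().access("@antAuthService.canAccess(request,authentication)")
        .and()
        .formLogin()
        .usernameParameter("username")
        .passwordParameter("password")
        .authenticationDetailsSource(authenticationDetailsSource)
        // .loginPage("/login") // custom login page
        // .defaultSuccessUrl("/") // redirect target after a successful login
        .successHandler(simpleLoginSuccessHandler)
        .failureHandler(simpleFailureHandler)
        .permitAll() // the login endpoint itself must be reachable without authentication
        .and()
        // Logout is reachable by anyone; the session cookie is cleared on the way out.
        .logout().addLogoutHandler(simpleLogoutHandler).deleteCookies("JSESSIONID").permitAll()
        .and()
        .exceptionHandling().authenticationEntryPoint(new MyAuthenticationEntryPoint("/login"));
    // JWT filter runs ahead of the username/password filter.
    http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);
    // CSRF protection is off; only acceptable for purely token-based, cookie-less clients (see note above).
    http.csrf().disable();
    http.cors().configurationSource(corsConfigurationSource());
}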