|
|
|
@ -1,9 +1,8 @@
|
|
|
|
|
package ${basePackage}.config;
|
|
|
|
|
|
|
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
|
|
|
import org.springframework.beans.factory.annotation.Value;
|
|
|
|
|
import org.springframework.context.annotation.Bean;
|
|
|
|
|
import org.springframework.context.annotation.Configuration;
|
|
|
|
|
import org.springframework.core.env.Environment;
|
|
|
|
|
import org.springframework.security.access.AccessDeniedException;
|
|
|
|
|
import org.springframework.security.authentication.AuthenticationManager;
|
|
|
|
|
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
|
|
|
@ -34,12 +33,19 @@ import java.util.regex.Pattern;
|
|
|
|
|
@Configuration
|
|
|
|
|
@EnableGlobalMethodSecurity(securedEnabled = true)
|
|
|
|
|
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
|
|
@Autowired
|
|
|
|
|
private Environment environment;
|
|
|
|
|
|
|
|
|
|
@Value("${r'${web.url.auth.included}'}")
|
|
|
|
|
private String[] included;
|
|
|
|
|
@Value("${r'${web.url.auth.excluded}'}")
|
|
|
|
|
private String[] excluded;
|
|
|
|
|
@Value("${r'${spring.mvc.static-path-pattern}'}")
|
|
|
|
|
private String[] staticPath;
|
|
|
|
|
@Value("${r'${web.login.page}'}")
|
|
|
|
|
private String loginPage;
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public void configure(WebSecurity web) throws Exception {
|
|
|
|
|
web.ignoring().mvcMatchers(environment.getProperty("spring.mvc.static-path-pattern", ""));
|
|
|
|
|
web.ignoring().mvcMatchers(staticPath);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
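Review bot: `web.ignoring().mvcMatchers(staticPath)` takes every matching path out of the Spring Security filter chain entirely, so the `TokenFilter`, the authorization rules and the response headers never apply to it, and the patterns now come straight from the `spring.mvc.static-path-pattern` property. A broad value there (for example `/**`) would leave the whole application unprotected, so I would either reject such a value at startup or put a comment on the field, e.g. `// paths here bypass ALL security filters; keep to a narrow static prefix, never /**`. Because the `@Value` placeholders have no default, a missing key now fails startup, where the old `getProperty(..., "")` fell back to an empty pattern; that fail-closed behaviour is reasonable but should be mentioned in the generated project's configuration documentation. The new `loginPage` field is not used anywhere in this hunk, and the class body continues outside it.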
|
|
|
|
@ -48,8 +54,8 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
|
|
.and()
|
|
|
|
|
.addFilterBefore(new TokenFilter(), FilterSecurityInterceptor.class)// 过滤器用于处理Token
|
|
|
|
|
.authorizeRequests()
|
|
|
|
|
.antMatchers(environment.getProperty("web.url.auth.excluded")).permitAll()// 放行排除的URL
|
|
|
|
|
.antMatchers(environment.getProperty("web.url.auth.included")).access("@Authorization.hasPermission(request,authentication)")// 需要权限的URL
|
|
|
|
|
.antMatchers(excluded).permitAll()// 放行排除的URL
|
|
|
|
|
.antMatchers(included).access("@Authorization.hasPermission(request,authentication)")// 需要权限的URL
|
|
|
|
|
.and().cors()
|
|
|
|
|
.and().headers().frameOptions().disable()
|
|
|
|
|
.and().csrf().disable();
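Review bot: The authorization rules end after `.antMatchers(included).access(...)` with no catch-all, so as far as this hunk shows, a URL that matches neither `excluded` nor `included` has no rule and is served without any permission check. I would close the list with `.anyRequest().denyAll()` (or `.anyRequest().authenticated()` if unlisted URLs are meant to be reachable after login) directly after the `included` line. Now that both lists are arrays taken from configuration, note also that `excluded` is evaluated first, so one broad entry there silently makes overlapping `included` URLs public; a comment stating that precedence would help whoever edits the properties. The rules use `antMatchers` while `configure(WebSecurity)` uses `mvcMatchers`; `mvcMatchers(included)` would follow Spring MVC's own path matching and avoid gaps on variants such as a trailing slash. The `configure(HttpSecurity)` chain starts outside this hunk.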
|
|
|
|
|