package xyz.wbsite.dbtool.web.config; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.Authentication; import org.springframework.security.web.access.intercept.FilterSecurityInterceptor; import xyz.wbsite.dbtool.web.frame.auth.LocalData; import xyz.wbsite.dbtool.web.frame.base.Token; import xyz.wbsite.dbtool.web.frame.utils.CookieUtil; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import java.io.IOException; import java.util.regex.Matcher; import java.util.regex.Pattern; @Configuration @EnableGlobalMethodSecurity(securedEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Value("${web.url.auth.included}") private String[] included; @Value("${web.url.auth.excluded}") private String[] excluded; @Value("${spring.mvc.static-path-pattern}") private String[] staticPath; @Override public void configure(WebSecurity web) throws Exception { web.ignoring().mvcMatchers(staticPath); } @Override protected void configure(HttpSecurity http) throws Exception { http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .addFilterBefore(new TokenFilter(), FilterSecurityInterceptor.class)// 过滤器用于处理Token .authorizeRequests() .antMatchers(excluded).permitAll()// 放行排除的URL .antMatchers(included).access("@Authorization.hasPermission(request,authentication)")// 需要权限的URL .and().cors() .and().headers().frameOptions().disable() .and().csrf().disable(); } /** * 此方法不要删除 用于屏蔽默认用户密码生成 *

* 例如 Using generated security password: f6b42a66-71b1-4c31-b6a8-942838c81408 * * @return * @throws Exception */ @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } public static class TokenFilter implements Filter { @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) servletRequest; String token = request.getParameter("token"); if (token == null || token.isEmpty()) { token = CookieUtil.getCookieValue(request.getCookies(), "token"); } if (token == null) { LocalData.setToken(LocalData.getTempToken()); } else { // 组装Token ~ 这边根据实际的业务组装Token Token token1 = new Token(); token1.setId(1L); token1.setUserId(1L); token1.setUserName("admin"); //继承临时Token token1.addResourceSet(LocalData.getTempToken()); //管理员特有资源(这边请用正则表达式) token1.putResource(".*"); LocalData.setToken(token1); } // Action String servletPath = request.getServletPath(); Pattern compile = Pattern.compile("^/(.+)\\.htm"); Matcher matcher = compile.matcher(servletPath); if (matcher.find()) { LocalData.setAction(matcher.group(1)); } filterChain.doFilter(servletRequest, servletResponse); } } @Bean("Authorization") public Object getAuthorization() { return new Object() { public boolean hasPermission(HttpServletRequest request, Authentication authentication) { // 授权 Token token_ = LocalData.getToken(); if (token_.hasResource(request.getServletPath())) { return true; } return false; } }; } }