import com.example.websocket.chat.security.filer.CustomUsernamePasswordAuthenticationFilter; import com.example.websocket.chat.security.filer.JwtAuthenticationFilter; import com.example.websocket.chat.security.handler.*; import com.example.websocket.chat.security.service.JwtStoreService; import com.example.websocket.chat.security.service.impl.UserDetailsServiceImpl; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Lazy; import org.springframework.context.support.ReloadableResourceBundleMessageSource; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.BeanIds; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.config.core.GrantedAuthorityDefaults; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.logout.LogoutFilter; import javax.annotation.Resource; /** * @author zhong */ @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(securedEnabled = true) public class SpringSecurityConfig { @Resource private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler; @Resource private CustomAuthenticationFailureHandler customAuthenticationFailureHandler; @Resource private CustomAuthenticationEntryPoint customAuthenticationEntryPoint; @Resource private CustomLogoutHandler customLogoutHandler; @Resource private CustomLogoutSuccessHandler customLogoutSuccessHandler; @Resource private CustomAccessDeniedHandler customAccessDeniedHandler; @Resource private SecurityProperties securityProperties; @Resource private JwtStoreService jwtStoreService; @Resource private UserDetailsServiceImpl userDetailsService; @Resource private AuthenticationConfiguration authenticationConfiguration; /** * 静态文件放行 */ @Bean public WebSecurityCustomizer webSecurityCustomizer() { return (web) -> web.ignoring().antMatchers(securityProperties.getStaticPaths()); } /** * 取消ROLE_前缀 */ @Bean public GrantedAuthorityDefaults grantedAuthorityDefaults() { // Remove the ROLE_ prefix return new GrantedAuthorityDefaults(""); } /** * 设置密码编码器 */ @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } /** * 设置中文配置 */ @Bean public ReloadableResourceBundleMessageSource messageSource() { ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource(); messageSource.setBasename("classpath:org/springframework/security/messages_zh_CN"); return messageSource; } /** * 认证管理器，登录的时候参数会传给 authenticationManager */ @Bean public AuthenticationManager authenticationManager() throws Exception { return authenticationConfiguration.getAuthenticationManager(); } /** * 设置默认认证提供 */ @Bean public DaoAuthenticationProvider daoAuthenticationProvider() { final DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider(); authenticationProvider.setUserDetailsService(userDetailsService); authenticationProvider.setPasswordEncoder(passwordEncoder()); return authenticationProvider; } /** * 安全配置 */ @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationConfiguration authenticationConfiguration) throws Exception { // 表单 http.formLogin() // 登录成功处理器 .successHandler(customAuthenticationSuccessHandler) // 登录错误处理器 .failureHandler(customAuthenticationFailureHandler) .and() //添加登录逻辑拦截器，不使用默认的UsernamePasswordAuthenticationFilter .addFilterBefore( new CustomUsernamePasswordAuthenticationFilter( authenticationManager(), customAuthenticationSuccessHandler, customAuthenticationFailureHandler ) , UsernamePasswordAuthenticationFilter.class) //添加token验证过滤器 .addFilterBefore(new JwtAuthenticationFilter(jwtStoreService), LogoutFilter.class); //退出 http .logout() // URL .logoutUrl("/user/logout") // 登出处理 .addLogoutHandler(customLogoutHandler) // 登出成功处理 .logoutSuccessHandler(customLogoutSuccessHandler); //拦截设置 http .authorizeRequests() //公开以下urls .antMatchers(securityProperties.getPublicPaths()).permitAll() //其他路径必须验证 .anyRequest().authenticated(); //异常处理 http .exceptionHandling() // 未登录处理 .authenticationEntryPoint(customAuthenticationEntryPoint) // 无权限处理 .accessDeniedHandler(customAccessDeniedHandler); //关闭session http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // 关闭cors http.cors().disable(); // 关闭csrf http.csrf().disable(); // 关闭headers http.headers().frameOptions().disable(); return http.build(); } }