blame | 历史 | 补丁 | 提交 | 提交对比 | ignore whitespace
#
zhou zhou
1 天以前 2ce6327ec49e7fe73cc1cd3bcc2b63b28d89d38f 
 rsf-server/src/main/java/com/vincent/rsf/server/common/security/SecurityConfig.java


@@ -2,26 +2,27 @@




import com.vincent.rsf.server.common.constant.Constants;


import com.vincent.rsf.server.common.utils.CommonUtil;


import jakarta.annotation.Resource;


import jakarta.servlet.ServletException;


import jakarta.servlet.http.HttpServletRequest;


import jakarta.servlet.http.HttpServletResponse;


import org.springframework.context.annotation.Bean;


import org.springframework.context.annotation.Configuration;


import org.springframework.http.HttpMethod;


import org.springframework.security.access.AccessDeniedException;


import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;


import org.springframework.security.config.Customizer;


import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;


import org.springframework.security.config.annotation.web.builders.HttpSecurity;


import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;


import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;


import org.springframework.security.config.http.SessionCreationPolicy;


import org.springframework.security.core.AuthenticationException;


import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;


import org.springframework.security.web.AuthenticationEntryPoint;


import org.springframework.security.web.SecurityFilterChain;


import org.springframework.security.web.access.AccessDeniedHandler;


import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;


import org.springframework.stereotype.Component;




import javax.annotation.Resource;


import javax.servlet.ServletException;


import javax.servlet.http.HttpServletRequest;


import javax.servlet.http.HttpServletResponse;


import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;


import java.io.IOException;




/**


@@ -30,10 +31,10 @@


 */


@Configuration


@EnableWebSecurity


@EnableGlobalMethodSecurity(prePostEnabled = true)


public class SecurityConfig extends WebSecurityConfigurerAdapter {


@EnableMethodSecurity(prePostEnabled = true)


public class SecurityConfig {




    public static final String[] FILTER_PATH = new String[]{


    public static final String[] FILTER_PATH = new String[] {


            "/demo/**",


            "/test/**",


            "/system/info",


@@ -41,6 +42,8 @@


            "/email/code",


            "/pda/login",


            "/erp/**",


            "/base/**",


            "/order/**",


            "/login",


            "/register",


            "/druid/**",


@@ -51,7 +54,12 @@


            "/v2/api-docs/**",


            "/v3/api-docs/**",


            "/swagger-ui/**",


            "/ws/**"


            "/ws/**",


            "/wcs/**",


            "/monitor/**",


            "/mcp/**",


            "/ai/mcp",


            "/mes/**"


    };




    @Resource


@@ -61,40 +69,28 @@


    @Resource


    private JwtAuthenticationFilter jwtAuthenticationFilter;




    @Override


    protected void configure(HttpSecurity http) throws Exception {


        http.authorizeRequests()


                .antMatchers(HttpMethod.OPTIONS, "/**")


                .permitAll()


                .antMatchers(HttpMethod.GET, "/file/**", "/captcha", "/")


                .permitAll()


                .antMatchers(FILTER_PATH)


                .permitAll()


                .anyRequest()


                .authenticated()


                .and()


                .sessionManagement()


                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)


                .and()


                .csrf()


                .disable()


                .cors()


                .and()


                .logout()


                .disable()


                .headers()


                .frameOptions()


                .disable()


                .and()


                .exceptionHandling()


                .accessDeniedHandler(jwtAccessDeniedHandler)


                .authenticationEntryPoint(jwtAuthenticationEntryPoint)


                .and()


    @Bean


    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {


        http


                .authorizeHttpRequests(authorize -> authorize


                        .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()


                        .requestMatchers(HttpMethod.GET, "/file/**", "/captcha", "/").permitAll()


                        .requestMatchers(FILTER_PATH).permitAll()


                        .anyRequest().authenticated())


                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))


                .csrf(AbstractHttpConfigurer::disable)


                .cors(Customizer.withDefaults())


                .logout(AbstractHttpConfigurer::disable)


                .headers(headers -> headers.frameOptions(frame -> frame.disable()))


                .exceptionHandling(exception -> exception


                        .accessDeniedHandler(jwtAccessDeniedHandler)


                        .authenticationEntryPoint(jwtAuthenticationEntryPoint))


                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);


        return http.build();


    }




    @Bean


    public BCryptPasswordEncoder bCryptPasswordEncoder() {


    public static BCryptPasswordEncoder bCryptPasswordEncoder() {


        return new BCryptPasswordEncoder();


    }




@@ -124,3 +120,4 @@


    }




}