login 404
是因爲在AUTH_WHITELIST放行的url加了/login
rbac不走是因爲在AUTH_WHITELIST放行的url加了/error
AUTH_WHITELIST 是忽略走rbac,但是jwtfilter裏面不能忽略,login還是會走filter,不知道爲啥
package com.bmsoft.behavioranalysis.server.tenant.common.config;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAccessDeniedHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAuthenticationEntryPoint;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAuthenticationFailureHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAuthenticationSuccessHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxLogoutSuccessHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.login.CustomAuthenticationProvider;
import com.bmsoft.behavioranalysis.server.tenant.security.permission.JwtAuthenticationTokenFilter;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
@Configuration //配置類
@EnableWebSecurity //開啓權限
@EnableGlobalMethodSecurity(prePostEnabled = true) //開啓權限註解
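/**
 * Spring Security configuration for the tenant server.
 *
 * <p>The application is stateless: CSRF is disabled, no HTTP session is created, and every request
 * that reaches the security filter chain is authenticated by {@link JwtAuthenticationTokenFilter}
 * and then authorized by the RBAC expression {@code @rbacauthorityservice.hasPermission}.
 *
 * <p>Two different "public" mechanisms are used here and they are not equivalent:
 * <ul>
 *   <li>{@link #AUTH_WHITELIST} is passed to {@code web.ignoring()}, which removes those paths from
 *       the Spring Security filter chain altogether — no JWT filter, no RBAC check, no
 *       {@code exceptionHandling()} handlers.</li>
 *   <li>{@code permitAll()} inside {@link #configure(HttpSecurity)} keeps the request inside the
 *       chain (so the JWT filter still runs and a principal may be populated) but skips the
 *       authorization decision.</li>
 * </ul>
 * Endpoints that merely need to be reachable without a login should normally use the second form;
 * the first form is appropriate only for truly static resources.
 */
@Configuration // configuration class
@EnableWebSecurity // enables Spring Security
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Paths excluded from the security filter chain entirely (see {@link #configure(WebSecurity)}).
     *
     * <p>Review notes on the current list:
     * <ul>
     *   <li>{@code /api/**} and {@code /druid/**} are broad prefixes; everything below them is
     *       served with no authentication and no RBAC check at all. Confirm that nothing
     *       sensitive (Druid monitoring console, business APIs) lives under these prefixes, or
     *       narrow them.</li>
     *   <li>{@code /index.html} is also granted via {@code permitAll()} in
     *       {@link #configure(HttpSecurity)}; that rule is never reached because the path is
     *       ignored here first.</li>
     *   <li>NOTE(review): {@link JwtAuthenticationTokenFilter} is injected as a Spring bean. If it
     *       is also registered as a plain servlet filter (Spring Boot does this for {@code Filter}
     *       beans unless they are disabled via a {@code FilterRegistrationBean}), it will run for
     *       ignored paths too, independently of this chain — this is the most likely reason the
     *       login request still passes through the JWT filter. Verify against the filter's bean
     *       definition.</li>
     * </ul>
     */
    private static final String[] AUTH_WHITELIST = {
        "/druid/**",
        "/v2/api-docs/**",
        "/swagger-resources/**",
        "/configuration/ui/**",
        "/configuration/security/**",
        "/swagger-ui.html/swagger-resources",
        "/swagger-ui.html",
        "/webjars/**",
        "/index.html",
        "/static/**",
        "/api/**",
        "/login_p",
        "/serverTenant/login",
        "/serverTenant/sysTenant/getTenantName",
        "/serverTenant/sysTenantDetail/getPlateSuccessCode",
        "/serverTenant/sysTenantDetail/getUrl",
        "/menu/menu",
        "/doLogin",
        "/",
        "/csrf"
    };

    @Autowired
    private AjaxAuthenticationEntryPoint authenticationEntryPoint; // unauthenticated: JSON response instead of HTML

    @Autowired
    private AjaxAuthenticationSuccessHandler authenticationSuccessHandler; // login succeeded: JSON response instead of HTML

    @Autowired
    private AjaxAuthenticationFailureHandler authenticationFailureHandler; // login failed: JSON response instead of HTML

    @Autowired
    private AjaxLogoutSuccessHandler logoutSuccessHandler; // logout succeeded: JSON response instead of the login HTML

    @Autowired
    private AjaxAccessDeniedHandler accessDeniedHandler; // forbidden: JSON response instead of the 403 HTML page

    @Autowired
    private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter; // JWT authentication filter

    @Autowired
    private CustomAuthenticationProvider authenticationProvider;

    @Autowired
    private AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource;

    /**
     * Registers the custom {@link CustomAuthenticationProvider} used for login.
     *
     * <p>No {@code UserDetailsService} or {@code PasswordEncoder} is configured here; credential
     * verification and password hashing are the provider's responsibility (its implementation is
     * not part of this file).
     *
     * @param auth the authentication manager builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    /**
     * Removes every path in {@link #AUTH_WHITELIST} from the security filter chain.
     *
     * <p>Ignored requests bypass the JWT filter, the RBAC check and the configured exception
     * handlers; see the notes on {@link #AUTH_WHITELIST}.
     *
     * @param web the web security builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(AUTH_WHITELIST);
    }

    /**
     * Configures the stateless, JWT-authenticated, RBAC-authorized filter chain.
     *
     * @param http the HTTP security builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF is disabled because the session is STATELESS and authentication is carried by the
        // JWT filter. NOTE(review): this is only safe if the token is sent in a header rather than
        // a cookie — confirm where JwtAuthenticationTokenFilter reads it from.
        http.csrf().disable()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // JWT in use; never create a session
            .and()
            .httpBasic().authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .authorizeRequests()
            // Shadowed: "/index.html" is already in AUTH_WHITELIST and never reaches this chain.
            .antMatchers("/index.html").permitAll()
            .anyRequest() // every other request requires an authenticated principal ...
            .access("@rbacauthorityservice.hasPermission(request,authentication)") // ... plus a dynamic RBAC URL check
            .and()
            .formLogin()
            .successHandler(authenticationSuccessHandler)
            .failureHandler(authenticationFailureHandler)
            .permitAll()
            .authenticationDetailsSource(authenticationDetailsSource)
            .and()
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessHandler(logoutSuccessHandler)
            .permitAll();
        // 403 responses go through the JSON handler rather than the default HTML page.
        http.exceptionHandling().accessDeniedHandler(accessDeniedHandler);
        // The JWT filter must populate the SecurityContext before the username/password filter
        // and before the authorization decision above runs.
        http.addFilterBefore(jwtAuthenticationTokenFilter,
            UsernamePasswordAuthenticationFilter.class);
    }
}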