springSecurity login 404 ,rbac不走

login 請求返回 404

是因爲在 AUTH_WHITELIST 放行的 url 加了 /login。web.ignoring() 會讓該路徑完全跳過 Spring Security 過濾器鏈，formLogin 的 UsernamePasswordAuthenticationFilter 因此不會處理 POST /login；請求落到 DispatcherServlet 後又沒有對應的 Controller，於是返回 404。登錄 URL 應交由 formLogin().permitAll() 放行，不要放進 ignoring 列表。

 

rbac不走是因爲在AUTH_WHITELIST放行的url加了/error

 

AUTH_WHITELIST 只是讓這些 url 跳過 rbac 檢查，但 jwtFilter 並不會被跳過，login 還是會走 filter。最可能的原因是：JwtAuthenticationTokenFilter 本身是一個 Spring Bean（這裏用 @Autowired 注入），Spring Boot 會把所有 Filter 類型的 Bean 額外註冊到 Servlet 容器的過濾器鏈中，而 web.ignoring() 只跳過 Spring Security 自己的過濾器鏈，所以該 filter 對所有請求（包括 /login）都會執行。若只想讓它在安全過濾器鏈中生效，可再註冊一個對應的 FilterRegistrationBean 並 setEnabled(false)，關閉容器層的自動註冊。

 

 

 

package com.bmsoft.behavioranalysis.server.tenant.common.config;


import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAccessDeniedHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAuthenticationEntryPoint;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAuthenticationFailureHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAuthenticationSuccessHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxLogoutSuccessHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.login.CustomAuthenticationProvider;
import com.bmsoft.behavioranalysis.server.tenant.security.permission.JwtAuthenticationTokenFilter;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetails;


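@Configuration  // Spring configuration class
@EnableWebSecurity  // enables Spring Security's web support
@EnableGlobalMethodSecurity(prePostEnabled = true)  // enables @PreAuthorize / @PostAuthorize
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  /**
   * Paths that bypass the Spring Security filter chain entirely (see
   * {@link #configure(WebSecurity)}). Requests to these paths are never
   * authenticated, never go through the RBAC {@code access(...)} check, and
   * never hit the JWT filter as part of the security chain.
   *
   * <p>NOTE(review): "/api/**" removes every path under /api from security
   * and "/druid/**" exposes the Druid monitoring console without a login.
   * Confirm both are intended. For endpoints that should stay reachable
   * without a token but still receive security headers / JWT parsing, prefer
   * {@code permitAll()} in {@link #configure(HttpSecurity)} over ignoring.
   *
   * <p>Do not add the login-processing URL here: an ignored path skips the
   * {@code UsernamePasswordAuthenticationFilter}, so the login POST falls
   * through to the dispatcher and returns 404.
   */
  private static final String[] AUTH_WHITELIST = {
      "/druid/**",
      "/v2/api-docs/**",
      "/swagger-resources/**",
      "/configuration/ui/**",
      "/configuration/security/**",
      "/swagger-ui.html/swagger-resources",
      "/swagger-ui.html",
      "/webjars/**",
      "/index.html",
      "/static/**",
      "/api/**",
      "/login_p",
      "/serverTenant/login",
      "/serverTenant/sysTenant/getTenantName",
      "/serverTenant/sysTenantDetail/getPlateSuccessCode",
      "/serverTenant/sysTenantDetail/getUrl",
      "/menu/menu",
      "/doLogin",
      "/",
      "/csrf"
  };


  @Autowired
  private AjaxAuthenticationEntryPoint authenticationEntryPoint;  // unauthenticated -> JSON body (instead of an HTML login page)
  @Autowired
  private AjaxAuthenticationSuccessHandler authenticationSuccessHandler;   // login success -> JSON body
  @Autowired
  private AjaxAuthenticationFailureHandler authenticationFailureHandler;   // login failure -> JSON body
  @Autowired
  private AjaxLogoutSuccessHandler logoutSuccessHandler;  // logout success -> JSON body (instead of the login HTML)
  @Autowired
  private AjaxAccessDeniedHandler accessDeniedHandler;  // access denied -> JSON body (instead of the 403 HTML page)

  /**
   * JWT filter. Because it is a Spring bean, Spring Boot may also register it
   * with the servlet container on its own, in which case it runs for every
   * request, including the ignored paths above; register a disabled
   * FilterRegistrationBean for it if it should only run inside the security
   * chain.
   */
  @Autowired
  private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;

  @Autowired
  private CustomAuthenticationProvider authenticationProvider;

  @Autowired
  private AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource;

  /**
   * Registers the custom authentication provider. No default
   * userDetailsService / passwordEncoder is configured here; credential
   * verification is entirely the provider's responsibility.
   *
   * @param auth the authentication manager builder
   * @throws Exception propagated from the builder
   */
  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(authenticationProvider);
  }


  /**
   * Excludes {@link #AUTH_WHITELIST} from the security filter chain. Unlike
   * {@code permitAll()}, an ignored request gets no security processing at
   * all (no JWT parsing, no RBAC, no security headers).
   *
   * @param web the web security builder
   * @throws Exception propagated from the builder
   */
  @Override
  public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(AUTH_WHITELIST);
  }

  /**
   * HTTP security rules: stateless (JWT) sessions, every non-ignored request
   * is decided by the RBAC bean, JSON handlers for login/logout/denied, and
   * the JWT filter placed before the username/password filter.
   *
   * @param http the HTTP security builder
   * @throws Exception propagated from the builder
   */
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()  // acceptable only while the JWT travels in a header; re-enable if it is ever stored in a cookie
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // no HTTP session; the JWT is the only credential between requests
        .and()

        // NOTE(review): HTTP Basic is enabled in addition to JWT, so any request
        // carrying an Authorization: Basic header is authenticated through the
        // provider above. Remove this if Basic is not a supported login path.
        .httpBasic().authenticationEntryPoint(authenticationEntryPoint)

        .and()
        .authorizeRequests()
        .antMatchers("/index.html").permitAll()  // already in AUTH_WHITELIST; harmless but redundant
        .anyRequest()
        .access("@rbacauthorityservice.hasPermission(request,authentication)") // RBAC: dynamic per-URL decision

        .and()
        .formLogin()
        .successHandler(authenticationSuccessHandler)  // presumably issues the JWT, since no session is kept -- confirm
        .failureHandler(authenticationFailureHandler)
        .permitAll()
        .authenticationDetailsSource(authenticationDetailsSource)

        .and()
        .logout()
        .logoutUrl("/logout")
        .logoutSuccessHandler(logoutSuccessHandler)
        .permitAll();

    // Set the JSON entry point for the whole chain, not only for HTTP Basic:
    // formLogin() otherwise contributes its own redirect-to-login entry point,
    // and unauthenticated non-Basic requests could get an HTML redirect
    // instead of the JSON error the front end expects.
    http.exceptionHandling()
        .authenticationEntryPoint(authenticationEntryPoint)
        .accessDeniedHandler(accessDeniedHandler);
    http.addFilterBefore(jwtAuthenticationTokenFilter,
        UsernamePasswordAuthenticationFilter.class);
  }


}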
