mark v1 SecurityConfig
package cn.efunbox.cms.configuration; import cn.efunbox.afw.core.entity.ApiCode; import cn.efunbox.afw.core.entity.ApiResult; import cn.efunbox.cms.code.CmsWebApiCode; import cn.efunbox.cms.interceptor.LoginInterceptor; import cn.efunbox.cms.security.CmsAuthenticationProvider; import cn.efunbox.cms.security.CmsUserDetailsService; import cn.efunbox.web.common.util.HttpUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.InsufficientAuthenticationException; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.session.SessionInformation; import org.springframework.security.core.session.SessionRegistry; import org.springframework.security.core.session.SessionRegistryImpl; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler; import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler; import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler; import org.springframework.security.web.authentication.session.*; import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfTokenRepository; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; import org.springframework.security.web.session.ConcurrentSessionFilter; import org.springframework.security.web.session.SessionManagementFilter; import org.springframework.util.StringUtils; import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.util.WebUtils; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.Arrays; import java.util.List; /** * 安全配置中心 * @author by tomas * @date 2017-06-06 15:30:00 */ @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true)//允许进入页面方法前检验 @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) public class SecurityConfig extends WebSecurityConfigurerAdapter { private static final Logger logger = LoggerFactory.getLogger(LoginInterceptor.class); @Bean public UserDetailsService userDetailsService() { return new CmsUserDetailsService(); } @Bean public CmsAuthenticationProvider cmsAuthenticationProvider() { return new CmsAuthenticationProvider(); } /** * 设置那些 URL 忽略权限 * @param web * @throws Exception */ @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**"); web.ignoring().antMatchers(HttpMethod.GET,"/login/**"); } @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated() //先去掉 csrf .and().csrf().disable() //.and().csrf().ignoringAntMatchers("/login","/logout").csrfTokenRepository(csrfTokenRepository()).and() .addFilterAfter(csrfHeaderFilter(), SessionManagementFilter.class) .authorizeRequests().antMatchers("/login").permitAll(); http .formLogin().successHandler(new RestAuthenticationSuccessHandler()) .failureHandler(new RestAuthenticationFailureHandler()) .permitAll() .and() .logout().logoutSuccessHandler(new RestLogoutSuccessHandler()) .deleteCookies("JSESSIONID", "X-XSRF-TOKEN") .permitAll(); http.sessionManagement() .sessionAuthenticationStrategy(sessionAuthenticationStrategy()) .and() .addFilter(concurrentSessionFilter()); http.exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint()); // http // .rememberMe() // .rememberMeCookieName("") // .tokenValiditySeconds(200000) // .rememberMeServices(rememberMeServices); } /** * 自定义 认证密码 和 获取用户 服务 * @param auth * @throws Exception */ @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(cmsAuthenticationProvider()) .userDetailsService(userDetailsService()); } @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } /** * csrf 过滤器 请求必须 * @return */ private Filter csrfHeaderFilter() { return new OncePerRequestFilter() { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName()); if (csrf != null) { Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN"); String token = csrf.getToken(); if (cookie == null || token != null && !token.equals(cookie.getValue())) { cookie = new Cookie("XSRF-TOKEN", token); cookie.setPath("/"); response.addCookie(cookie); } } filterChain.doFilter(request, response); } }; } private CsrfTokenRepository csrfTokenRepository() { HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository(); repository.setHeaderName("X-XSRF-TOKEN");//repository.setSessionAttributeName(("X-XSRF-TOKEN")); return repository; } /** * 注册自定义的SessionRegistry */ @Bean public SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); } /** * 注册自定义 sessionAuthenticationStrategy * 设置 ConcurrentSessionControlAuthenticationStrategy 控制并发 * 设置 SessionFixationProtectionStrategy 可以防盗session * 设置 RegisterSessionAuthenticationStrategy 触发了注册新sessin */ @Bean public CompositeSessionAuthenticationStrategy sessionAuthenticationStrategy() { ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlAuthenticationStrategy = new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry()); concurrentSessionControlAuthenticationStrategy.setMaximumSessions(); concurrentSessionControlAuthenticationStrategy.setExceptionIfMaximumExceeded(true); SessionFixationProtectionStrategy sessionFixationProtectionStrategy = new SessionFixationProtectionStrategy(); RegisterSessionAuthenticationStrategy registerSessionStrategy = new RegisterSessionAuthenticationStrategy(sessionRegistry()); CompositeSessionAuthenticationStrategy sessionAuthenticationStrategy = new CompositeSessionAuthenticationStrategy( Arrays.asList(concurrentSessionControlAuthenticationStrategy, sessionFixationProtectionStrategy, registerSessionStrategy)); return sessionAuthenticationStrategy; } /** * 注册并发Session Filter */ @Bean public ConcurrentSessionFilter concurrentSessionFilter() { return new ConcurrentSessionFilter(sessionRegistry(), "/login?expired"); } /** * Rest 登陆成功后的处理 */ public class RestAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler { @Override public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException { HttpUtil.responseOutWithJson(request,response, ApiResult.ok(authentication.getPrincipal())); clearAuthenticationAttributes(request); } } /** * Rest 登录认证失败后的处理 */ public class RestAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler { @Override public void onAuthenticationFailure (HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws ServletException, IOException { logger.error("登录失败 exception={}" ,exception); saveException(request, exception); //密码错误 if(exception instanceof BadCredentialsException){ HttpUtil.responseOutWithJson(request,response, ApiResult.error(CmsWebApiCode.PASSWORD_ERROR)); } //查询用户出错 else if(exception instanceof UsernameNotFoundException){ HttpUtil.responseOutWithJson(request,response, ApiResult.error(CmsWebApiCode.USERNAME_PASSWORD_ERROR)); } //查询用户出错 else if(exception instanceof SessionAuthenticationException){ HttpUtil.responseOutWithJson(request,response, ApiResult.error(CmsWebApiCode.MAX_COUNT_SESSION_ERROR)); } else { HttpUtil.responseOutWithJson(request,response, ApiResult.error(CmsWebApiCode.AUTHORIZED_FAILD)); } } } /** * Rest 登出成功后的处理 */ public class RestLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler { @Override public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException { logger.info("登出成功! "); if (!StringUtils.isEmpty(request.getRequestedSessionId())){ //sessionRegistry().removeSessionInformation(request.getRequestedSessionId()); if(null!=authentication && null!=authentication.getDetails() && null!=authentication.getPrincipal()){ List<SessionInformation> sessionInformations= sessionRegistry().getAllSessions(authentication.getPrincipal(),false); for (SessionInformation sessionInformation : sessionInformations) { sessionInformation.expireNow(); } sessionRegistry().getAllPrincipals().remove(authentication.getDetails()); } } HttpUtil.delCookies(request,response,"JSESSIONID", "X-XSRF-TOKEN"); HttpUtil.responseOk(request,response); } } /** * Rest 权限不通过的处理 */ public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint { @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException { //原生返回 response.sendError(HttpServletResponse.SC_UNAUTHORIZED,"Authentication Failed: " + authException.getMessage()); //cookie失效 if(authException instanceof InsufficientAuthenticationException){ HttpUtil.responseOutWithJson(request,response, ApiResult.error(CmsWebApiCode.INVALID_COOKIE)); } HttpUtil.responseApiCode(request,response, ApiCode.ACCESS_DENIED); } } }
http://git.oschina.net/xiangxik/castle-platform/blob/master/castle-sample/castle-sample-console/src/main/java/com/whenling/sample/security/MainWebSecurityConfigBean.java
@Configuration @Order(Ordered.HIGHEST_PRECEDENCE) publicclassMainWebSecurityConfigBeanextendsWebSecurityConfigurerAdapter{ @Value("${security.skip_auth_urls?:/assets/**,/captcha**,/upload/**}") privateString[]skipAuthUrls; @Autowired privateObjectFactoryobjectMapper; @Autowired privateObjectFactorymessageSourceAccessor; publicMainWebSecurityConfigBean(){ super(true); } @Override protectedvoidconfigure(HttpSecurityhttp)throwsException{ http.csrf().and().addFilter(newWebAsyncManagerIntegrationFilter()).exceptionHandling().and().headers().and().sessionManagement().and() .securityContext().and().requestCache().and().anonymous().and().servletApi().and().logout(); http.getSharedObject(AuthenticationManagerBuilder.class)// .authenticationProvider(null) .authenticationEventPublisher(defaultAuthenticationEventPublisher()); http.rememberMe().userDetailsService(userDetailsService()); FormLoginConfigurerconfigurer=http.headers().frameOptions().sameOrigin().and().csrf().disable().formLogin(); configurer.successHandler(newResultAuthenticationSuccessHandler(objectMapper.getObject())) .failureHandler(newResultAuthenticationFailureHanlder(objectMapper.getObject(),messageSourceAccessor.getObject())); ExceptionHandlingConfigurerexceptionConfigurer=configurer.permitAll().and().authorizeRequests().antMatchers(skipAuthUrls) .permitAll().anyRequest().authenticated().and().exceptionHandling(); exceptionConfigurer.authenticationEntryPoint( newExceptionAuthenticationEntryPoint(newHttp403ForbiddenEntryPoint(),newLoginUrlAuthenticationEntryPoint("/login"))); exceptionConfigurer.and().logout().logoutSuccessUrl("/login").permitAll(); } @Bean publicUserDetailsServiceuserDetailsService(){ returnnewAdminDetailsService(); } @Bean publicDefaultAuthenticationEventPublisherdefaultAuthenticationEventPublisher(){ returnnewDefaultAuthenticationEventPublisher(); } }
mark v1 SecurityConfig的更多相关文章
- [HNOI2019]校园旅行(构造+生成树+动规)
题目 [HNOI2019]校园旅行 做法 最朴素的做法就是点对扩展\(O(m^2)\) 发现\(n\)比较小,我们是否能从\(n\)下手减少边数呢?是肯定的 单独看一个颜色的联通块,如果是二分图,我们 ...
- Mina工具类v1.5
package com.cucpay.fundswap.util; import java.net.InetSocketAddress; import java.nio.charset.Charset ...
- 使用升级版的 Bootstrap typeahead v1.2.2
上次介绍了 Bootstrap 2 中附带的 typeahead,功能强大,但是使用起来不太方便,作者 Terry Rosen 已经升级了一个新版本 v1.2.2,作出了很大的改进. 下载地址 htt ...
- [iOS UI进阶 - 2.0] 彩票Demo v1.0
A.需求 1.模仿“网易彩票”做出有5个导航页面和相应功能的Demo 2.v1.0 版本搭建基本框架 code source:https://github.com/hellovoidworld/H ...
- 《Ruby语言入门教程v1.0》学习笔记-01
<Ruby语言入门教程v1.0> 编著:张开川 邮箱:kaichuan_zhang@126.com 想要学习ruby是因为公司的自动化测试使用到了ruby语言,但是公司关于ruby只给了一 ...
- 名片管理系统v1.1(main)
# version: 1.1# author: Mark import cords_tools while True: # 显示界面 cords_tools.show_cords() cords ...
- 开源项目——小Q聊天机器人V1.0
小Q聊天机器人V1.0 http://blog.csdn.net/baiyuliang2013/article/details/51386281 小Q聊天机器人V1.1 http://blog.csd ...
- Ubuntu16.04搭建kubernetes v1.11.2集群
1.节点介绍 master cluster-1 cluster-2 cluster-3 hostname k8s-55 k8s-5 ...
- 使用kubeadm安装Kubernetes v1.10
关于K8S: Kubernetes是Google开源的容器集群管理系统.它构建于docker技术之上,为容器化的应用提供资源调度.部署运行.服务发现.扩 容缩容等整一套功能,本质上可看作是基于容器技术 ...
随机推荐
- JAVA-数据类型、变量、常量
http://blog.csdn.net/yuhailong626/article/details/7245571 http://www.cnblogs.com/JackieADBM/p/534222 ...
- hdu 1532 Drainage Ditches (最大流)
最大流的第一道题,刚开始学这玩意儿,感觉好难啊!哎····· 希望慢慢地能够理解一点吧! #include<stdio.h> #include<string.h> #inclu ...
- 使用cwrsync做服务器文件夹同步
首先要下载cwRsync的服务端和客户端软件(4.05免费版),下载地址如下: https://www.itefix.no/i2/cwrsync 具体的配置过程和遇到的问题可参考: http://ww ...
- 在Android 5.0中使用JobScheduler
在Android 5.0中使用JobScheduler 原文链接 : using-the-jobscheduler-api-on-android-lollipop 译者 : Mr.Simple 校对者 ...
- [Android Pro] android root权限破解分析
许 多机友新购来的Android机器没有破解过Root权限,无法使用一些需要高权限的软件,以及进行一些高权限的操作,其实破解手机Root权限是比较简 单及安全的,破解Root权限的原理就是在手机的/s ...
- WebView利用UserAgent传递SESSIONID
mWebView.getSettings().setUserAgentString(mWebView.getSettings().getUserAgentString()+"SESSIONI ...
- 数学图形(2.5)Loxodrome曲线
这也是一种贴在球上的曲线 #http://www.mathcurve.com/courbes3d/loxodromie/sphereloxodromie.shtml vertices = 1000 t ...
- SQL IN
here are some additional clause in the SQL language that can be used to simplify queries by decrease ...
- JS辨别访问浏览器
项目中需要扫描二维码之后自动分辨出是android还是ios系统,针对于不同的系统进行不同的下载. <script type="text/javascript"> /* ...
- HDU 2897 邂逅明下 (博弈)
题意: 给你n.p.q,每次操作是令n减小 [p, q]区间中的数,当n < p时必须全部取完了,取完最后一次的人算输,问先手必胜还是必败. 解题思路: 这种非常类似巴什博弈,可以找出必胜区间和 ...