注:基于url做动态权限校验,同时不重写FilterInvocationSecurityMetadataSource以及
AccessDecisionManager(重写这两个类会导致Spring Security原有的校验流程失效)。
1,SecurityConfig.java
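基于url做动态权限校验,最重要的一点是在初始化时把权限与uri一一对应地查询出来,并逐条注册为访问规则。需要注意:这些规则只在应用启动、执行configure时加载一次,之后对权限数据的修改不会自动生效;另外示例中的@EnableWebSecurity(debug = true)会把请求细节(包括请求头)输出到日志,只适合本地调试,生产环境应关闭。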
@Configuration
@EnableWebSecurity(debug = true)
@RequiredArgsConstructor
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
// Collaborators injected by the container via @Resource.

// Not referenced in the visible part of configure(); presumably backs the
// authUrl() lookup of URI -> authority-code pairs — TODO confirm.
@Resource
private MenuFacade menuFacade;
// Installed in configure() as the authentication entry point, i.e. the handler
// for requests that are not logged in or whose login has expired.
@Resource
private RestAuthenticationEntryPoint restAuthenticationEntryPoint;
// Not referenced in the visible part of this class.
@Resource
private PasswordEncoder passwordEncoder;
// Added to the filter chain in configure() through addFilterBefore(...).
@Resource
private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
// Not referenced in the visible part of configure(); NOTE(review): confirm where
// this filter is registered relative to the JWT filter.
@Resource
private DataEncryptWrapperFilter dataEncryptWrapperFilter;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = httpSecurity
.authorizeRequests();
// 白名单
for (String url : ignoreUrlsConfig()) {
registry.antMatchers(url).permitAll();
}
// 允许跨域请求的OPTIONS请求
registry.antMatchers(HttpMethod.OPTIONS, "/**")
.permitAll();
//初始化所有地址与权限
for (MenuCodeUriResDTO urlAuth : authUrl()) {
registry.antMatchers(urlAuth.getRequestUri()).hasAuthority(urlAuth.getAuthorityCode());
}
registry
//所有请求必须认证,除了白名单
.anyRequest().authenticated()
// 关闭跨站请求防护及不使用session
.and()
.csrf()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
// 自定义权限拒绝处理类
.and()
.exceptionHandling()
//未登录或登录过期
.authenticationEntryPoint(restAuthenticationEntryPoint)
.and()
// 自定义权限拦截器JWT过滤器 before在什么之前加。。
.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthentic