package com.movie.api.filter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.regex.Pattern;
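public class CustomSecurityFilter extends OncePerRequestFilter {

    /**
     * Paths that may be reached without authentication: a path segment that is exactly
     * {@code login} or {@code public}, optionally followed by sub-paths.
     * <p>
     * The pattern is anchored to whole segments on purpose. The previous
     * {@code .*\/login.*|.*\/public.*} matched any path merely <em>containing</em> those
     * strings, so {@code /api/publications} or {@code /api/users/loginHistory} would have
     * bypassed the authentication check. The pattern is compiled once; calling
     * {@link String#matches} per request recompiles it every time.
     */
    private static final Pattern PUBLIC_PATH = Pattern.compile("(?:.*/)?(?:login|public)(?:/.*)?");

    /**
     * Excludes public/login paths from this filter entirely (the servlet chain continues
     * unchanged for them).
     * <p>
     * The match is done on the decoded servlet path plus path info rather than on
     * {@link HttpServletRequest#getRequestURI()}, which is the raw request URI (context
     * path included, percent-encoding not decoded).
     *
     * @param request the current request
     * @return {@code true} when the request path is a public or login path
     */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        String path = request.getServletPath();
        String pathInfo = request.getPathInfo();
        if (pathInfo != null) {
            path = path + pathInfo;
        }
        return PUBLIC_PATH.matcher(path).matches();
    }

    /**
     * Requires an authenticated, non-anonymous {@link Authentication} in the
     * {@link SecurityContextHolder}; otherwise redirects to the login page and stops the chain.
     * <p>
     * {@code isAuthenticated()} alone is not sufficient: when Spring Security's anonymous
     * filter is active an unauthenticated visitor carries an
     * {@link AnonymousAuthenticationToken}, whose {@code isAuthenticated()} is {@code true},
     * so the original check let every anonymous request through.
     *
     * @param request     the current request
     * @param response    the current response; receives a redirect when not authenticated
     * @param filterChain the remaining filter chain, invoked only for authenticated users
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain or from {@code sendRedirect}
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!isAuthenticatedUser(authentication)) {
            // Redirect target is built from the server-side context path, not from request input.
            response.sendRedirect(request.getContextPath() + "/login?error");
            return;
        }
        filterChain.doFilter(request, response);
    }

    /** True only for a real, non-anonymous authenticated principal. */
    private static boolean isAuthenticatedUser(Authentication authentication) {
        return authentication != null
                && authentication.isAuthenticated()
                && !(authentication instanceof AnonymousAuthenticationToken);
    }
}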
package com.movie.api.config;
import com.movie.api.filter.CustomSecurityFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
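@Configuration
public class SecurityConfig {
    // other configuration ...

    /**
     * Registers {@link CustomSecurityFilter} for {@code /api/*}.
     * <p>
     * The filter reads {@code SecurityContextHolder}, which is populated only while Spring
     * Security's own filter chain is executing, so this registration has to run after that
     * chain. Spring Boot registers the Spring Security chain at a negative order
     * ({@code SecurityProperties.DEFAULT_FILTER_ORDER}); lowest precedence places this filter
     * after it. The order is set explicitly here rather than relying on the registration
     * bean's default, so the requirement is visible in the configuration.
     *
     * @return the registration for the custom filter
     */
    @Bean
    public FilterRegistrationBean<CustomSecurityFilter> customSecurityFilter() {
        FilterRegistrationBean<CustomSecurityFilter> registrationBean = new FilterRegistrationBean<>();
        registrationBean.setFilter(new CustomSecurityFilter());
        registrationBean.addUrlPatterns("/api/*");
        // Integer.MAX_VALUE is the value of Ordered.LOWEST_PRECEDENCE; used directly to avoid an import.
        registrationBean.setOrder(Integer.MAX_VALUE);
        return registrationBean;
    }
}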
// 在 SecurityConfig 中配置登录页和登录成功后的重定向
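/**
 * Configures the form-login page and the post-login / access-denied targets.
 * <p>
 * {@code permitAll()} is required: a custom {@code loginPage} is not permitted
 * automatically, so without it an unauthenticated request for {@code /login} is itself
 * redirected to {@code /login}, producing a redirect loop.
 *
 * @param http the {@code HttpSecurity} builder
 * @throws Exception propagated from the builder (signature fixed by the overridden method)
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // other configuration ...
        .formLogin()
            .loginPage("/login")                   // custom login page
            .permitAll()                           // the login page itself must be reachable unauthenticated
            .defaultSuccessUrl("/dashboard", true) // always land here after a successful login
        .and()
        .exceptionHandling()
            .accessDeniedPage("/access-denied");   // page shown when access is denied
}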