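@Configuration
@EnableWebSecurity // enable Spring Security's web support
@EnableGlobalMethodSecurity(prePostEnabled = true) // enable @PreAuthorize/@PostAuthorize on methods
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Defines the HTTP security policy.
     *
     * <p>The login flow is selected by the {@code app.login.type} property: the value
     * {@code "oauth"} (compared case-insensitively) selects the {@code MyOauthClient}
     * entry point, any other value or a missing property selects the {@code CasClient}
     * entry point. Both branches require authentication for every request, register
     * the callback filter before {@link BasicAuthenticationFilter} and a
     * {@code CoreFilter} after it, enable CORS (the actual CORS rules must come from a
     * bean configured elsewhere — not visible in this class) and keep the CSRF token in
     * a cookie created with {@code withHttpOnlyFalse()}, i.e. the cookie is readable by
     * front-end JavaScript so it can be echoed back in the CSRF header; the trade-off
     * is that any script running on the page can read that token too.
     *
     * @param http the builder for the security filter chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): the original also read "cas.server.enable" into a local that was
        // never used; the branch below is chosen solely by app.login.type.
        final MyCallbackFilter callbackFilter = new MyCallbackFilter(config);
        callbackFilter.setMultiProfile(true);
        callbackFilter.setSaveInSession(true);

        // Read the property once. equalsIgnoreCase is null-safe (a missing property
        // falls through to the CAS branch, as before) and locale-independent, unlike
        // the default-locale toLowerCase() it replaces.
        final String loginType = env.getProperty("app.login.type");
        if ("oauth".equalsIgnoreCase(loginType)) {
            http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(new Pac4jEntryPoint(config, "MyOauthClient"))
                .and()
                .addFilterBefore(callbackFilter, BasicAuthenticationFilter.class)
                .addFilterAfter(new CoreFilter(), BasicAuthenticationFilter.class)
                .cors() // CORS settings
                .and()
                .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        } else {
            http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(new Pac4jEntryPoint(config, "CasClient"))
                .and()
                .addFilterBefore(callbackFilter, BasicAuthenticationFilter.class)
                .addFilterAfter(new CoreFilter(), BasicAuthenticationFilter.class)
                .formLogin() // form-based login
                .and()
                // logout is open to everyone and ends at the CAS server's logout URL
                .logout().permitAll()
                .logoutSuccessUrl(casProperties.getCasServerLogoutUrl())
                .and()
                .cors() // CORS settings
                .and()
                .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // CSRF checks are skipped for this path. That is only acceptable if the
                // endpoint is read-only (no state change on POST) — confirm before
                // adding further paths to this exemption.
                .ignoringAntMatchers("/user/getUserInfo");
        }
    }

    // Kept for reference: a separately registered CsrfFilter is not needed, because
    // csrf().csrfTokenRepository(...) above already installs the CSRF filter.
    // @Bean
    // public FilterRegistrationBean csrfFilter() {
    // FilterRegistrationBean registration = new FilterRegistrationBean();
    // //registration.setFilter(new CsrfFilter(new CookieCsrfTokenRepository()));
    // registration.setFilter(new CsrfFilter(new HttpSessionCsrfTokenRepository()));
    // registration.addUrlPatterns("/user/save");
    // return registration;
    // }
}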
注释掉的FilterRegistrationBean不需要了,因为前面已经配置了csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()),其内部同样会走CsrfFilter过滤器。
而且一般CsrfTokenRepository有3种,这里只介绍2种:CookieCsrfTokenRepository和HttpSessionCsrfTokenRepository。CookieCsrfTokenRepository是把token放在cookie中,前端直接从cookie里取;HttpSessionCsrfTokenRepository是把token放到session里,但前端不能直接从session取值,所以这种方式适用于前后端不分离的项目;如果是前后端分离的项目,则需要单独再提供一个getToken的接口。
目前有些前端ajax库会自动将x-xsrf-token设置到请求头中,是否支持需视所用前端js库及其版本而定。