login 404
login 返回 404，是因为在 AUTH_WHITELIST 放行的 URL 中加入了 /login。
RBAC 不生效，是因为在 AUTH_WHITELIST 放行的 URL 中加入了 /error。
AUTH_WHITELIST 中的 URL 会跳过 RBAC 检查，但 JwtFilter 并不会跳过它们：login 请求仍然会经过该 filter，原因未知。
package com.bmsoft.behavioranalysis.server.tenant.common.config;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAccessDeniedHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAuthenticationEntryPoint;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAuthenticationFailureHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxAuthenticationSuccessHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.hander.AjaxLogoutSuccessHandler;
import com.bmsoft.behavioranalysis.server.tenant.security.login.CustomAuthenticationProvider;
import com.bmsoft.behavioranalysis.server.tenant.security.permission.JwtAuthenticationTokenFilter;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
/**
 * Spring Security configuration for the tenant server.
 *
 * <p>Builds a stateless, JWT-based filter chain: every authentication outcome
 * (entry point, success, failure, logout, access denied) is answered with the
 * JSON-producing Ajax handlers instead of Spring's default HTML pages, and every
 * request that reaches the chain is decided by the RBAC authority bean.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize on methods
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * URL patterns excluded from the Spring Security filter chain through
     * {@code WebSecurity#ignoring()} (see {@link #configure(WebSecurity)}).
     *
     * <p>A request matching one of these patterns bypasses the whole security
     * filter chain: it gets no authentication, no RBAC {@code access(...)}
     * evaluation, and the JWT filter registered in {@link #configure(HttpSecurity)}
     * is not applied to it. Wildcard entries such as {@code /api/**} and
     * {@code /druid/**} therefore publish everything beneath them.
     * NOTE(review): confirm each entry is meant to be reachable without a token.
     */
    private static final String[] AUTH_WHITELIST = {
        "/druid/**",
        "/v2/api-docs/**",
        "/swagger-resources/**",
        "/configuration/ui/**",
        "/configuration/security/**",
        "/swagger-ui.html/swagger-resources",
        "/swagger-ui.html",
        "/webjars/**",
        "/index.html",
        "/static/**",
        "/api/**",
        "/login_p",
        "/serverTenant/login",
        "/serverTenant/sysTenant/getTenantName",
        "/serverTenant/sysTenantDetail/getPlateSuccessCode",
        "/serverTenant/sysTenantDetail/getUrl",
        "/menu/menu",
        "/doLogin",
        "/",
        "/csrf"
    };

    // Unauthenticated request: respond with JSON instead of the default HTML page.
    @Autowired
    private AjaxAuthenticationEntryPoint authenticationEntryPoint;

    // Successful login: respond with JSON instead of the default HTML redirect.
    @Autowired
    private AjaxAuthenticationSuccessHandler authenticationSuccessHandler;

    // Failed login: respond with JSON instead of the default HTML page.
    @Autowired
    private AjaxAuthenticationFailureHandler authenticationFailureHandler;

    // Successful logout: respond with JSON instead of redirecting to the login page.
    @Autowired
    private AjaxLogoutSuccessHandler logoutSuccessHandler;

    // Authenticated but not authorized: respond with JSON instead of the 403 HTML page.
    @Autowired
    private AjaxAccessDeniedHandler accessDeniedHandler;

    // Reads the JWT from the request and populates the security context.
    @Autowired
    private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;

    // Validates login credentials; the only provider registered with the manager.
    @Autowired
    private CustomAuthenticationProvider authenticationProvider;

    // Attaches request details to the form-login authentication token.
    @Autowired
    private AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource;

    /**
     * Registers the custom authentication provider that validates login credentials.
     *
     * @param auth builder for the application's {@code AuthenticationManager}
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    /**
     * Removes every {@link #AUTH_WHITELIST} pattern from the security filter chain.
     *
     * @param web the web-level security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(AUTH_WHITELIST);
    }

    /**
     * Assembles the HTTP filter chain: stateless sessions, JSON handlers for every
     * authentication outcome, dynamic RBAC for all requests, and the JWT filter in
     * front of the username/password filter.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // JWT authentication is stateless: no server-side session is created, and the
        // session-bound CSRF token protection is switched off.
        // NOTE(review): disabling CSRF is only appropriate while no cookie-carried
        // credential is accepted by this chain — confirm.
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // HTTP Basic remains enabled as a second credential path; unauthenticated
        // requests get the JSON entry point rather than the browser challenge page.
        http.httpBasic().authenticationEntryPoint(authenticationEntryPoint);

        // Every request that reaches the chain is decided by the RBAC bean.
        // "/index.html" is already excluded at the WebSecurity level, so the
        // permitAll below never matches in practice; kept for parity.
        http.authorizeRequests()
            .antMatchers("/index.html").permitAll()
            .anyRequest().access("@rbacauthorityservice.hasPermission(request,authentication)");

        http.formLogin()
            .successHandler(authenticationSuccessHandler)
            .failureHandler(authenticationFailureHandler)
            .permitAll()
            .authenticationDetailsSource(authenticationDetailsSource);

        http.logout()
            .logoutUrl("/logout")
            .logoutSuccessHandler(logoutSuccessHandler)
            .permitAll();

        http.exceptionHandling().accessDeniedHandler(accessDeniedHandler);

        // The JWT filter runs ahead of the form-login filter so a bearer token can
        // authenticate the request before any credential-based processing.
        // NOTE(review): if JwtAuthenticationTokenFilter is also a Spring bean
        // (e.g. annotated @Component), Spring Boot registers it a second time as a
        // plain servlet filter outside this chain, which would make it run even for
        // AUTH_WHITELIST URLs — confirm; a FilterRegistrationBean with
        // setEnabled(false) suppresses that duplicate registration.
        http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
    }
}