WebSecurityConfig.java
4.51 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
package com.bsth.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.embedded.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import com.bsth.common.Constants;
import com.bsth.security.filter.LoginInterceptor;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailServiceImpl customUserDetailService;
@Autowired
CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
SecurityMetadataSourceService securityMetadataSourceService;
@Override
public void configure(WebSecurity web) throws Exception {
// 白名单
web.ignoring().antMatchers(Constants.LOGIN_PAGE, Constants.LOGIN, Constants.ASSETS_URL, Constants.FAVICON_URL, Constants.CAPTCHA,
Constants.SERVICE_INTERFACE, Constants.METRONIC_URL, Constants.LOGIN_FAILURE, Constants.UPSTREAM_URL, Constants.XD_CHILD_PAGES, Constants.UP_RFID_URL,Constants.STATION_AND_SECTION_COUNT);
}
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.userDetailsService(customUserDetailService).passwordEncoder(
new BCryptPasswordEncoder(4));
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/").permitAll().anyRequest()
.authenticated().and()
.formLogin()
//指定登录页
.loginPage(Constants.LOGIN_PAGE)
.loginProcessingUrl(Constants.LOGIN).permitAll()
.and().logout()
//禁用CXRF
.and().csrf().disable()
//禁用匿名用户功能
.anonymous().disable()
//允许同源 iframe
.headers().frameOptions().sameOrigin().httpStrictTransportSecurity().disable();
// 同时只保持一个回话
http.sessionManagement().maximumSessions(1)
.expiredUrl(Constants.LOGIN_PAGE + "?error=true")
.maxSessionsPreventsLogin(false)//让之前的登录过期
.sessionRegistry(sessionRegistry());
http.addFilterBefore(new LoginInterceptor(), FilterSecurityInterceptor.class);
http.addFilter(filterSecurityInterceptor());
}
private FilterSecurityInterceptor filterSecurityInterceptor()
throws Exception {
FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
filterSecurityInterceptor
.setAccessDecisionManager(customAccessDecisionManager);
filterSecurityInterceptor
.setSecurityMetadataSource(securityMetadataSourceService);
filterSecurityInterceptor
.setAuthenticationManager(authenticationManager());
return filterSecurityInterceptor;
}
/* @Bean
public LoginSuccessHandler loginSuccessHandler(){
return new LoginSuccessHandler();
}*/
/* @Bean
public LogoutHandler logoutHandler(){
return new CustomLogoutHandler();
}*/
@Bean
public SessionRegistry sessionRegistry() {
SessionRegistry sessionRegistry = new SessionRegistryImpl();
return sessionRegistry;
}
@Bean
public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(
new HttpSessionEventPublisher());
}
}