依赖
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency>Spring Security配置
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { public static final String AUTHENTICATION_HEADER_NAME = "Authorization"; public static final String AUTHENTICATION_URL = "/api/auth/login"; public static final String REFRESH_TOKEN_URL = "/api/auth/token"; public static final String API_ROOT_URL = "/api/**"; @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint; @Autowired private AuthenticationSuccessHandler successHandler; @Autowired private AuthenticationFailureHandler failureHandler; @Autowired private AjaxAuthenticationProvider ajaxAuthenticationProvider; @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider; @Autowired private TokenExtractor tokenExtractor; @Autowired private AuthenticationManager authenticationManager; @Autowired private ObjectMapper objectMapper; protected AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter(String loginEntryPoint) throws Exception { AjaxLoginProcessingFilter filter = new AjaxLoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper); filter.setAuthenticationManager(this.authenticationManager); return filter; } protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(List<String> pathsToSkip, String pattern) throws Exception { SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, pattern); JwtTokenAuthenticationProcessingFilter filter = new JwtTokenAuthenticationProcessingFilter(failureHandler, tokenExtractor, matcher); filter.setAuthenticationManager(this.authenticationManager); return filter; } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(AuthenticationManagerBuilder auth) { auth.authenticationProvider(ajaxAuthenticationProvider); auth.authenticationProvider(jwtAuthenticationProvider); } @Override protected void configure(HttpSecurity http) throws Exception { List<String> permitAllEndpointList = Arrays.asList( AUTHENTICATION_URL, REFRESH_TOKEN_URL, "/console" ); http .csrf().disable() // 我们不需要基于CSWF的JWT认证 .exceptionHandling() .authenticationEntryPoint(this.authenticationEntryPoint) .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() .antMatchers(permitAllEndpointList.toArray(new String[permitAllEndpointList.size()])) .permitAll() .and() .authorizeRequests() .antMatchers(API_ROOT_URL).authenticated() // Protected API End-points .and() .addFilterBefore(new CustomCorsFilter(), UsernamePasswordAuthenticationFilter.class) .addFilterBefore(buildAjaxLoginProcessingFilter(AUTHENTICATION_URL), UsernamePasswordAuthenticationFilter.class) .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(permitAllEndpointList, API_ROOT_URL), UsernamePasswordAuthenticationFilter.class); } }通过 @EnableWebMvcSecurity 注解开启Spring Security的功能
继承 WebSecurityConfigurerAdapter ,并重写它的方法来设置一些web安全的细节configure(HttpSecurity http) 方法 通过 authorizeRequests() 定义哪些URL需要被保护、哪些不需要被保护。例如以上代码指定了 / 和 /home 不需要任何认证就可以访问,其他的路径都必须通过身份验证。通过 formLogin() 定义当需要用户登录时候,转到的登录页面。configureGlobal(AuthenticationManagerBuilder auth) 方法,在内存中创建了一个用户,该用户的名称为user,密码为password,用户角色为USER。
