feat:
parent
1790b245fe
commit
9099e915db
@ -18,6 +18,10 @@ public class CorsConfig {
config.setAllowCredentials(true); // 允许凭证
config.addAllowedMethod("*"); // 允许所有方法
config.addAllowedHeader("*"); // 允许所有头
// 允许跨域的头
config.addExposedHeader("Authorization");
// 预检请求的缓存时间
config.setMaxAge(3600L);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config); // 对所有路径应用配置
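Review bot: `config.setAllowCredentials(true)` together with `addAllowedMethod("*")` and `addAllowedHeader("*")`, registered for `/**`, leaves the allowed-origin list (set above this hunk and not visible here) as the only thing deciding which sites may make credentialed calls to every endpoint. That list must be an explicit allowlist: Spring rejects `addAllowedOrigin("*")` when credentials are enabled (IllegalArgumentException at validation), and `setAllowedOriginPatterns("*")` would be accepted but grants every origin credentialed access. Exposing `Authorization` on the response is only needed if the server actually returns tokens in that header; if it does not, drop that line. I'd put a comment above the credentials line: `// credentials + wildcard headers/methods: allowedOrigins must be an explicit allowlist, never "*" or a "*" pattern`. The enclosing method starts before this hunk.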
@ -5,6 +5,7 @@ import com.guwan.backend.security.JwtAuthenticationFilter;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@ -15,6 +16,7 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.config.Customizer;
/**
* Spring Security 安全配置类
@ -38,16 +40,17 @@ public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable) // 禁用CSRF保护
.cors(AbstractHttpConfigurer::disable) // 禁用CORS保护
.cors(Customizer.withDefaults()) // 启用CORS
.csrf(AbstractHttpConfigurer::disable)
.sessionManagement(session ->
session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) // 使用无状态会话
session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(auth -> auth
.requestMatchers(SecurityConstants.WHITE_LIST.toArray(new String[0])).permitAll() // 配置API白名单
.requestMatchers(SecurityConstants.STATIC_RESOURCES.toArray(new String[0])).permitAll() // 配置静态资源白名单
.anyRequest().authenticated() // 其他所有请求都需要认证
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll() // 允许所有OPTIONS请求
.requestMatchers(SecurityConstants.WHITE_LIST.toArray(new String[0])).permitAll()
.requestMatchers(SecurityConstants.STATIC_RESOURCES.toArray(new String[0])).permitAll()
.anyRequest().authenticated()
)
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class); // 添加JWT过滤器
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
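Review bot: `.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()` lets any unauthenticated OPTIONS request through to every path, not only CORS preflights. With `.cors(Customizer.withDefaults())` now enabled, Spring Security's CorsFilter already runs ahead of authorization and answers genuine preflights (requests carrying `Origin` and `Access-Control-Request-Method`) from the `CorsConfigurationSource` bean, so the blanket rule is not needed for CORS to work and only widens the unauthenticated surface to any handler that accepts OPTIONS. I'd drop that line, or if it is kept on purpose, document it: `// permits non-preflight OPTIONS too; real preflights are already answered by the CorsFilter`. CSRF stays disabled, which is fine for bearer tokens sent in the Authorization header but not if the JWT is ever carried in a cookie; since CorsConfig sets `allowCredentials(true)`, that assumption deserves a comment next to `.csrf(AbstractHttpConfigurer::disable)`.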
@ -52,6 +52,13 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain) throws ServletException, IOException {
// 处理OPTIONS请求
if (request.getMethod().equals(HttpMethod.OPTIONS.name())) {
response.setStatus(HttpServletResponse.SC_OK);
chain.doFilter(request, response);
return;
}
String path = request.getServletPath();
// 如果是白名单路径,直接放行
@ -61,9 +68,6 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
}
try {
if (HttpMethod.OPTIONS.toString().equals(request.getMethod())) {
return;
}
// 验证token
String authHeader = request.getHeader("Authorization");
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
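Review bot: The new OPTIONS branch at the top of `doFilterInternal` calls `response.setStatus(HttpServletResponse.SC_OK)` and then continues the chain, so the status is written to a response that downstream code may still rewrite, and every OPTIONS request skips the token check unconditionally. Since SecurityConfig enables `.cors()`, the CorsFilter runs earlier in the chain than this filter and genuine preflights never reach it; what does reach it is a non-preflight OPTIONS request, which is waved through without authentication. If the intent is only to avoid rejecting preflights, the branch can be reduced to `chain.doFilter(request, response); return;` with the `setStatus` line dropped, or removed entirely so the CorsFilter and the authorization rules decide. `doFilterInternal` starts at the hunk's first line and continues past the second hunk, so the remainder of the token handling is not visible here.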