feat:
parent
1790b245fe
commit
9099e915db
|
@ -18,6 +18,10 @@ public class CorsConfig {
|
||||||
config.setAllowCredentials(true); // 允许凭证
|
config.setAllowCredentials(true); // 允许凭证
|
||||||
config.addAllowedMethod("*"); // 允许所有方法
|
config.addAllowedMethod("*"); // 允许所有方法
|
||||||
config.addAllowedHeader("*"); // 允许所有头
|
config.addAllowedHeader("*"); // 允许所有头
|
||||||
|
// 允许跨域的头
|
||||||
|
config.addExposedHeader("Authorization");
|
||||||
|
// 预检请求的缓存时间
|
||||||
|
config.setMaxAge(3600L);
|
||||||
|
|
||||||
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
|
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
|
||||||
source.registerCorsConfiguration("/**", config); // 对所有路径应用配置
|
source.registerCorsConfiguration("/**", config); // 对所有路径应用配置
|
||||||
|
|
|
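Review bot: With `config.setAllowCredentials(true)` and the wildcard `addAllowedMethod("*")`/`addAllowedHeader("*")` in the context lines, the allowed-origin setting, which sits above the hunk and is not visible here, is the only thing limiting credentialed cross-origin access to everything registered at `/**`; if that setting is a wildcard origin pattern, any site can issue credentialed requests. The origins should be an explicit list driven by configuration, e.g. `config.setAllowedOrigins(List.of(frontendOrigin));` with `frontendOrigin` injected from a property (placeholder name). The new `config.addExposedHeader("Authorization")` also deserves a comment stating why browser scripts must read the response Authorization header, since exposing it is only needed when the server returns the token in that header, e.g. `// expose Authorization so the frontend can read a token returned in the response header — confirm the login endpoint actually sets it`.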
@ -5,6 +5,7 @@ import com.guwan.backend.security.JwtAuthenticationFilter;
|
||||||
import lombok.RequiredArgsConstructor;
|
import lombok.RequiredArgsConstructor;
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.http.HttpMethod;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
|
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
@ -15,6 +16,7 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
||||||
import org.springframework.security.crypto.password.PasswordEncoder;
|
import org.springframework.security.crypto.password.PasswordEncoder;
|
||||||
import org.springframework.security.web.SecurityFilterChain;
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
||||||
|
import org.springframework.security.config.Customizer;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Spring Security 安全配置类
|
* Spring Security 安全配置类
|
||||||
|
@ -38,16 +40,17 @@ public class SecurityConfig {
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.csrf(AbstractHttpConfigurer::disable) // 禁用CSRF保护
|
.cors(Customizer.withDefaults()) // 启用CORS
|
||||||
.cors(AbstractHttpConfigurer::disable) // 禁用CORS保护
|
.csrf(AbstractHttpConfigurer::disable)
|
||||||
.sessionManagement(session ->
|
.sessionManagement(session ->
|
||||||
session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) // 使用无状态会话
|
session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
|
||||||
.authorizeHttpRequests(auth -> auth
|
.authorizeHttpRequests(auth -> auth
|
||||||
.requestMatchers(SecurityConstants.WHITE_LIST.toArray(new String[0])).permitAll() // 配置API白名单
|
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll() // 允许所有OPTIONS请求
|
||||||
.requestMatchers(SecurityConstants.STATIC_RESOURCES.toArray(new String[0])).permitAll() // 配置静态资源白名单
|
.requestMatchers(SecurityConstants.WHITE_LIST.toArray(new String[0])).permitAll()
|
||||||
.anyRequest().authenticated() // 其他所有请求都需要认证
|
.requestMatchers(SecurityConstants.STATIC_RESOURCES.toArray(new String[0])).permitAll()
|
||||||
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class); // 添加JWT过滤器
|
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
|
||||||
|
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
|
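Review bot: The new `.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()` is most likely redundant with the `.cors(Customizer.withDefaults())` added two lines above: Spring Security's CORS support places a CorsFilter ahead of authorization and that filter answers valid preflight requests itself, so the matcher mainly lets non-preflight OPTIONS requests reach protected handlers without authentication. I would drop the matcher, or if it is kept, comment the concrete case it serves. The new side also strips the inline comments that the old side had; `.csrf(AbstractHttpConfigurer::disable)` in particular should keep one, e.g. `// CSRF disabled: auth is a stateless Bearer token in the Authorization header, no session cookie is issued`, a justification that only holds if the JWT is never carried in a cookie, which this hunk cannot confirm.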
@ -52,6 +52,13 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
|
||||||
protected void doFilterInternal(HttpServletRequest request,
|
protected void doFilterInternal(HttpServletRequest request,
|
||||||
HttpServletResponse response,
|
HttpServletResponse response,
|
||||||
FilterChain chain) throws ServletException, IOException {
|
FilterChain chain) throws ServletException, IOException {
|
||||||
|
// 处理OPTIONS请求
|
||||||
|
if (request.getMethod().equals(HttpMethod.OPTIONS.name())) {
|
||||||
|
response.setStatus(HttpServletResponse.SC_OK);
|
||||||
|
chain.doFilter(request, response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
String path = request.getServletPath();
|
String path = request.getServletPath();
|
||||||
|
|
||||||
// 如果是白名单路径,直接放行
|
// 如果是白名单路径,直接放行
|
||||||
|
@ -61,9 +68,6 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
if (HttpMethod.OPTIONS.toString().equals(request.getMethod())) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
// 验证token
|
// 验证token
|
||||||
String authHeader = request.getHeader("Authorization");
|
String authHeader = request.getHeader("Authorization");
|
||||||
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
|
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
|
||||||
|
|
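Review bot: The added OPTIONS branch at the top of `doFilterInternal` calls `response.setStatus(HttpServletResponse.SC_OK)` and then `chain.doFilter(request, response)`, so the status is set before downstream filters and handlers run and can be overwritten by them; the line is misleading about who decides the response and should be removed, leaving the early `chain.doFilter(request, response); return;`. The branch also skips the JWT check for every OPTIONS request, not only CORS preflights, which duplicates what Spring Security's CorsFilter already does once `.cors(Customizer.withDefaults())` is enabled in SecurityConfig; if it stays, a comment like `// OPTIONS never carries a Bearer token; let CorsFilter and the security matchers decide the response` would record that intent. `doFilterInternal` continues past the end of the first hunk; the second hunk of this section removes the old in-`try` OPTIONS `return`, which ended the chain without calling `chain.doFilter`.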