bug 修改

This commit is contained in:
jiang 2025-08-24 19:23:06 +08:00
parent 4e7787bb29
commit 31f2cef0a3
1 changed files with 35 additions and 5 deletions


@ -14,13 +14,16 @@ import org.springframework.security.config.annotation.method.configuration.Enabl
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
/**
* SpringSecurity配置类
*
* @Author
* @CreateTime 2023/09/12
*/
@ -68,18 +71,20 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
/**
* 加密方式
*
* @Author
* @CreateTime 2023/09/12
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder(){
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
/**
* 注入自定义PermissionEvaluator
*/
@Bean
public DefaultWebSecurityExpressionHandler userSecurityExpressionHandler(){
public DefaultWebSecurityExpressionHandler userSecurityExpressionHandler() {
DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
handler.setPermissionEvaluator(new UserPermissionEvaluator());
return handler;
@ -89,11 +94,33 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
* 配置登录验证逻辑
*/
@Override
protected void configure(AuthenticationManagerBuilder auth){
protected void configure(AuthenticationManagerBuilder auth) {
//这里可启用我们自己的登陆验证逻辑
auth.authenticationProvider(userAuthenticationProvider);
}
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.headers(headers -> headers
// ClickJacking
.frameOptions(frame -> frame.deny())
// CSP 配置
.contentSecurityPolicy(csp -> csp
.policyDirectives("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors 'none';")
)
// 其他安全头
.xssProtection(xss -> xss.block(true))
.contentTypeOptions(withDefaults -> {
})
.httpStrictTransportSecurity(hsts -> hsts
.includeSubDomains(true)
.maxAgeInSeconds(31536000) // 1年
)
);
return http.build();
}
/**
* 添加-App登录-用户名和密码登陆验证的过滤器
*/
@ -117,17 +144,19 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
filter.setAuthenticationFailureHandler(userLoginFailureHandler);
return filter;
}
/**
* 配置security的控制逻辑
*
* @Author
* @CreateTime 2023/09/12
* @Param http 请求
* @Param http 请求
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// 不进行权限验证的请求或资源(从配置文件中读取)
.antMatchers("/", "/**","/favicon.ico","/config/**","/login/**").permitAll()
.antMatchers("/", "/**", "/favicon.ico", "/config/**", "/login/**").permitAll()
// 其他的需要登陆后才能访问
.anyRequest().authenticated()
.and()
@ -157,6 +186,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
.and()
// 取消跨站请求伪造防护
.csrf().disable();
// 基于Token不需要session
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 禁用缓存
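Review bot: The `SecurityFilterChain filterChain(HttpSecurity http)` bean added in the third hunk lives in a class that still extends `WebSecurityConfigurerAdapter` and overrides `configure(HttpSecurity)`, so it registers a second filter chain rather than adding headers to the existing one; as far as I recall, the Spring Security 5.4–5.7 releases that accept a `SecurityFilterChain` bean refuse to start when a `WebSecurityConfigurerAdapter` is also present ("Found WebSecurityConfigurerAdapter as well as SecurityFilterChain"), and even where both were tolerated the new chain carries no `authorizeRequests()` rules while the adapter's chain receives none of the new CSP, frame-deny or HSTS headers. The safer shape is to delete the bean and call the same `http.headers(headers -> headers.frameOptions(...)...)` block at the top of the existing `configure(HttpSecurity http)` override, so the headers apply to the chain that actually handles requests. The `permitAll()` line rewritten in the fourth hunk, `.antMatchers("/", "/**", "/favicon.ico", "/config/**", "/login/**").permitAll()`, also keeps `"/**"`, which matches every request and leaves the following `.anyRequest().authenticated()` unreachable; if that is intentional because the token filter enforces access, a comment saying so would help, otherwise drop `"/**"`. `configure(HttpSecurity)` starts and ends outside the hunks shown.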