添加JWT依赖并实现token生成与验证功能 在控制器方法上添加权限注解保护API端点 更新安全配置以集成JWT过滤器 移除无用的编码测试工具类 修改JWT相关配置为更安全的设置
package com.qf.myafterprojecy.config;
import javax.ws.rs.HttpMethod;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
/**
* Spring Security配置类
* 配置权限管理功能
*/
@Configuration
@EnableWebSecurity
// 启用方法级别的安全控制
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private PasswordEncoder passwordEncoder;
@Autowired
private JwtAuthenticationFilter jwtAuthenticationFilter;
/**
* 配置AuthenticationManager Bean
* 使用AuthenticationConfiguration来获取认证管理器,这是更现代的方式
*/
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
/**
* 配置安全过滤器链
* @param http HttpSecurity对象,用于配置HTTP安全策略
* @return 配置好的SecurityFilterChain对象
* @throws Exception 配置过程中可能出现的异常
*/
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
// 禁用CSRF保护(对于API服务通常不需要)
.csrf().disable()
// 配置URL访问权限
.authorizeRequests()
// 允许公开访问的路径
// 公开get请求
.antMatchers(HttpMethod.GET,"/api/auth/**").permitAll()
.antMatchers(HttpMethod.GET,"/api/help/**").permitAll()
.antMatchers(HttpMethod.GET,"/api/category-attributes/**").permitAll()
.antMatchers(HttpMethod.GET,"/api/markdowns/**").permitAll()
.antMatchers(HttpMethod.GET,"/api/articles/**").permitAll()
.antMatchers(HttpMethod.GET,"/api/messages/**").permitAll()
.antMatchers(HttpMethod.GET,"/api/categories/**").permitAll()
// 公开post请求
.antMatchers(HttpMethod.POST,"/api/messages/**").permitAll()
.antMatchers(HttpMethod.POST,"/api/users/**").permitAll()
// 管理员才能访问的路径
.antMatchers("/api/admin/**").hasRole("ADMIN")
// 其他所有请求都需要认证
.anyRequest().authenticated()
.and()
// 配置会话管理,使用无状态会话
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 添加JWT认证过滤器
http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
// 确保Spring Security不会添加额外的CharacterEncodingFilter
// 因为我们在CharacterEncodingConfig中已经配置了自定义的过滤器
http.addFilterBefore((request, response, chain) -> {
// 确保响应使用UTF-8编码
response.setCharacterEncoding("UTF-8");
response.setContentType("text/html;charset=UTF-8");
chain.doFilter(request, response);
}, JwtAuthenticationFilter.class);
return http.build();
}
} |
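Review bot: The `HttpMethod` imported at the top of the file is `javax.ws.rs.HttpMethod`, whose `GET` and `POST` members are plain `String` constants, so every `.antMatchers(HttpMethod.GET, "/api/...")` and `.antMatchers(HttpMethod.POST, "/api/...")` call in `filterChain` binds to the `antMatchers(String...)` overload and is read as two path patterns ("GET" and the path) that match any HTTP method; the per-method restriction is silently lost, and for example POST/PUT/DELETE requests to `/api/articles/**` or `/api/categories/**` fall under `permitAll()` rather than `anyRequest().authenticated()`. Replacing the import with `import org.springframework.http.HttpMethod;` selects the `antMatchers(HttpMethod, String...)` overload and restores the intended rules. Independently, `.antMatchers(HttpMethod.POST, "/api/users/**").permitAll()` opens every POST under `/api/users` to anonymous callers, which is broader than a registration endpoint needs; if registration is the intent, match the exact path instead of `/**`. The lambda filter registered before `JwtAuthenticationFilter` also forces `text/html;charset=UTF-8` on every response, which controller message converters presumably override but which will remain the content type of 401/403 responses written by the security chain; `response.setCharacterEncoding("UTF-8")` alone achieves the stated goal. The comment above that filter also overstates what it does — it adds a filter, it does not suppress any `CharacterEncodingFilter` Spring Security or Boot registers — so it should be reworded to `// Force UTF-8 on responses written before the controller runs`.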