修复匿名访问控制只允许匿名访问的问题。

next:
允许 匿名和带权限以及登录用户访问
done
pull/135/head
Your Name 2019-09-30 16:06:35 +08:00
parent 5c8f4b5e46
commit 1e795f4b8a
2 changed files with 4 additions and 11 deletions


@ -92,13 +92,14 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
// 搜寻 匿名标记 url PreAuthorize("hasAnyRole('ROLE_ANONYMOUS')") 和 AnonymousAccess
Map<RequestMappingInfo, HandlerMethod> handlerMethodMap = applicationContext.getBean(RequestMappingHandlerMapping.class).getHandlerMethods();
Set<String> anonymousUrls = new HashSet<>();
for (Map.Entry<RequestMappingInfo, HandlerMethod> infoEntry : handlerMethodMap.entrySet()) {
HandlerMethod handlerMethod = infoEntry.getValue();
AnonymousAccess anonymousAccess = handlerMethod.getMethodAnnotation(AnonymousAccess.class);
PreAuthorize preAuthorize = handlerMethod.getMethodAnnotation(PreAuthorize.class);
// PreAuthorize("hasAnyRole('ROLE_ANONYMOUS')") 和 AnonymousAccess
if (null != preAuthorize && preAuthorize.value().contains("ROLE_ANONYMOUS")) {
anonymousUrls.addAll(infoEntry.getKey().getPatternsCondition().getPatterns());
} else if (null != anonymousAccess && null == preAuthorize) {
@ -140,8 +141,6 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
.antMatchers("/*/api-docs").anonymous()
// swagger end
// 接口限流测试
.antMatchers("/test/**").anonymous()
// 文件
.antMatchers("/avatar/**").anonymous()
.antMatchers("/file/**").anonymous()
@ -150,8 +149,8 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
.antMatchers(HttpMethod.OPTIONS, "/**").anonymous()
.antMatchers("/druid/**").anonymous()
// 自定义匿名访问所有url放行
.antMatchers(anonymousUrls.toArray(new String[0])).anonymous()
// 自定义匿名访问所有url放行 允许 匿名和带权限以及登录用户访问
.antMatchers(anonymousUrls.toArray(new String[0])).permitAll()
// 所有请求都需要认证
.anyRequest().authenticated()
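Review bot: The new `.antMatchers(anonymousUrls.toArray(new String[0])).permitAll()` rule opens each collected pattern for every HTTP method, because the loop adds `infoEntry.getKey().getPatternsCondition().getPatterns()` without consulting the mapping's method condition. If another handler shares a path with an anonymous-marked one (for example a GET carrying `@AnonymousAccess` next to a POST with no `@PreAuthorize`), that handler is also exempt from `.anyRequest().authenticated()`. Consider grouping the patterns by `infoEntry.getKey().getMethodsCondition().getMethods()` and registering them through `antMatchers(HttpMethod, String...)`. Separately, `preAuthorize.value().contains("ROLE_ANONYMOUS")` is a substring test, so any expression that merely mentions the role (a negation, say) is collected too, and protection of that URL then rests entirely on method security being enabled. The loop body continues past the end of the first hunk, so the `@AnonymousAccess` branch could not be checked here.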


@ -5,9 +5,7 @@ import lombok.extern.slf4j.Slf4j;
import me.zhengjie.modules.security.utils.JwtTokenUtil;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
@ -63,10 +61,6 @@ public class JwtAuthorizationTokenFilter extends OncePerRequestFilter {
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
} else {
// AnonymousAuthenticationToken anonymousAuthenticationToken = new AnonymousAuthenticationToken("anonymous", "anonymousUser", AuthorityUtils.createAuthorityList(new String[]{"ROLE_ANONYMOUS"}));
// anonymousAuthenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
// SecurityContextHolder.getContext().setAuthentication(anonymousAuthenticationToken);
}
chain.doFilter(request, response);
}