diff --git a/jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/SecurityConfig.java b/jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/SecurityConfig.java index 58af2ba22..cfd08d42f 100644 --- a/jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/SecurityConfig.java +++ b/jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/SecurityConfig.java @@ -77,26 +77,45 @@ public class SecurityConfig { @Order(1) public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { - OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); - // 注册自定义登录类型 - http.getConfigurer(OAuth2AuthorizationServerConfigurer.class) - .tokenEndpoint(tokenEndpoint -> tokenEndpoint.accessTokenRequestConverter(new PasswordGrantAuthenticationConvert()) - .authenticationProvider(new PasswordGrantAuthenticationProvider(authorizationService, tokenGenerator()))) - .tokenEndpoint(tokenEndpoint -> tokenEndpoint.accessTokenRequestConverter(new PhoneGrantAuthenticationConvert()) - .authenticationProvider(new PhoneGrantAuthenticationProvider(authorizationService, tokenGenerator()))) - .tokenEndpoint(tokenEndpoint -> tokenEndpoint.accessTokenRequestConverter(new AppGrantAuthenticationConvert()) - .authenticationProvider(new AppGrantAuthenticationProvider(authorizationService, tokenGenerator()))) - .tokenEndpoint(tokenEndpoint -> tokenEndpoint.accessTokenRequestConverter(new SocialGrantAuthenticationConvert()) - .authenticationProvider(new SocialGrantAuthenticationProvider(authorizationService, tokenGenerator()))) - //开启OpenID Connect 1.0(其中oidc为OpenID Connect的缩写)。 访问 /.well-known/openid-configuration即可获取认证信息 - .oidc(Customizer.withDefaults()); + // 使用新的配置方式替代弃用的applyDefaultSecurity + http.securityMatcher(new AntPathRequestMatcher("/oauth2/**")) + .authorizeHttpRequests(authorize -> + authorize.anyRequest().authenticated() + ) + .csrf(csrf -> csrf.disable()) + .with(new OAuth2AuthorizationServerConfigurer(), oauth2 -> { + oauth2 + .tokenEndpoint(tokenEndpoint -> tokenEndpoint + .accessTokenRequestConverter(new PasswordGrantAuthenticationConvert()) + .authenticationProvider(new PasswordGrantAuthenticationProvider(authorizationService, tokenGenerator())) + ) + .tokenEndpoint(tokenEndpoint -> tokenEndpoint + .accessTokenRequestConverter(new PhoneGrantAuthenticationConvert()) + .authenticationProvider(new PhoneGrantAuthenticationProvider(authorizationService, tokenGenerator())) + ) + .tokenEndpoint(tokenEndpoint -> tokenEndpoint + .accessTokenRequestConverter(new AppGrantAuthenticationConvert()) + .authenticationProvider(new AppGrantAuthenticationProvider(authorizationService, tokenGenerator())) + ) + .tokenEndpoint(tokenEndpoint -> tokenEndpoint + .accessTokenRequestConverter(new SocialGrantAuthenticationConvert()) + .authenticationProvider(new SocialGrantAuthenticationProvider(authorizationService, tokenGenerator())) + ) + //开启OpenID Connect 1.0(其中oidc为OpenID Connect的缩写)。 访问 /.well-known/openid-configuration即可获取认证信息 + .oidc(Customizer.withDefaults()); + }); - //将需要认证的请求,抛出异常,不跳转页面 + //请求接口异常处理:无Token和Token无效的情况 http.exceptionHandling(exceptions -> exceptions .authenticationEntryPoint((request, response, authException) -> { - // 记录详细的异常信息 - log.error("接口访问失败,请求路径:{},错误信息:{}", request.getRequestURI(), authException.getMessage(), authException); - JwtUtil.responseError(response,401,authException.getMessage()); + // 记录详细的异常信息 - 未认证 + log.error("接口访问失败(未认证),请求路径:{},错误信息:{}", request.getRequestURI(), authException.getMessage(), authException); + JwtUtil.responseError(response, 401, "Token格式错误或已过期"); + }) + .accessDeniedHandler((request, response, accessDeniedException) -> { + // 记录详细的异常信息 - token无效或权限不足 + log.error("接口访问失败(token无效或权限不足),请求路径:{},错误信息:{}", request.getRequestURI(), accessDeniedException.getMessage(), accessDeniedException); + JwtUtil.responseError(response, 403, "权限不足"); }) ); @@ -175,7 +194,7 @@ public class SecurityConfig { .requestMatchers(AntPathRequestMatcher.antMatcher("/drag/onlDragDatasetHead/getTotalDataByCompId")).permitAll() .requestMatchers(AntPathRequestMatcher.antMatcher("/drag/onlDragDatasetHead/getDictByCodes")).permitAll() .requestMatchers(AntPathRequestMatcher.antMatcher("/dragChannelSocket/**")).permitAll() - + //大屏模板例子 .requestMatchers(AntPathRequestMatcher.antMatcher("/test/bigScreen/**")).permitAll() .requestMatchers(AntPathRequestMatcher.antMatcher("/bigscreen/template1/**")).permitAll() @@ -199,13 +218,33 @@ public class SecurityConfig { return config; })) .csrf(AbstractHttpConfigurer::disable) - // 添加异常处理 + // 配置OAuth2资源服务器,并添加JWT异常处理 + .oauth2ResourceServer(oauth2 -> oauth2 + .jwt(jwt -> jwt.jwtAuthenticationConverter(jeecgAuthenticationConvert)) + .authenticationEntryPoint((request, response, authException) -> { + // 处理JWT解析失败的情况 + log.error("JWT验证失败,请求路径:{},错误信息:{}", request.getRequestURI(), authException.getMessage(), authException); + JwtUtil.responseError(response, 401, "Token格式错误或已过期"); + }) + .accessDeniedHandler((request, response, accessDeniedException) -> { + // 处理权限不足的情况 + log.error("权限验证失败,请求路径:{},错误信息:{}", request.getRequestURI(), accessDeniedException.getMessage(), accessDeniedException); + JwtUtil.responseError(response, 403, "权限不足"); + }) + ) + // 全局异常处理 .exceptionHandling(exceptions -> exceptions .authenticationEntryPoint((request, response, authException) -> { - log.error("接口访问失败,请求路径:{},错误信息:{}", request.getRequestURI(), authException.getMessage(), authException); - JwtUtil.responseError(response,401,authException.getMessage()); - })) - .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(jeecgAuthenticationConvert))); + // 记录详细的异常信息 - 未认证 + log.error("接口访问失败(未认证),请求路径:{},错误信息:{}", request.getRequestURI(), authException.getMessage(), authException); + JwtUtil.responseError(response, 401, "Token格式错误或已过期"); + }) + .accessDeniedHandler((request, response, accessDeniedException) -> { + // 记录详细的异常信息 - token无效或权限不足 + log.error("接口访问失败(token无效或权限不足),请求路径:{},错误信息:{}", request.getRequestURI(), accessDeniedException.getMessage(), accessDeniedException); + JwtUtil.responseError(response, 403, "权限不足"); + }) + ); return http.build(); } @@ -268,5 +307,4 @@ public class SecurityConfig { new OAuth2RefreshTokenGenerator() ); } - -} +} \ No newline at end of file