HttpSecurity: paths matched by antMatchers(...).permitAll() skip only the authorization check; the rest of the filter chain (CSRF, security headers, session management) still runs for them.
WebSecurity: web.ignoring() removes matched paths from the filter chain entirely, so they receive no protection at all — no CSRF handling and no security headers (X-Frame-Options, X-Content-Type-Options, etc.). Use it only for genuinely static assets.
package com.winning.dps.df.frame.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
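@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  /**
   * Configures the HTTP filter chain.
   *
   * <p>Paths opened with {@code permitAll()} skip only the authorization check; the remaining
   * filters (security headers, session management) still run for them. Rules are evaluated in
   * declaration order and the first match wins, so the catch-all
   * {@code anyRequest().authenticated()} must stay last. Duplicate and shadowed rules from the
   * previous version (a second/third {@code /api/v1/**}, and {@code anonymous()} entries for
   * paths already opened with {@code permitAll()}) were unreachable and have been removed; the
   * effective policy is unchanged.
   *
   * <p>NOTE(review): {@code super.configure(httpSecurity)} installs the adapter defaults
   * ({@code formLogin()} and {@code httpBasic()}). No token/JWT filter is registered in this
   * class, so with a STATELESS session policy the {@code authenticated()} routes can only be
   * reached via basic auth or a filter added elsewhere — confirm which is intended and drop
   * the {@code super} call if this service is token-only.
   *
   * @param httpSecurity the {@link HttpSecurity} to modify
   * @throws Exception propagated from the Spring Security builders
   */
  @Override
  protected void configure(HttpSecurity httpSecurity) throws Exception {
    super.configure(httpSecurity);
    httpSecurity
        // CSRF is disabled. Acceptable only because sessions are STATELESS (below) and no
        // cookie-based authentication is used; re-enable it if a session cookie is ever added.
        .csrf()
        .disable()
        // Clickjacking protection is removed entirely (no X-Frame-Options). Prefer
        // frameOptions().sameOrigin() unless a third party genuinely needs to frame this app.
        .headers()
        .frameOptions()
        .disable()
        .and()
        // Never create or rely on an HttpSession.
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        // Static resources (GET only).
        .antMatchers(
            HttpMethod.GET, "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/webSocket/**")
        .permitAll()
        // Swagger / API documentation. This publishes the full API surface to anyone who can
        // reach the service; restrict or disable it in production.
        .antMatchers(
            "/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/*/doc")
        .permitAll()
        // Public API and error pages. Every endpoint under /api/v1 is reachable without
        // authentication — keep only truly public controllers under this prefix.
        .antMatchers("/api/v1/**", "/error/**")
        .permitAll()
        // File downloads and static content.
        .antMatchers("/files/**", "/static/**")
        .permitAll()
        // Druid monitoring console. SECURITY: unauthenticated access exposes executed SQL,
        // sessions, request URIs and data-source settings; restrict it to authenticated admins
        // or bind it to an internal interface.
        .antMatchers("/druid/**")
        .permitAll()
        // anonymous() is NOT permitAll(): it matches only requests with no authenticated
        // principal, so a logged-in user is denied these paths. Kept as in the original;
        // switch to permitAll() if authenticated users should reach them too.
        .antMatchers("/profile/**", "/common/download**", "/common/download/resource**")
        .anonymous()
        // OPTIONS preflight is intentionally not opened globally. If CORS is required, prefer
        // httpSecurity.cors() with a CorsConfigurationSource over a blanket permitAll on OPTIONS.
        // Everything else requires an authenticated principal.
        .anyRequest()
        .authenticated();
    // Adds Cache-Control: no-cache/no-store, Pragma and Expires headers to responses.
    httpSecurity.headers().cacheControl();
  }

  /**
   * Leaves {@code web.ignoring()} empty on purpose. Paths ignored here bypass the whole filter
   * chain, so they lose CSRF, security-header and authentication handling alike; public
   * endpoints are opened with {@code permitAll()} in the HTTP configuration instead.
   *
   * @param web the {@link WebSecurity} to modify
   * @throws Exception propagated from the Spring Security builders
   */
  @Override
  public void configure(WebSecurity web) throws Exception {
    super.configure(web);
  }
}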