修复关闭接口鉴权后跨域设置失效的问题

2.6.7
648540858 2023-03-23 08:52:35 +08:00
parent 663f394177
commit a4328e3d4f
2 changed files with 27 additions and 21 deletions


@ -1,7 +1,9 @@
package com.genersoft.iot.vmp.conf.security; package com.genersoft.iot.vmp.conf.security;
import com.genersoft.iot.vmp.conf.UserSetting;
import com.genersoft.iot.vmp.conf.security.dto.JwtUser; import com.genersoft.iot.vmp.conf.security.dto.JwtUser;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
@ -22,6 +24,10 @@ import java.util.ArrayList;
public class JwtAuthenticationFilter extends OncePerRequestFilter { public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Autowired
private UserSetting userSetting;
@Override @Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
@ -31,6 +37,13 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
chain.doFilter(request, response); chain.doFilter(request, response);
return; return;
} }
if (!userSetting.isInterfaceAuthentication()) {
// 构建UsernamePasswordAuthenticationToken,这里密码为null是因为提供了正确的JWT,实现自动登录
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, null, new ArrayList<>() );
SecurityContextHolder.getContext().setAuthentication(token);
chain.doFilter(request, response);
return;
}
String jwt = request.getHeader(JwtUtils.getHeader()); String jwt = request.getHeader(JwtUtils.getHeader());
// 这里如果没有jwt继续往后走因为后面还有鉴权管理器等去判断是否拥有身份凭证所以是可以放行的 // 这里如果没有jwt继续往后走因为后面还有鉴权管理器等去判断是否拥有身份凭证所以是可以放行的
// 没有jwt相当于匿名访问若有一些接口是需要权限的则不能访问这些接口 // 没有jwt相当于匿名访问若有一些接口是需要权限的则不能访问这些接口
@ -62,9 +75,6 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
default: default:
} }
// String password = SecurityUtils.encryptPassword(jwtUser.getPassword());
// user.setPassword(password);
// 构建UsernamePasswordAuthenticationToken,这里密码为null是因为提供了正确的JWT,实现自动登录 // 构建UsernamePasswordAuthenticationToken,这里密码为null是因为提供了正确的JWT,实现自动登录
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, jwtUser.getPassword(), new ArrayList<>() ); UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, jwtUser.getPassword(), new ArrayList<>() );
SecurityContextHolder.getContext().setAuthentication(token); SecurityContextHolder.getContext().setAuthentication(token);
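Review bot: The comment above the new `if (!userSetting.isInterfaceAuthentication())` block is copied from the JWT path and no longer describes the code: no JWT is involved there, and the token is built with a null principal, null credentials and an empty authority list purely so the request continues through the rest of the security chain. Suggest replacing it with `// Interface authentication is disabled: mark the request as authenticated with an empty principal and no authorities so it still passes the remaining security filters (including CORS) instead of being ignored`. Because the three-argument `UsernamePasswordAuthenticationToken` constructor yields an authenticated token, any downstream code that unwraps `getAuthentication().getPrincipal()` expecting a user object will presumably see null in this mode, and endpoints guarded by role checks would be denied even though authentication is switched off; both cases deserve a test. doFilterInternal begins before this hunk and continues after it.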


@ -73,24 +73,20 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override @Override
public void configure(WebSecurity web) { public void configure(WebSecurity web) {
if (!userSetting.isInterfaceAuthentication()) { ArrayList<String> matchers = new ArrayList<>();
web.ignoring().antMatchers("**"); matchers.add("/");
}else { matchers.add("/#/**");
ArrayList<String> matchers = new ArrayList<>(); matchers.add("/static/**");
matchers.add("/"); matchers.add("/index.html");
matchers.add("/#/**"); matchers.add("/doc.html");
matchers.add("/static/**"); matchers.add("/webjars/**");
matchers.add("/index.html"); matchers.add("/swagger-resources/**");
matchers.add("/doc.html"); matchers.add("/v3/api-docs/**");
matchers.add("/webjars/**"); matchers.add("/js/**");
matchers.add("/swagger-resources/**"); matchers.add("/api/device/query/snap/**");
matchers.add("/v3/api-docs/**"); matchers.addAll(userSetting.getInterfaceAuthenticationExcludes());
matchers.add("/js/**"); // 可以直接访问的静态数据
matchers.add("/api/device/query/snap/**"); web.ignoring().antMatchers(matchers.toArray(new String[0]));
matchers.addAll(userSetting.getInterfaceAuthenticationExcludes());
// 可以直接访问的静态数据
web.ignoring().antMatchers(matchers.toArray(new String[0]));
}
} }
/** /**
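Review bot: Every entry in the list, including `/api/device/query/snap/**` and everything returned by `userSetting.getInterfaceAuthenticationExcludes()`, still goes through `web.ignoring()`, which bypasses the whole security filter chain for those paths — the same mechanism whose blanket `"**"` form broke CORS before this commit — so cross-origin requests to the excluded API paths presumably still get no CORS handling. Consider keeping `web.ignoring()` for the genuinely static resources and declaring the API exclusions as `permitAll()` in the `HttpSecurity` configuration so the CORS filter and JwtAuthenticationFilter still run; that part of the class is outside this hunk. The comment `// 可以直接访问的静态数据` now also covers API paths and user-configured excludes; suggest `// Paths that skip the security filter chain entirely: static resources plus configured API excludes`. Minor: `ArrayList<String> matchers` could be declared as `List<String> matchers`, and if `getInterfaceAuthenticationExcludes()` can return null the `addAll` will throw at startup.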