package org.minbox.framework.api.boot.secuirty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;
import java.util.Collections;
import java.util.List;
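/**
 * Base Spring Security configuration for ApiBoot.
 * <p>
 * Subclasses supply the access-denied handler, the authentication entry point and the
 * HTTP Basic / CSRF switches; this class wires them into {@link WebSecurity},
 * {@link AuthenticationManagerBuilder} and {@link HttpSecurity}.
 * </p>
 *
 * @author 恒宇少年
 */
public abstract class ApiBootWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    /**
     * Returns the Ant-style path patterns that are excluded from Spring Security.
     * <p>
     * Every pattern returned here is registered through {@code web.ignoring()} in
     * {@link #configure(WebSecurity)}. Requests matching an ignored pattern bypass the
     * Spring Security filter chain altogether, so they receive no authentication, no CSRF
     * protection and no security response headers. Keep the list as narrow as possible
     * (static assets, health probes) and avoid broad wildcards.
     * </p>
     *
     * @return the patterns to ignore; the default is an empty list (nothing is ignored)
     */
    protected List<String> configureIgnoreUrls() {
        return Collections.emptyList();
    }

    /**
     * Registers the patterns from {@link #configureIgnoreUrls()} as ignored requests.
     * <p>
     * A {@code null} list from a subclass is treated as "ignore nothing", so a faulty
     * override leaves every path protected instead of failing with a
     * {@link NullPointerException}.
     * </p>
     *
     * @param web {@link WebSecurity}
     */
    @Override
    public void configure(WebSecurity web) {
        List<String> ignoreUrls = configureIgnoreUrls();
        if (ignoreUrls == null) {
            // Fail closed: without a list, no path is exempted from the filter chain.
            ignoreUrls = Collections.emptyList();
        }
        WebSecurity.IgnoredRequestConfigurer ignoredRequestConfigurer = web.ignoring();
        for (String ignoreUrl : ignoreUrls) {
            ignoredRequestConfigurer.antMatchers(ignoreUrl);
        }
    }

    /**
     * Configures user authentication.
     * <p>
     * Uses the {@code userDetailsService()} inherited from
     * {@link WebSecurityConfigurerAdapter} and hashes and verifies passwords with
     * {@link #passwordEncoder()}.
     * </p>
     *
     * @param auth {@link AuthenticationManagerBuilder}
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
    }

    /**
     * Exposes the {@link AuthenticationManager} built by this configuration as a bean.
     *
     * @return {@link AuthenticationManager}
     * @throws Exception if the parent class cannot provide the manager
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Applies the HTTP-level settings chosen by the subclass.
     * <p>
     * Disables HTTP Basic when {@link #disableHttpBasic()} returns {@code true}, disables
     * CSRF protection when {@link #disableCsrf()} returns {@code true}, and installs the
     * handlers returned by {@link #getAccessDeniedHandler()} and
     * {@link #getAuthenticationEntryPoint()}. No authorization rules are declared in this
     * method.
     * </p>
     *
     * @param http {@link HttpSecurity}
     * @throws Exception if the configuration cannot be applied
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (disableHttpBasic()) {
            http.httpBasic().disable();
        }
        if (disableCsrf()) {
            // Appropriate only when clients do not authenticate with credentials the
            // browser attaches automatically (for example session cookies).
            http.csrf().disable();
        }
        // Same evaluation order as two separate exceptionHandling() calls:
        // the access-denied handler is resolved first, then the entry point.
        http.exceptionHandling()
                .accessDeniedHandler(getAccessDeniedHandler())
                .authenticationEntryPoint(getAuthenticationEntryPoint());
    }

    /**
     * Provides the password encoder used for hashing and verifying user passwords.
     * <p>
     * The encoder is a {@link BCryptPasswordEncoder} created with its no-argument
     * constructor, i.e. the library's default strength. Because of
     * {@link ConditionalOnMissingBean}, an application can replace it by declaring its
     * own {@link PasswordEncoder} bean.
     * </p>
     *
     * @return {@link BCryptPasswordEncoder}
     * @see PasswordEncoder
     */
    @Bean
    @ConditionalOnMissingBean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Returns the handler invoked when an authenticated caller is denied access.
     * <p>
     * The implementation class is expected to return the project's customized
     * {@link AccessDeniedHandler} instance from the IOC container, or the default
     * {@link org.minbox.framework.api.boot.plugin.security.handler.ApiBootDefaultAccessDeniedHandler}
     * when the project defines none.
     * NOTE(review): that fallback is not implemented in this class; the returned value is
     * handed to Spring Security as-is. Confirm that every subclass performs the fallback.
     * </p>
     *
     * @return {@link AccessDeniedHandler}
     */
    protected abstract AccessDeniedHandler getAccessDeniedHandler();

    /**
     * Returns the entry point that {@link #configure(HttpSecurity)} registers for
     * authentication failures.
     *
     * @return {@link AuthenticationEntryPoint}
     */
    protected abstract AuthenticationEntryPoint getAuthenticationEntryPoint();

    /**
     * Tells {@link #configure(HttpSecurity)} whether HTTP Basic authentication is disabled.
     * <p>
     * This method is abstract; the decision is made by the subclass.
     * </p>
     *
     * @return {@code true} to disable HTTP Basic, {@code false} to leave it unchanged
     * @see ApiBootWebSecurityConfiguration#configure(HttpSecurity)
     */
    protected abstract boolean disableHttpBasic();

    /**
     * Tells {@link #configure(HttpSecurity)} whether CSRF protection is disabled.
     * <p>
     * This method is abstract; the decision is made by the subclass. Returning
     * {@code true} removes CSRF protection for every request handled by this
     * configuration.
     * </p>
     *
     * @return {@code true} to disable CSRF protection, {@code false} to leave it unchanged
     * @see ApiBootWebSecurityConfiguration#configure(HttpSecurity)
     */
    protected abstract boolean disableCsrf();
}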