Spring Boot 项目的 Spring Security 配置
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
/**
 * Web-tier Spring Security configuration: form login backed by a
 * {@link DaoAuthenticationProvider}, single-session concurrency control and a
 * Redis-backed OAuth2 token store.
 *
 * <p>Security review notes, each repeated next to the code it refers to:
 * <ul>
 *   <li>{@code /services/**}, {@code /api/**} and {@code /esb/**} are excluded from the
 *       security filter chain entirely, not merely permitted.</li>
 *   <li>The {@code X-Frame-Options} response header is switched off.</li>
 *   <li>{@code /logout} is matched for every HTTP method.</li>
 *   <li>Unknown-user failures are not folded into bad-credentials failures.</li>
 * </ul>
 */
@Configuration
@EnableWebSecurity
@Order(100)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    Logger logger = LoggerFactory.getLogger(getClass());

    /** Loads user records for the DAO authentication provider. */
    @Autowired
    public SecurityUserService securityUserService;

    /** Connection factory handed to the Redis token store. */
    @Autowired
    private RedisConnectionFactory redisConnectionFactory;

    /** Project filter registered ahead of {@link UsernamePasswordAuthenticationFilter}. */
    @Autowired
    private LoginAuthenticationFilter loginAuthenticationFilter;

    /** Invoked after a successful form login. */
    @Autowired
    private AuthenticationSuccessHandler authenticationSuccessHandler;

    /**
     * Password hasher used by {@link #authenticationProvider()}.
     *
     * @return a bcrypt encoder created with the library's default strength
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Publishes HTTP session lifecycle events into the application context; the
     * concurrent-session limit configured in {@link #configure(HttpSecurity)} relies on
     * these events to learn when a session has ended.
     *
     * @return the session event publisher
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    /**
     * OAuth2 token store that keeps tokens in Redis.
     *
     * <p>NOTE(review): the stored tokens are bearer credentials, so the Redis instance
     * behind {@code redisConnectionFactory} should require authentication and should not
     * be reachable from untrusted networks. Confirm against the deployment.
     *
     * @return a token store bound to the injected Redis connection factory
     */
    @Bean
    public RedisTokenStore tokenStore() {
        return new RedisTokenStore(redisConnectionFactory);
    }

    /**
     * Lists the request paths that skip the Spring Security filter chain altogether.
     *
     * <p>An ignored request gets no authentication, no CSRF check, no security response
     * headers and no {@code SecurityContext}. That is the usual treatment for static
     * assets. NOTE(review): {@code /services/**}, {@code /api/**} and {@code /esb/**} look
     * like application endpoints rather than assets. Confirm they are protected by some
     * other mechanism, or move them into {@link #configure(HttpSecurity)} with explicit
     * rules.
     *
     * @param web the web security builder
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // @formatter:off
        web.ignoring().antMatchers(
            // static resources
            "/**/favicon.ico",
            "/webjars/**",
            "/js/**",
            "/css/**",
            "/img/**",
            "/dist/**",
            "/vendor/**",
            // NOTE(review): not static content by name; these bypass every security filter
            "/services/**",
            "/api/**",
            "/esb/**"
        );
        // @formatter:on
    }

    /**
     * Defines the rules for requests that do reach the security filter chain: public
     * login endpoints, authentication for everything else, form login, logout and a
     * one-session-per-user limit.
     *
     * @param http the HTTP security builder
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): this removes X-Frame-Options, so any origin may frame these pages
        // (clickjacking exposure). If only same-site framing is needed,
        // frameOptions().sameOrigin() is the narrower setting.
        http.headers().frameOptions().disable();

        // @formatter:off
        // "/api/**" and "/esb/**" are already excluded in configure(WebSecurity), so those
        // requests never reach this chain; the permitAll entries for them have no effect
        // while that exclusion stays in place.
        http.authorizeRequests()
            .antMatchers(
                "/login",
                "/code/image",
                "/api/**",
                "/esb/**"
            ).permitAll()
            .anyRequest().authenticated();

        http.addFilterBefore(loginAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

        http.formLogin()
            .loginPage("/login")
            .successHandler(authenticationSuccessHandler)
            .permitAll();

        // NOTE(review): a request matcher with no HTTP method accepts GET as well as POST.
        // A GET logout is not covered by CSRF protection, so a third-party page can sign
        // a user out.
        http.logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .permitAll();

        // One session per user: a new login is accepted and the older session is expired,
        // then sent to /login?expired on its next request.
        http.sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(false)
            .expiredUrl("/login?expired");
        // @formatter:on
    }

    /**
     * Registers the DAO-backed provider as the authentication source.
     *
     * @param auth the authentication manager builder
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        AuthenticationProvider daoBacked = authenticationProvider();
        auth.authenticationProvider(daoBacked);
    }

    /**
     * Exposes the adapter's {@link AuthenticationManager} as a bean so other components
     * can inject it.
     *
     * @return the authentication manager built by this adapter
     * @throws Exception if the manager cannot be built
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Builds the username/password provider from {@code securityUserService} and the
     * bcrypt encoder.
     *
     * <p>NOTE(review): with {@code hideUserNotFoundExceptions} set to {@code false}, an
     * unknown username surfaces as {@code UsernameNotFoundException} instead of being
     * reported as bad credentials. If the login response lets a client tell the two cases
     * apart, valid account names can be enumerated. Confirm the failure path returns one
     * uniform message, or leave the flag at its default of {@code true}.
     *
     * @return the configured authentication provider
     */
    @Bean
    public AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider daoProvider = new DaoAuthenticationProvider();
        daoProvider.setHideUserNotFoundExceptions(false);
        daoProvider.setUserDetailsService(securityUserService);
        daoProvider.setPasswordEncoder(passwordEncoder());
        return daoProvider;
    }
}