From a2627d6b05a26609ffb93b50aff439b0889b0e7c Mon Sep 17 00:00:00 2001 From: Xia Kaixiang Date: Mon, 22 Apr 2019 09:21:00 +0800 Subject: [PATCH] =?utf8?q?=E7=99=BB=E5=BD=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit --- .../framework/filter/ValidateCodeFilter.java | 2 +- .../security/MyInvalidSessionStrategy.java | 30 +++++++++ .../security/ValidateCodeSecurityConfig.java | 24 +++++++ .../kotlin/com/supwisdom/dlpay/security.kt | 65 ++++++++++++++----- 4 files changed, 103 insertions(+), 18 deletions(-) create mode 100644 src/main/java/com/supwisdom/dlpay/framework/security/MyInvalidSessionStrategy.java create mode 100644 src/main/java/com/supwisdom/dlpay/framework/security/ValidateCodeSecurityConfig.java diff --git a/src/main/java/com/supwisdom/dlpay/framework/filter/ValidateCodeFilter.java b/src/main/java/com/supwisdom/dlpay/framework/filter/ValidateCodeFilter.java index fd8c4d1d..04a150ec 100755 --- a/src/main/java/com/supwisdom/dlpay/framework/filter/ValidateCodeFilter.java +++ b/src/main/java/com/supwisdom/dlpay/framework/filter/ValidateCodeFilter.java @@ -21,7 +21,7 @@ import java.io.IOException; @Component("validateCodeFilter") -public class ValidateCodeFilter extends OncePerRequestFilter implements InitializingBean { +public class ValidateCodeFilter extends OncePerRequestFilter{ /** * 校验失败处理器 diff --git a/src/main/java/com/supwisdom/dlpay/framework/security/MyInvalidSessionStrategy.java b/src/main/java/com/supwisdom/dlpay/framework/security/MyInvalidSessionStrategy.java new file mode 100644 index 00000000..7b87a263 --- /dev/null +++ b/src/main/java/com/supwisdom/dlpay/framework/security/MyInvalidSessionStrategy.java 
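Review bot: The new class header `public class ValidateCodeFilter extends OncePerRequestFilter{` drops the space before the brace; write `public class ValidateCodeFilter extends OncePerRequestFilter {` to match the surrounding declarations. Removing `InitializingBean` itself is harmless, because `OncePerRequestFilter` already inherits that interface through `GenericFilterBean`, so an `afterPropertiesSet()` override elsewhere in this class (outside the hunk) is still invoked by Spring; the now-redundant `InitializingBean` import, if it is still present, can go in the same change.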
@@ -0,0 +1,30 @@
+package com.supwisdom.dlpay.framework.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.supwisdom.dlpay.consume.bean.JsonResult;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.web.session.InvalidSessionStrategy;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Component("myInvalidSessionStrategy")
+public class MyInvalidSessionStrategy implements InvalidSessionStrategy {
+ @Autowired
+ private ObjectMapper objectMapper = new ObjectMapper();
+
+ @Override
+ public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
+ throws IOException, ServletException {
+ JsonResult result =new JsonResult();
+ result.setCode(401);
+ result.setMessage("session已经失效了");
+ response.setStatus(HttpStatus.OK.value());
+ response.setContentType("application/json;charset=UTF-8");
+ response.getWriter().write(objectMapper.writeValueAsString(result));
+ }
+}
diff --git a/src/main/java/com/supwisdom/dlpay/framework/security/ValidateCodeSecurityConfig.java b/src/main/java/com/supwisdom/dlpay/framework/security/ValidateCodeSecurityConfig.java
new file mode 100644
index 00000000..56782db7
--- /dev/null
+++ b/src/main/java/com/supwisdom/dlpay/framework/security/ValidateCodeSecurityConfig.java
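Review bot: onInvalidSessionDetected answers an invalid session with `response.setStatus(HttpStatus.OK.value())` while the body says code 401, so proxies, caches and any client that checks the HTTP status see a success and only code that parses this particular JSON learns the session is gone; use `response.setStatus(HttpStatus.UNAUTHORIZED.value());` so status and body agree. The field `@Autowired private ObjectMapper objectMapper = new ObjectMapper();` mixes injection with an initializer that is discarded the moment the container injects the shared ObjectMapper bean; drop the initializer and inject it through the constructor into a `private final` field. Because the strategy writes a JSON body and never creates a replacement session, a browser still holding a stale JSESSIONID will presumably keep receiving this payload on ordinary page navigations — including `/login`, which the security.kt hunk permits — until the cookie is replaced; worth confirming against SessionManagementFilter, and if so redirecting non-AJAX requests to the login page instead.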
@@ -0,0 +1,24 @@ +package com.supwisdom.dlpay.framework.security; + +import javax.servlet.Filter; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.config.annotation.SecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.web.DefaultSecurityFilterChain; +import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; +import org.springframework.stereotype.Component; + +@Component("validateCodeSecurityConfig") +public class ValidateCodeSecurityConfig extends SecurityConfigurerAdapter { + + @Autowired + private Filter validateCodeFilter; + + + @Override + public void configure(HttpSecurity http) throws Exception { + http.addFilterBefore(validateCodeFilter, AbstractPreAuthenticatedProcessingFilter.class); + } + +} \ No newline at end of file diff --git a/src/main/kotlin/com/supwisdom/dlpay/security.kt b/src/main/kotlin/com/supwisdom/dlpay/security.kt index 26e2df7d..61b07e2d 100644 --- a/src/main/kotlin/com/supwisdom/dlpay/security.kt +++ b/src/main/kotlin/com/supwisdom/dlpay/security.kt @@ -2,6 +2,10 @@ package com.supwisdom.dlpay import com.supwisdom.dlpay.framework.core.JwtConfig import com.supwisdom.dlpay.framework.core.JwtTokenUtil +import com.supwisdom.dlpay.framework.filter.ValidateCodeFilter +import com.supwisdom.dlpay.framework.security.MyInvalidSessionStrategy +import com.supwisdom.dlpay.framework.security.ValidateCodeSecurityConfig +import com.supwisdom.dlpay.framework.service.OperatorDetailService import org.jose4j.jwt.consumer.InvalidJwtException import org.springframework.beans.factory.annotation.Autowired import org.springframework.context.annotation.Bean 
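Review bot: `private Filter validateCodeFilter` is autowired by the broad `javax.servlet.Filter` type, so in a context with several Filter beans the injection only resolves because the field name happens to match the bean name `validateCodeFilter`; declare the field as `ValidateCodeFilter` (or add `@Qualifier("validateCodeFilter")`) so the captcha gate cannot silently bind to a different filter after a rename. The `DefaultSecurityFilterChain` import is unused unless it is the type argument of `SecurityConfigurerAdapter` and was lost in rendering — if the class really extends the raw type, declare it as `SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>`. The file also ends without a trailing newline, which the diff flags.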
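Review bot: `import com.supwisdom.dlpay.framework.filter.ValidateCodeFilter` is added here but nothing in the patched security.kt references ValidateCodeFilter — the filter is applied through `validateCodeSecurityConfig` — so it looks like an unused import; drop it unless a part of the file outside these hunks uses it. The next hunk `@@ -15,11 +19,17 @@` keeps `User`, `UserDetailsService` and `InMemoryUserDetailsManager` imported while the hunk that removes `userDetailsService()` deletes their only visible use; those likely need the same cleanup, keeping `UserDetailsService` only if the commented-out `daoProvider` block is revived.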
@@ -15,11 +19,17 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur import org.springframework.security.config.http.SessionCreationPolicy import org.springframework.security.core.authority.SimpleGrantedAuthority import org.springframework.security.core.context.SecurityContextHolder +import org.springframework.security.core.session.SessionRegistry +import org.springframework.security.core.session.SessionRegistryImpl import org.springframework.security.core.userdetails.User import org.springframework.security.core.userdetails.UserDetailsService import org.springframework.security.provisioning.InMemoryUserDetailsManager +import org.springframework.security.web.authentication.AuthenticationFailureHandler +import org.springframework.security.web.authentication.AuthenticationSuccessHandler import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter -import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler +import org.springframework.security.web.session.InvalidSessionStrategy +import org.springframework.security.web.session.SessionInformationExpiredStrategy +import org.springframework.security.web.util.matcher.AntPathRequestMatcher import org.springframework.web.filter.OncePerRequestFilter import javax.servlet.FilterChain import javax.servlet.http.HttpServletRequest @@ -48,16 +58,6 @@ class ApiJwtAuthenticationFilter(jwt: JwtTokenUtil) : OncePerRequestFilter() { @EnableWebSecurity class WebSecurityConfig { - @Bean - fun userDetailsService(): UserDetailsService { - val manager = InMemoryUserDetailsManager() - manager.createUser(User.withDefaultPasswordEncoder() - .username("admin") - .password("123456") - .roles("USER").build()) - return manager - } - // @Bean // fun daoProvider(detailsService: UserDetailsService): DaoAuthenticationProvider { // return DaoAuthenticationProvider().also { 
@@ -100,20 +100,51 @@ class WebSecurityConfig { @Configuration class MvcWebSecurityConfigurationAdapter : WebSecurityConfigurerAdapter() { + @Autowired + lateinit var validateCodeSecurityConfig: ValidateCodeSecurityConfig + @Autowired + lateinit var userDetailsService: OperatorDetailService + @Autowired + lateinit var zyAuthenticationFailureHandler: AuthenticationFailureHandler + @Autowired + lateinit var zyAuthenticationSuccessHandler: AuthenticationSuccessHandler + @Autowired + lateinit var myInvalidSessionStrategy: InvalidSessionStrategy + override fun configure(http: HttpSecurity) { // 设置 Web MVC 应用权限 - http.authorizeRequests() - .anyRequest().authenticated() + http.apply(validateCodeSecurityConfig) .and() .formLogin() - .loginPage("/user/login").permitAll() + .loginPage("/login") + .loginProcessingUrl("/login/form") + .successHandler(zyAuthenticationSuccessHandler) + .failureHandler(zyAuthenticationFailureHandler) .and() .logout() - .logoutUrl("/user/logout") - .logoutSuccessUrl("/user/home") + .logoutRequestMatcher(AntPathRequestMatcher("/logout")) + .logoutSuccessUrl("/login") + .deleteCookies("JSESSIONID") .invalidateHttpSession(true) - .addLogoutHandler(CookieClearingLogoutHandler()) + .and() + .userDetailsService(userDetailsService) + .authorizeRequests() + .antMatchers("/login").permitAll() + .antMatchers("/static/**").permitAll() + .antMatchers("/code/image").permitAll() + .anyRequest().authenticated() + .and() + .sessionManagement() + .invalidSessionStrategy(myInvalidSessionStrategy) + .maximumSessions(1) + .sessionRegistry(SessionRegistryImpl()) + .maxSessionsPreventsLogin(true) + .and() + .and() + .headers().frameOptions().disable() + .and() + .csrf().disable() } } } -- 2.17.1
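Review bot: `.csrf().disable()` at the end of configure() turns off CSRF protection for a chain that authenticates browsers with a JSESSIONID cookie and a form login, so `/login/form`, `/logout` and every authenticated state-changing request can be forged from another origin; keep CSRF on for this MVC chain and exempt only token-authenticated paths, e.g. `.csrf().ignoringAntMatchers("/api/**")` (example prefix — substitute the real one). `.headers().frameOptions().disable()` in the same group removes clickjacking protection from every page; if same-origin frames are the reason, `.headers().frameOptions().sameOrigin()` is the narrower setting. `sessionRegistry(SessionRegistryImpl())` hands the session controller an instance that is not a Spring bean and therefore never receives SessionDestroyedEvent, so with `maxSessionsPreventsLogin(true)` a user whose session times out without an explicit logout is likely refused a new login until the stale entry goes away; expose the registry as a `@Bean` and register a `HttpSessionEventPublisher` bean so the container's session-destroyed callbacks reach it. Since `AntPathRequestMatcher("/logout")` matches any HTTP method, once CSRF is back consider `AntPathRequestMatcher("/logout", "POST")` so a logout cannot be triggered by a plain link.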