diff --git a/src/main/java/com/supwisdom/dlpay/framework/filter/ValidateCodeFilter.java b/src/main/java/com/supwisdom/dlpay/framework/filter/ValidateCodeFilter.java
index fd8c4d1..04a150e 100755
--- a/src/main/java/com/supwisdom/dlpay/framework/filter/ValidateCodeFilter.java
+++ b/src/main/java/com/supwisdom/dlpay/framework/filter/ValidateCodeFilter.java
@@ -21,7 +21,7 @@
@Component("validateCodeFilter")
-public class ValidateCodeFilter extends OncePerRequestFilter implements InitializingBean {
+public class ValidateCodeFilter extends OncePerRequestFilter{
/**
* 校验失败处理器
diff --git a/src/main/java/com/supwisdom/dlpay/framework/security/MyInvalidSessionStrategy.java b/src/main/java/com/supwisdom/dlpay/framework/security/MyInvalidSessionStrategy.java
new file mode 100644
index 0000000..7b87a26
--- /dev/null
+++ b/src/main/java/com/supwisdom/dlpay/framework/security/MyInvalidSessionStrategy.java
@@ -0,0 +1,30 @@
+package com.supwisdom.dlpay.framework.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.supwisdom.dlpay.consume.bean.JsonResult;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.web.session.InvalidSessionStrategy;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Component("myInvalidSessionStrategy")
+public class MyInvalidSessionStrategy implements InvalidSessionStrategy {
+ @Autowired
+ private ObjectMapper objectMapper = new ObjectMapper();
+
+ @Override
+ public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
+ throws IOException, ServletException {
+ JsonResult result =new JsonResult();
+ result.setCode(401);
+ result.setMessage("session已经失效了");
+ response.setStatus(HttpStatus.OK.value());
+ response.setContentType("application/json;charset=UTF-8");
+ response.getWriter().write(objectMapper.writeValueAsString(result));
+ }
+}
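Review bot: onInvalidSessionDetected answers an expired session with HTTP 200 while the body carries code 401, so clients, proxies and any status-based monitoring see a successful response; the status should match the body, `response.setStatus(HttpStatus.UNAUTHORIZED.value());`. The field `@Autowired private ObjectMapper objectMapper = new ObjectMapper();` mixes injection with an eager default, which hides a missing or differently configured Spring ObjectMapper behind a silently created one; pick one, e.g. constructor injection of the container's ObjectMapper, and drop the initializer. A one-line Javadoc on the class stating that it is the JSON reply used when a request arrives with an invalid session id would also help the next reader.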
diff --git a/src/main/java/com/supwisdom/dlpay/framework/security/ValidateCodeSecurityConfig.java b/src/main/java/com/supwisdom/dlpay/framework/security/ValidateCodeSecurityConfig.java
new file mode 100644
index 0000000..56782db
--- /dev/null
+++ b/src/main/java/com/supwisdom/dlpay/framework/security/ValidateCodeSecurityConfig.java
@@ -0,0 +1,24 @@
+package com.supwisdom.dlpay.framework.security;
+
+import javax.servlet.Filter;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+import org.springframework.stereotype.Component;
+
+@Component("validateCodeSecurityConfig")
+public class ValidateCodeSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,HttpSecurity> {
+
+ @Autowired
+ private Filter validateCodeFilter;
+
+
+ @Override
+ public void configure(HttpSecurity http) throws Exception {
+ http.addFilterBefore(validateCodeFilter, AbstractPreAuthenticatedProcessingFilter.class);
+ }
+
+}
\ No newline at end of file
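Review bot: The field `@Autowired private Filter validateCodeFilter;` is injected by the generic type javax.servlet.Filter, which is ambiguous as soon as the context holds more than one Filter bean (Spring Security's own filter chain bean is one); it appears to resolve here only through the field-name fallback to the bean named "validateCodeFilter". Declaring the concrete type, `private ValidateCodeFilter validateCodeFilter;`, or adding `@Qualifier("validateCodeFilter")` makes the intended bean explicit and survives a rename of the field. A short Javadoc on configure saying the captcha check runs ahead of the authentication processing filters would document why AbstractPreAuthenticatedProcessingFilter is the insertion point.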
diff --git a/src/main/kotlin/com/supwisdom/dlpay/security.kt b/src/main/kotlin/com/supwisdom/dlpay/security.kt
index 26e2df7..61b07e2 100644
--- a/src/main/kotlin/com/supwisdom/dlpay/security.kt
+++ b/src/main/kotlin/com/supwisdom/dlpay/security.kt
@@ -2,6 +2,10 @@
import com.supwisdom.dlpay.framework.core.JwtConfig
import com.supwisdom.dlpay.framework.core.JwtTokenUtil
+import com.supwisdom.dlpay.framework.filter.ValidateCodeFilter
+import com.supwisdom.dlpay.framework.security.MyInvalidSessionStrategy
+import com.supwisdom.dlpay.framework.security.ValidateCodeSecurityConfig
+import com.supwisdom.dlpay.framework.service.OperatorDetailService
import org.jose4j.jwt.consumer.InvalidJwtException
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.context.annotation.Bean
@@ -15,11 +19,17 @@
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.context.SecurityContextHolder
+import org.springframework.security.core.session.SessionRegistry
+import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.core.userdetails.User
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.provisioning.InMemoryUserDetailsManager
+import org.springframework.security.web.authentication.AuthenticationFailureHandler
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
-import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler
+import org.springframework.security.web.session.InvalidSessionStrategy
+import org.springframework.security.web.session.SessionInformationExpiredStrategy
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher
import org.springframework.web.filter.OncePerRequestFilter
import javax.servlet.FilterChain
import javax.servlet.http.HttpServletRequest
@@ -48,16 +58,6 @@
@EnableWebSecurity
class WebSecurityConfig {
- @Bean
- fun userDetailsService(): UserDetailsService {
- val manager = InMemoryUserDetailsManager()
- manager.createUser(User.withDefaultPasswordEncoder()
- .username("admin")
- .password("123456")
- .roles("USER").build())
- return manager
- }
-
// @Bean
// fun daoProvider(detailsService: UserDetailsService): DaoAuthenticationProvider {
// return DaoAuthenticationProvider().also {
@@ -100,20 +100,51 @@
@Configuration
class MvcWebSecurityConfigurationAdapter : WebSecurityConfigurerAdapter() {
+ @Autowired
+ lateinit var validateCodeSecurityConfig: ValidateCodeSecurityConfig
+ @Autowired
+ lateinit var userDetailsService: OperatorDetailService
+ @Autowired
+ lateinit var zyAuthenticationFailureHandler: AuthenticationFailureHandler
+ @Autowired
+ lateinit var zyAuthenticationSuccessHandler: AuthenticationSuccessHandler
+ @Autowired
+ lateinit var myInvalidSessionStrategy: InvalidSessionStrategy
+
override fun configure(http: HttpSecurity) {
// 设置 Web MVC 应用权限
- http.authorizeRequests()
- .anyRequest().authenticated()
+ http.apply(validateCodeSecurityConfig)
.and()
.formLogin()
- .loginPage("/user/login").permitAll()
+ .loginPage("/login")
+ .loginProcessingUrl("/login/form")
+ .successHandler(zyAuthenticationSuccessHandler)
+ .failureHandler(zyAuthenticationFailureHandler)
.and()
.logout()
- .logoutUrl("/user/logout")
- .logoutSuccessUrl("/user/home")
+ .logoutRequestMatcher(AntPathRequestMatcher("/logout"))
+ .logoutSuccessUrl("/login")
+ .deleteCookies("JSESSIONID")
.invalidateHttpSession(true)
- .addLogoutHandler(CookieClearingLogoutHandler())
+ .and()
+ .userDetailsService(userDetailsService)
+ .authorizeRequests()
+ .antMatchers("/login").permitAll()
+ .antMatchers("/static/**").permitAll()
+ .antMatchers("/code/image").permitAll()
+ .anyRequest().authenticated()
+ .and()
+ .sessionManagement()
+ .invalidSessionStrategy(myInvalidSessionStrategy)
+ .maximumSessions(1)
+ .sessionRegistry(SessionRegistryImpl())
+ .maxSessionsPreventsLogin(true)
+ .and()
+ .and()
+ .headers().frameOptions().disable()
+ .and()
+ .csrf().disable()
}
}
}
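Review bot: The chain ends with `.csrf().disable()` and `.headers().frameOptions().disable()`, which turns off CSRF and clickjacking protection for the whole session-cookie-based form-login application rather than for the specific endpoints that may need it; prefer `.headers().frameOptions().sameOrigin()` and, if a particular URL genuinely cannot carry the token, `.csrf().ignoringAntMatchers(...)` for that URL only. Concurrency control is configured with `.sessionRegistry(SessionRegistryImpl())` created inline together with `maxSessionsPreventsLogin(true)`; unless an HttpSessionEventPublisher is registered elsewhere (not visible in this hunk), the registry is never told about sessions that time out, so a user whose session expired without an explicit logout can be refused login until the stale entry is cleared. Exposing the registry as a bean and registering the publisher would make the limit behave as intended. The enclosing MvcWebSecurityConfigurationAdapter class starts before this hunk.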