无关风月
2025-02-28 2f8e70ad2884d2b6b7443dfae0af11ae9cfc8b99
manage/src/main/java/com/jilongda/manage/config/WebSecurityConfig.java
@@ -1,5 +1,6 @@
package com.jilongda.manage.config;
import com.jilongda.common.security.ExceptionHandleFilter;
import com.jilongda.manage.security.SecurityAccessDeniedHandler;
import com.jilongda.manage.security.SysUserDetailsService;
import com.jilongda.common.basic.Constant;
@@ -22,6 +23,7 @@
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
/**
 * 细粒度的访问控制
@@ -107,14 +109,14 @@
                .logout().disable()
                .csrf().disable()
                // 放在 Cookie 中返回前端,防止跨域伪造
                //.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
//                .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                //.and()
                .authorizeRequests()
                // 跨域预检请求
//                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // 登录URL permitAll() 无需保护 ---> 此种方式配置忽略认证规则会走Spring Security 过滤器链,在过滤器链中,给请求放行
                // 不需要保护的请求,但需要经过过滤连
                .antMatchers(HttpMethod.POST, "/**").permitAll()
//                .antMatchers(HttpMethod.POST, "/**").permitAll()
                // 其他都需要权限认证
                .anyRequest()
                .authenticated()
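Review bot: `.antMatchers(HttpMethod.POST, "/**").permitAll()` lets every POST endpoint through without authentication, so `.anyRequest().authenticated()` below it only protects the remaining methods; this rendering does not make certain which of the two POST lines (uncommented vs commented) is the new side, but whichever survives should match the login URL the comment above it describes by its concrete path, e.g. `.antMatchers(HttpMethod.POST, "/<login-path>").permitAll()`, never `/**`. The `CookieCsrfTokenRepository` import added in the second hunk is referenced only from the commented-out `csrfTokenRepository(...)` lines beside the active `.csrf().disable()`, so it is dead code plus an unused import; either remove both or replace them with one comment such as `// CSRF disabled: sessions are STATELESS and requests are authenticated per request by AuthenticationFilter` (presumably the intent — confirm). The `configure` method containing this chain starts and ends outside the hunk.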
@@ -135,6 +137,8 @@
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // 访问控制时登录状态检查过滤器
        http.addFilterBefore(new AuthenticationFilter(securityUtils()), UsernamePasswordAuthenticationFilter.class);
        // 异常捕捉过滤器,必须在AuthenticationFilter之前才能捕捉到异常信息
        http.addFilterBefore(new ExceptionHandleFilter(), AuthenticationFilter.class);
        //禁用缓存
        http.headers().cacheControl();
    }