想通过拦截器的方式把所有的请求 带一个token过去 然后再去验证。
现在问题是没有等到我的拦截器执行就报401了 无权限了。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
@Order(-1)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private SuccessAuthenticationSuccessHandler successAuthenticationSuccessHandler;
@Bean
public BCryptPasswordEncoder passwordEncoder() {
// 设置默认的加密方式
return new BCryptPasswordEncoder();
}
@Bean
@Override
public UserDetailsService userDetailsService() {
return new UserDetailsServiceImpl();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// 使用自定义认证与授权
auth.userDetailsService(userDetailsService());
}
@Override
public void configure(WebSecurity web) throws Exception {
// 将 check_token 暴露出去,否则资源服务器访问时报 403 错误
web.ignoring().antMatchers("/oauth/check_token");
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//自定义TokenFilter 不执行为什么?
http.addFilterAt(new TokenFilter(), FilterSecurityInterceptor.class);
http.requestMatchers().antMatchers(HttpMethod.OPTIONS, "/oauth/token")
.and()
.cors()
.and()
.csrf().disable();
}
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Autowired
private AdminPermissionRepository adminPermissionRepository;
@Autowired
private SuccessAuthenticationSuccessHandler successAuthenticationSuccessHandler;
@Override
public void configure(HttpSecurity http) throws Exception {
List<AdminPermission> permissions = adminPermissionRepository.findAll();
http .headers().frameOptions().sameOrigin();
http
.exceptionHandling()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/","/login","/static/**","/assets/**").permitAll();
permissions.forEach(permission->{
try {
http.authorizeRequests().antMatchers(permission.getUrl()).hasAuthority(permission.getNameEn());
} catch (Exception e) {
e.printStackTrace();
}
});
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
super.configure(resources);
}
}