wuheng 1 year ago
parent
commit
13df6df4b8

+ 5 - 0
travel/admin/pom.xml

@@ -18,6 +18,11 @@
 
     <dependencies>
 
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>com.cl.mbg</groupId>
             <artifactId>mbg</artifactId>

+ 54 - 0
travel/admin/src/main/java/com/lc/admin/config/SecurityConfig.java

@@ -0,0 +1,54 @@
+package com.lc.admin.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+import javax.annotation.Resource;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+
+    @Resource
+    SecurityFilter securityFilter;
+
+    @Bean
+    public SecurityFilterChain t(HttpSecurity http) throws Exception {
+        HttpSecurity and = http
+                .headers().disable()
+                //配置跨站攻击
+                .csrf()
+                //禁用跨站攻击
+                .disable()
+                //配置session
+                .sessionManagement()
+                //关闭session
+                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
+                //结束session配置
+                .and()
+                //配置用户权限
+                .authorizeRequests()
+                //通过URL 匹配权限路径, 配置权限
+                //URL 匹配了  /user/login 这个请求, 则放行
+                .antMatchers(
+                        "/login.html",
+                        "/login.do",
+                        "/logout.do",
+                        "/static/**"
+                ).permitAll()
+                //其他请求  全部必须登录才能访问
+                .anyRequest().authenticated()
+                //结束权限配置
+                .and();
+
+        and.addFilterBefore( securityFilter, UsernamePasswordAuthenticationFilter.class);
+
+        return and.build();
+    }
+
+}
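Review bot: `.csrf().disable()` combined with `SessionCreationPolicy.ALWAYS` leaves this admin application authenticating by session cookie with no CSRF token check, so the state-changing endpoints behind `.anyRequest().authenticated()` will accept cross-site requests sent from a logged-in browser. Unless every client is a non-browser one, drop the `.csrf()` / `.disable()` pair and have the pages submit the token. `.headers().disable()` at the top of the chain also switches off all of Spring Security's default response headers (X-Frame-Options, X-Content-Type-Options, cache control, HSTS); if the intent is only to allow same-origin framing, `.headers().frameOptions().sameOrigin().and()` keeps the others. The comment `//关闭session` above `sessionCreationPolicy(...)` says the session is turned off while the code selects `ALWAYS`, so it should read something like `// always create an HttpSession; login state is kept in it`.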

+ 46 - 0
travel/admin/src/main/java/com/lc/admin/config/SecurityFilter.java

@@ -0,0 +1,46 @@
+package com.lc.admin.config;
+
+import com.cl.mbg.model.TUser;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.util.Objects;
+
+@Component
+public class SecurityFilter extends OncePerRequestFilter {
+
+    /**
+     * Security 有两个功能
+     * 1 鉴权
+     * 2 授权
+     * @param request
+     * @param response
+     * @param filterChain
+     * @throws ServletException
+     * @throws IOException
+     */
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+        HttpSession session = request.getSession(true);
+        TUser user = (TUser) session.getAttribute("user");
+        SecurityContext context = SecurityContextHolder.getContext();
+        if (Objects.nonNull(user)) {
+            UsernamePasswordAuthenticationToken AuthenticationToken =
+                    new UsernamePasswordAuthenticationToken( user.getUsername(), null, null );
+            context.setAuthentication( AuthenticationToken );
+        } else {
+            SecurityContextHolder.clearContext();
+        }
+        filterChain.doFilter( request, response );
+    }
+}
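Review bot: `request.getSession(true)` in `doFilterInternal` creates a session for every request that reaches the filter, including anonymous requests to `/login.html` and `/static/**`, and authentication is then derived solely from the `user` attribute of that session. Reading it with `HttpSession session = request.getSession(false);` and `TUser user = session == null ? null : (TUser) session.getAttribute("user");` avoids allocating sessions for unauthenticated traffic, although this only takes effect if the `ALWAYS` policy in SecurityConfig.java is relaxed as well. The login handler that stores `user` is not part of this commit, so confirm that it calls `request.changeSessionId()` when it sets the attribute; a login that bypasses Spring Security's own authentication flow presumably does not get its session-fixation protection. The token is built with `null` authorities, so every signed-in user carries no roles. A comment on that line such as `// no authorities yet: only authenticated() rules can match` (or mapping roles from `TUser`) would stop later role-based rules from silently denying everyone.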