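/**
 * Spring Security configuration for the application.
 *
 * <p>Sets up form login backed by {@link MemDetailsService}, a custom CSRF
 * request matcher ({@link SimpleCsrfSecurityRequestMatcher}), role-gated
 * management endpoints and a limit of one concurrent session per user.
 * {@code prePostEnabled = true} enables {@code @PreAuthorize}/{@code @PostAuthorize}
 * on methods.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final Logger logger = LoggerFactory.getLogger(this.getClass());

    /** Loads users for the DAO authentication provider. */
    @Autowired
    MemDetailsService memDetailsService;

    /** Invoked after a successful form login. */
    @Autowired
    SimpleLoginSuccessHandler simpleLoginSuccessHandler;

    /**
     * Requests that bypass the security filter chain entirely. Only static
     * assets belong here: an ignored path gets no authentication, no CSRF
     * check and no security headers.
     *
     * @param web the web security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // An earlier revision also ignored "/swagger*/**", "/webjars/**" and "/v2/**";
        // that list was commented out, so those paths now go through the filter chain.
        web.ignoring().antMatchers("/js/**", "/css/**", "/images/**", "/**/favicon.ico", "/image/**");
    }

    /**
     * URL-level authorization, login/logout, access-denied and session rules.
     * Written as one statement per concern; each {@code http.xxx()} call returns
     * the same configurer, so this is equivalent to chaining with {@code and()}.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF: the custom matcher decides which requests need a token
        // (state-changing methods, minus the upload paths it excludes).
        http.csrf().requireCsrfProtectionMatcher(new SimpleCsrfSecurityRequestMatcher());

        // Public pages and SSO entry points are open; everything else needs a login.
        // NOTE(review): "/api/**" is fully unauthenticated — confirm every handler
        // under that prefix is meant to be public.
        http.authorizeRequests()
                .antMatchers("/api/**", "/index", "/updateIndex.html", "/browserIndex.html",
                        "/policy-zcff.html", "/policy-hydj.html", "/policy-jf.html", "/policy-card.html",
                        "/faq.html", "/cm/satCm01Init", "/cm/satCm01List", "/faq/satFaq01",
                        "/logout", "/loginSso", "/bulterservice.html", "/verifySso").permitAll()
                // Management endpoints (Actuator-style paths) are restricted to ADMIN.
                .antMatchers("/autoconfig/**", "/beans/**", "/configprops/**", "/dump/**", "/env/**",
                        "/health/**", "/info/**", "/metrics/**", "/mappings/**", "/shutdown/**", "/trace/**")
                .access("hasRole('ADMIN')")
                .anyRequest().authenticated();

        // Form login; the user-name request parameter is "saID".
        // NOTE(review): successHandler(...) replaces the handler that
        // defaultSuccessUrl("/home", true) installs, so the redirect to /home only
        // happens if SimpleLoginSuccessHandler performs it — confirm.
        http.formLogin()
                .loginPage("/login")
                .usernameParameter("saID")
                .passwordParameter("password")
                .permitAll()
                .defaultSuccessUrl("/home", true)
                .failureForwardUrl("/index")
                .successHandler(simpleLoginSuccessHandler);

        http.logout().logoutUrl("/logout").logoutSuccessUrl("/index");

        // A 403 (access denied) is routed to /logout.
        http.exceptionHandling().accessDeniedPage("/logout");

        // One active session per user; a displaced session lands on /index.
        http.sessionManagement().maximumSessions(1).expiredUrl("/index");
    }

    /**
     * Authentication: a {@link DaoAuthenticationProvider} backed by {@link MemDetailsService}.
     *
     * @param auth the authentication manager builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(memDetailsService);
        // hideUserNotFoundExceptions is left at its default (true): an unknown user
        // and a wrong password both surface as BadCredentialsException, so the login
        // form does not reveal which accounts exist. The previous
        // setHideUserNotFoundExceptions(false) allowed user-name enumeration.
        // NOTE(review): no PasswordEncoder is set on the provider, so the encoder in
        // effect depends on the Spring Security version and on the stored hash
        // format — confirm before enabling BCryptPasswordEncoder here.
        auth.authenticationProvider(provider);
    }
}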
要解決403訪問權(quán)限問題，必須加 http.csrf().requireCsrfProtectionMatcher(new SimpleCsrfSecurityRequestMatcher())
要把上傳頁面URL過濾掉才能解決403（被排除的URL將不再受CSRF保護(hù)，排除的路徑應(yīng)盡量精確）
SimpleCsrfSecurityRequestMatcher具體實(shí)現(xiàn)
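/**
 * Decides which requests must carry a CSRF token.
 *
 * <p>{@link #matches} returns {@code true} when protection is required. Requests
 * using a read-only method (GET, HEAD, TRACE, OPTIONS) never need a token, and a
 * fixed list of upload-related servlet paths is exempted as well. Every other
 * request must present a token.
 */
public class SimpleCsrfSecurityRequestMatcher implements RequestMatcher {

    private final Logger logger = LoggerFactory.getLogger(this.getClass());

    /** HTTP methods that never require a CSRF token. */
    private static final Pattern ALLOWED_METHODS = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");

    /**
     * Servlet paths exempt from CSRF protection. A request is exempt when its
     * servlet path equals an entry or starts with an entry followed by "/".
     * Matching whole segments (rather than {@code servletPath.contains(url)})
     * keeps unrelated paths that merely contain "/upload" or "/buy02" under
     * protection. A path that was previously exempt only because it contained
     * one of these strings must now be listed explicitly. The two longer entries
     * are already covered by their "/upload" and "/buy02" prefixes and are kept
     * for readability.
     */
    private static final List<String> EXCLUDED_PATHS = java.util.Collections.unmodifiableList(
            java.util.Arrays.asList(
                    "/upload",
                    "/upload/uploadActivateAttachment",
                    "/buy02",
                    "/buy02/uploadActivationSel"));

    /**
     * @param request the current request
     * @return {@code true} if the request must carry a valid CSRF token
     */
    @Override
    public boolean matches(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        if (isExcluded(servletPath)) {
            logger.debug("SimpleCsrfSecurityRequestMatcher排除的url:" + servletPath);
            return false;
        }
        String method = request.getMethod();
        // A missing method cannot be proven safe, so require a token (fail closed).
        return method == null || !ALLOWED_METHODS.matcher(method).matches();
    }

    /** Whole-segment prefix test against {@link #EXCLUDED_PATHS}; a null path is never exempt. */
    private static boolean isExcluded(String servletPath) {
        if (servletPath == null) {
            return false;
        }
        for (String excluded : EXCLUDED_PATHS) {
            if (servletPath.equals(excluded) || servletPath.startsWith(excluded + "/")) {
                return true;
            }
        }
        return false;
    }
}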