WendyYang
1 year ago
6 changed files with 20 additions and 36 deletions
Split View
Diff Options
-
+3 -3pmapi/src/main/java/com/ningdatech/pmapi/user/controller/AuthorizationEventListener.java
-
+14 -23pmapi/src/main/java/com/ningdatech/pmapi/user/security/auth/WebSecurityConfig.java
-
+1 -1pmapi/src/main/java/com/ningdatech/pmapi/user/security/auth/agent/AgentAuthFilter.java
-
+1 -2pmapi/src/main/java/com/ningdatech/pmapi/user/security/auth/common/CommonAuthFilter.java
-
+1 -2pmapi/src/main/java/com/ningdatech/pmapi/user/security/auth/credential/CredentialAuthFilter.java
-
+0 -5pmapi/src/main/java/com/ningdatech/pmapi/user/security/auth/model/WebRequestDetails.java
+ 3
- 3
pmapi/src/main/java/com/ningdatech/pmapi/user/controller/AuthorizationEventListener.java
View File
| @@ -1,5 +1,6 @@ | |||
| package com.ningdatech.pmapi.user.controller; | |||
| import cn.hutool.core.date.LocalDateTimeUtil; | |||
| import com.ningdatech.log.model.OptLogDTO; | |||
| import com.ningdatech.log.model.enumeration.LogType; | |||
| import com.ningdatech.log.service.OptLogService; | |||
| @@ -16,7 +17,6 @@ import org.springframework.security.core.Authentication; | |||
| import org.springframework.stereotype.Component; | |||
| import java.time.LocalDateTime; | |||
| import java.time.temporal.ChronoUnit; | |||
| /** | |||
| * <p> | |||
| @@ -52,10 +52,10 @@ public class AuthorizationEventListener { | |||
| OptLogDTO optLog = new OptLogDTO(); | |||
| optLog.setActionMethod(webDetails.getServletPath()); | |||
| optLog.setDescription(description); | |||
| optLog.setStartTime(webDetails.getRequestTime()); | |||
| optLog.setStartTime(LocalDateTimeUtil.of(event.getTimestamp())); | |||
| optLog.setFinishTime(now); | |||
| optLog.setCreateOn(now); | |||
| long consumingTime = ChronoUnit.MILLIS.between(optLog.getStartTime(), optLog.getFinishTime()); | |||
| long consumingTime = System.currentTimeMillis() - event.getTimestamp(); | |||
| optLog.setConsumingTime(consumingTime); | |||
| optLog.setHttpMethod(webDetails.getMethod()); | |||
| optLog.setUserName(userDetails.getUsername()); | |||
+ 14
- 23
pmapi/src/main/java/com/ningdatech/pmapi/user/security/auth/WebSecurityConfig.java
View File
| @@ -8,6 +8,8 @@ import com.ningdatech.pmapi.user.security.auth.agent.AgentAuthSecurityConfig; | |||
| import com.ningdatech.pmapi.user.security.auth.common.CommonAuthSecurityConfig; | |||
| import com.ningdatech.pmapi.user.security.auth.credential.CredentialAuthSecurityConfig; | |||
| import com.ningdatech.pmapi.user.security.auth.handler.DefaultExpiredSessionStrategy; | |||
| import com.ningdatech.pmapi.user.security.auth.handler.DefaultLogoutSuccessHandler; | |||
| import lombok.RequiredArgsConstructor; | |||
| import org.springframework.beans.factory.annotation.Qualifier; | |||
| import org.springframework.context.annotation.Configuration; | |||
| import org.springframework.http.HttpStatus; | |||
| @@ -27,29 +29,16 @@ import java.util.Set; | |||
| * @Version 1.0 | |||
| */ | |||
| @Configuration | |||
| @RequiredArgsConstructor | |||
| public class WebSecurityConfig extends WebSecurityConfigurerAdapter { | |||
| private final AuthProperties authProperties; | |||
| private final CredentialAuthSecurityConfig credentialAuthSecurityConfig; | |||
| private final LogoutSuccessHandler logoutSuccessHandler; | |||
| private final DefaultLogoutSuccessHandler logoutSuccessHandler; | |||
| private final DefaultExpiredSessionStrategy defaultExpiredSessionStrategy; | |||
| private final AgentAuthSecurityConfig agentAuthSecurityConfig; | |||
| private final CommonAuthSecurityConfig commonAuthSecurityConfig; | |||
| public WebSecurityConfig(AuthProperties authProperties, | |||
| CredentialAuthSecurityConfig credentialAuthSecurityConfig, | |||
| AgentAuthSecurityConfig agentAuthSecurityConfig, | |||
| CommonAuthSecurityConfig commonAuthSecurityConfig, | |||
| @Qualifier(value = "defaultLogoutSuccessHandler") LogoutSuccessHandler logoutSuccessHandler, | |||
| DefaultExpiredSessionStrategy defaultExpiredSessionStrategy) { | |||
| this.authProperties = authProperties; | |||
| this.credentialAuthSecurityConfig = credentialAuthSecurityConfig; | |||
| this.agentAuthSecurityConfig = agentAuthSecurityConfig; | |||
| this.commonAuthSecurityConfig = commonAuthSecurityConfig; | |||
| this.logoutSuccessHandler = logoutSuccessHandler; | |||
| this.defaultExpiredSessionStrategy = defaultExpiredSessionStrategy; | |||
| } | |||
| @Override | |||
| protected void configure(HttpSecurity http) throws Exception { | |||
| assemblerPreAuthUrls(http); | |||
| @@ -59,27 +48,29 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { | |||
| .and().apply(agentAuthSecurityConfig) | |||
| .and().apply(commonAuthSecurityConfig) | |||
| .and() | |||
| .authorizeRequests().antMatchers(authProperties.getIgnoreAuthUrlsArray()).permitAll().anyRequest() | |||
| .authorizeRequests() | |||
| .antMatchers(authProperties.getIgnoreAuthUrlsArray()) | |||
| .permitAll() | |||
| .anyRequest() | |||
| .authenticated().and() | |||
| // 防止固定会话攻击,Spring security的默认配置就是如此: | |||
| // 登陆成功之后会创建一个新的会话,然后将旧的session信息复制到新的session中(客户端的sessionId变了) | |||
| .sessionManagement().invalidSessionUrl(authProperties.getInvalidSessionUrl()).sessionFixation() | |||
| .sessionManagement() | |||
| .invalidSessionUrl(authProperties.getInvalidSessionUrl()) | |||
| .sessionFixation() | |||
| .migrateSession() | |||
| // .invalidSessionStrategy(defaultInvalidSessionStrategy) | |||
| .maximumSessions(10) | |||
| .maxSessionsPreventsLogin(true) | |||
| .expiredSessionStrategy(defaultExpiredSessionStrategy) | |||
| .and().and() | |||
| .logout().logoutUrl(authProperties.getLogoutUrl()).logoutSuccessHandler(logoutSuccessHandler) | |||
| .logout() | |||
| .logoutUrl(authProperties.getLogoutUrl()) | |||
| .logoutSuccessHandler(logoutSuccessHandler) | |||
| .deleteCookies(CommonConst.COOKIE_KEY) | |||
| // .and() | |||
| // .cors().configurationSource(corsConfigurationSource()) | |||
| .and() | |||
| // .csrf().disable(); | |||
| // 开启csrf验证,需要前端同步传入token | |||
| .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) | |||
| .ignoringAntMatchers(authProperties.getIgnoreCsrfUrlsArray()); | |||
| // http.anonymous().authenticationFilter(availableUserAuthenticationFilter); | |||
| } | |||
| private AuthenticationEntryPoint authenticationEntryPoint() { | |||
+ 1
- 1
pmapi/src/main/java/com/ningdatech/pmapi/user/security/auth/agent/AgentAuthFilter.java
View File
| @@ -51,7 +51,7 @@ public class AgentAuthFilter extends AbstractAuthenticationProcessingFilter { | |||
| userId = trim(userId); | |||
| try { | |||
| AgentAuthToken authRequest = new AgentAuthToken(userId, userId); | |||
| authRequest.setDetails(new WebRequestDetails(request, LocalDateTime.now())); | |||
| authRequest.setDetails(new WebRequestDetails(request)); | |||
| return this.getAuthenticationManager().authenticate(authRequest); | |||
| } catch (AuthenticationException e) { | |||
| throw new BadCredentialsException("用户id 不能为空"); | |||
+ 1
- 2
pmapi/src/main/java/com/ningdatech/pmapi/user/security/auth/common/CommonAuthFilter.java
View File
| @@ -15,7 +15,6 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher; | |||
| import javax.servlet.http.HttpServletRequest; | |||
| import javax.servlet.http.HttpServletResponse; | |||
| import java.time.LocalDateTime; | |||
| /** | |||
| * @Author LiuXinXin | |||
| @@ -58,7 +57,7 @@ public class CommonAuthFilter extends AbstractAuthenticationProcessingFilter { | |||
| credential = trim(credential); | |||
| try { | |||
| CommonAuthToken authRequest = new CommonAuthToken(platform, credential); | |||
| authRequest.setDetails(new WebRequestDetails(request, LocalDateTime.now())); | |||
| authRequest.setDetails(new WebRequestDetails(request)); | |||
| return this.getAuthenticationManager().authenticate(authRequest); | |||
| } catch (AuthenticationException e) { | |||
| throw new BadCredentialsException("用户状态"); | |||
+ 1
- 2
pmapi/src/main/java/com/ningdatech/pmapi/user/security/auth/credential/CredentialAuthFilter.java
View File
| @@ -16,7 +16,6 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher; | |||
| import javax.servlet.http.HttpServletRequest; | |||
| import javax.servlet.http.HttpServletResponse; | |||
| import java.time.LocalDateTime; | |||
| /** | |||
| * @Author LiuXinXin | |||
| @@ -61,7 +60,7 @@ public class CredentialAuthFilter extends AbstractAuthenticationProcessingFilter | |||
| loginType = trim(loginType); | |||
| try { | |||
| CredentialAuthToken authRequest = new CredentialAuthToken(identifier, credential, loginType); | |||
| authRequest.setDetails(new WebRequestDetails(request, LocalDateTime.now())); | |||
| authRequest.setDetails(new WebRequestDetails(request)); | |||
| return this.getAuthenticationManager().authenticate(authRequest); | |||
| } catch (CommonLoginException e) { | |||
| throw new CommonLoginException(e.getMessage()); | |||
+ 0
- 5
pmapi/src/main/java/com/ningdatech/pmapi/user/security/auth/model/WebRequestDetails.java
View File
| @@ -49,11 +49,6 @@ public class WebRequestDetails extends WebAuthenticationDetails { | |||
| this.userAgent = StrUtil.sub(request.getHeader("user-agent"), 0, 500); | |||
| } | |||
| public WebRequestDetails(HttpServletRequest request, LocalDateTime requestTime) { | |||
| this(request); | |||
| this.requestTime = requestTime; | |||
| } | |||
| public LocalDateTime getRequestTime() { | |||
| return requestTime; | |||
| } | |||