diff --git a/pig-auth/src/main/java/com/pig4cloud/pig/auth/config/WebSecurityConfiguration.java b/pig-auth/src/main/java/com/pig4cloud/pig/auth/config/WebSecurityConfiguration.java
index c8ded5f8..8c9cc5ca 100755
--- a/pig-auth/src/main/java/com/pig4cloud/pig/auth/config/WebSecurityConfiguration.java
+++ b/pig-auth/src/main/java/com/pig4cloud/pig/auth/config/WebSecurityConfiguration.java
@@ -22,6 +22,9 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.config.annotation.web.configurers.RequestCacheConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 
 /**
@@ -42,8 +45,10 @@ public class WebSecurityConfiguration {
 @Bean
 SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
 http.authorizeHttpRequests(authorizeRequests -> authorizeRequests.requestMatchers("/token/*").permitAll()// 开放自定义的部分端点
- .anyRequest().authenticated()).headers().frameOptions().sameOrigin()// 避免iframe同源无法登录
- .and().apply(new FormIdentityLoginConfigurer()); // 表单登录个性化
+ .anyRequest().authenticated()).headers(httpSecurityHeadersConfigurer -> {
+ // 避免iframe同源无法登录
+ httpSecurityHeadersConfigurer.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin);
+ }).apply(new FormIdentityLoginConfigurer()); // 表单登录个性化
 // 处理 UsernamePasswordAuthenticationToken
 http.authenticationProvider(new PigDaoAuthenticationProvider());
 return http.build();
@@ -51,7 +56,7 @@ public class WebSecurityConfiguration {
 
 /**
 * 暴露静态资源
- *
+ *
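Review bot: The new `headers(...)` customizer in defaultSecurityFilterChain wraps a single statement in a braced lambda with an IDE-generated parameter name, while the same hunk names its other lambda `authorizeRequests` and the PigResourceServerConfiguration hunk uses an expression lambda for the identical call; `.headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)) // 避免iframe同源无法登录` says the same in one line and keeps the why-comment next to the call it explains. The trailing `.apply(new FormIdentityLoginConfigurer())` is carried over from the old chain; if the project is on Spring Security 6.2 or later, `apply` is deprecated there in favour of `with(new FormIdentityLoginConfigurer(), Customizer.withDefaults())`, which is worth checking against the build's dependency version since this commit is already a lambda-DSL migration.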

* https://github.com/spring-projects/spring-security/issues/10938
 * @param http
 * @return
@@ -61,8 +66,9 @@ public class WebSecurityConfiguration {
 @Order(0)
 SecurityFilterChain resources(HttpSecurity http) throws Exception {
 http.securityMatchers((matchers) -> matchers.requestMatchers("/actuator/**", "/css/**", "/error"))
- .authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll()).requestCache().disable()
- .securityContext().disable().sessionManagement().disable();
+ .authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll())
+ .requestCache(RequestCacheConfigurer::disable).securityContext(AbstractHttpConfigurer::disable)
+ .sessionManagement(AbstractHttpConfigurer::disable);
 return http.build();
 }
 
diff --git a/pig-auth/src/main/java/com/pig4cloud/pig/auth/support/core/FormIdentityLoginConfigurer.java b/pig-auth/src/main/java/com/pig4cloud/pig/auth/support/core/FormIdentityLoginConfigurer.java
index c836e238..bb869487 100644
--- a/pig-auth/src/main/java/com/pig4cloud/pig/auth/support/core/FormIdentityLoginConfigurer.java
+++ b/pig-auth/src/main/java/com/pig4cloud/pig/auth/support/core/FormIdentityLoginConfigurer.java
@@ -8,7 +8,7 @@ import org.springframework.security.config.annotation.web.configurers.AbstractHt
 /**
 * @author lengleng
 * @data 2022-06-04
- *
+ *
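Review bot: `requestCache(RequestCacheConfigurer::disable)` is the only one of the three new disables in resources() that names the concrete configurer; `securityContext` and `sessionManagement` on the next line already use `AbstractHttpConfigurer::disable`, and `RequestCacheConfigurer` extends `AbstractHttpConfigurer`, so `.requestCache(AbstractHttpConfigurer::disable)` keeps the three consistent and makes the new `RequestCacheConfigurer` import in the first hunk unnecessary. Separately, the new `anyRequest().permitAll()` line still sits under the `/actuator/**` matcher on the context line above it, so every management endpoint that is exposed over the web is reachable on this chain without authentication; that is pre-existing behaviour, but since the chain is being rewritten it would help to add a comment stating which actuator endpoints are expected to be exposed, or to narrow the matcher to the health endpoint, unless `management.endpoints.web.exposure.include` is already restricted in configuration I cannot see here.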

* 基于授权码模式 统一认证登录 spring security & sas 都可以使用 所以抽取成 HttpConfigurer
 */
 public final class FormIdentityLoginConfigurer
@@ -21,9 +21,13 @@ public final class FormIdentityLoginConfigurer
 formLogin.loginProcessingUrl("/token/form");
 formLogin.failureHandler(new FormAuthenticationFailureHandler());
 
- }).logout() // SSO登出成功处理
- .logoutSuccessHandler(new SsoLogoutSuccessHandler()).deleteCookies("JSESSIONID")
- .invalidateHttpSession(true).and().csrf().disable();
+ }).logout(httpSecurityLogoutConfigurer -> {
+ // SSO登出成功处理
+ httpSecurityLogoutConfigurer.logoutSuccessHandler(new SsoLogoutSuccessHandler()).deleteCookies("JSESSIONID")
+ .invalidateHttpSession(true);
+ }
+
+ ).csrf(AbstractHttpConfigurer::disable);
 }
 
 }
diff --git a/pig-common/pig-common-security/src/main/java/com/pig4cloud/pig/common/security/component/PigResourceServerConfiguration.java b/pig-common/pig-common-security/src/main/java/com/pig4cloud/pig/common/security/component/PigResourceServerConfiguration.java
index 858168ee..eec84daa 100644
--- a/pig-common/pig-common-security/src/main/java/com/pig4cloud/pig/common/security/component/PigResourceServerConfiguration.java
+++ b/pig-common/pig-common-security/src/main/java/com/pig4cloud/pig/common/security/component/PigResourceServerConfiguration.java
@@ -24,13 +24,15 @@ import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 import org.springframework.security.web.SecurityFilterChain;
 
 /**
 * @author lengleng
 * @date 2022-06-04
- *
+ *
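Review bot: The close of the new `logout(...)` lambda is spread over three added lines (`}`, an empty line, then `).csrf(...)`), which leaves a blank line inside an argument list and reads as if the statement had already ended; `}).csrf(AbstractHttpConfigurer::disable);` on one line matches the `}).apply(...)` shape used in the WebSecurityConfiguration hunk of this same commit. `csrf(AbstractHttpConfigurer::disable)` carries over the old `csrf().disable()`, so the form login at `/token/form` and the logout handling configured in this lambda keep running without CSRF protection; the reason is not recorded anywhere in the configurer, so a short comment on that line such as `// CSRF disabled for this chain because <reason> — confirm` would keep the decision reviewable. The method this chain belongs to starts before the hunk.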

* 资源服务器认证授权配置
 */
 @Slf4j
@@ -57,7 +59,9 @@ public class PigResourceServerConfiguration {
 oauth2 -> oauth2.opaqueToken(token -> token.introspector(customOpaqueTokenIntrospector))
 .authenticationEntryPoint(resourceAuthExceptionEntryPoint)
 .bearerTokenResolver(pigBearerTokenExtractor))
- .headers().frameOptions().disable().and().csrf().disable();
+ .headers(httpSecurityHeadersConfigurer -> httpSecurityHeadersConfigurer
+ .frameOptions(HeadersConfigurer.FrameOptionsConfig::disable))
+ .csrf(AbstractHttpConfigurer::disable);
 return http.build();
 }
 
diff --git a/pig-visual/pig-monitor/src/main/java/com/pig4cloud/pig/monitor/config/WebSecurityConfigurer.java b/pig-visual/pig-monitor/src/main/java/com/pig4cloud/pig/monitor/config/WebSecurityConfigurer.java
index 3685a239..5d07246a 100755
--- a/pig-visual/pig-monitor/src/main/java/com/pig4cloud/pig/monitor/config/WebSecurityConfigurer.java
+++ b/pig-visual/pig-monitor/src/main/java/com/pig4cloud/pig/monitor/config/WebSecurityConfigurer.java
@@ -20,6 +20,8 @@ import de.codecentric.boot.admin.server.config.AdminServerProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 
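Review bot: `frameOptions(HeadersConfigurer.FrameOptionsConfig::disable)` keeps the resource server sending no X-Frame-Options header at all, while the WebSecurityConfiguration hunk in the same commit chooses `sameOrigin` for the auth server; if the difference is deliberate (the resource server answering bearer-token API calls rather than browser-rendered pages) it deserves a comment on the new line, e.g. `// no X-Frame-Options: resource-server responses are not rendered in browser frames — confirm`, otherwise `sameOrigin` is the safer default. The expression-lambda form used here is the cleanest of the four rewrites in this commit; only the parameter name `httpSecurityHeadersConfigurer` could be shortened to `headers` so the two-line expression fits on one. The method containing this chain starts before the hunk.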
@@ -49,12 +51,21 @@ public class WebSecurityConfigurer {
 SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
 successHandler.setTargetUrlParameter("redirectTo");
 successHandler.setDefaultTargetUrl(adminContextPath + "/");
- http.headers().frameOptions().disable().and().authorizeHttpRequests()
- .requestMatchers(adminContextPath + "/assets/**", adminContextPath + "/login", adminContextPath + "/instances/**", adminContextPath + "/actuator/**")
- .permitAll().anyRequest().authenticated().and().formLogin().loginPage(adminContextPath + "/login")
- .successHandler(successHandler).and().logout().logoutUrl(adminContextPath + "/logout").and().httpBasic()
- .and().csrf().disable();
+ http.headers(httpSecurityHeadersConfigurer -> {
+ httpSecurityHeadersConfigurer.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable);
+ }).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
+ authorizationManagerRequestMatcherRegistry
+ .requestMatchers(adminContextPath + "/assets/**", adminContextPath + "/login", adminContextPath + "/instances/**", adminContextPath + "/actuator/**")
+ .permitAll().anyRequest().authenticated();
+
+ }).formLogin(httpSecurityFormLoginConfigurer -> {
+ httpSecurityFormLoginConfigurer.loginPage(adminContextPath + "/login");
+ httpSecurityFormLoginConfigurer.successHandler(successHandler);
+ }).logout(httpSecurityLogoutConfigurer -> {
+ httpSecurityLogoutConfigurer.logoutUrl(adminContextPath + "/logout");
+ }).httpBasic(httpSecurityHttpBasicConfigurer -> {
+ }).csrf(AbstractHttpConfigurer::disable);
 return http.build();
 }
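Review bot: `httpBasic(httpSecurityHttpBasicConfigurer -> { })` is an empty customizer, which is exactly what `Customizer.withDefaults()` expresses; `.httpBasic(Customizer.withDefaults())` (with `import org.springframework.security.config.Customizer;`) removes the two-line dangling lambda and its unused parameter name. The blank added line after `.permitAll().anyRequest().authenticated();` inside the `authorizeHttpRequests` lambda is stray and should go. `csrf(AbstractHttpConfigurer::disable)` carries over the old `csrf().disable()` for the whole admin UI, including the form login and logout configured in the same statement; as far as I recall the Spring Boot Admin reference security configuration keeps CSRF enabled and only ignores it for the `/instances` registration and `/actuator/**` proxy paths, so if the full disable is intentional here a comment saying why would help the next reader. The method containing this chain starts before the hunk.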