diff --git a/common/core/src/main/java/org/funcode/portal/server/common/core/config/security/DefaultSecurityConfig.java b/common/core/src/main/java/org/funcode/portal/server/common/core/config/security/DefaultSecurityConfig.java
index 251c205..80907e9 100644
--- a/common/core/src/main/java/org/funcode/portal/server/common/core/config/security/DefaultSecurityConfig.java
+++ b/common/core/src/main/java/org/funcode/portal/server/common/core/config/security/DefaultSecurityConfig.java
@@ -20,6 +20,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
@@ -30,7 +31,9 @@ import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
 import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
@@ -82,10 +85,18 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http,
 "/v3/api-docs",
 "/v3/api-docs/**",
 "/webjars/**",
- "favicon.ico",
 "/doc.html",
 defaultLoginPage
 ).permitAll()
+ .requestMatchers(
+ "/**.js",
+ "/**.css",
+ "/**.html",
+ "/**.png",
+ "/**.txt",
+ "/**.ico",
+ "/_next/**"
+ ).permitAll()
 .requestMatchers(HttpMethod.POST, WECHAT_LOGIN_PATH).permitAll()
 .requestMatchers(HttpMethod.OPTIONS).permitAll()
 .requestMatchers(antMatcher("/**/anonymous")).permitAll()
@@ -94,7 +105,6 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http,
 .formLogin(login -> login
 .usernameParameter("username")
 .passwordParameter("password")
- .loginPage(defaultLoginPage)
 .loginProcessingUrl("/api/v1/auth/login")
 .successHandler(customAuthenticationSuccessHandler)
 .failureHandler(customAuthenticationFailureHandler)
@@ -105,6 +115,9 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http,
 .logoutSuccessUrl(
 StringUtils.isBlank(applicationConfig.getSecurity().logoutSuccessUrl()) ? "/login?logout" : applicationConfig.getSecurity().logoutSuccessUrl())
 )
+ .exceptionHandling(exceptionHandling -> exceptionHandling
+ .authenticationEntryPoint(unauthorizedEntryPoint()) // 未登录处理
+ )
 .authenticationProvider(weChatAuthenticationProvider)
 .authenticationProvider(daoAuthenticationProvider())
 .addFilterBefore(
@@ -114,6 +127,12 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http,
 return http.build();
 }
+ @Bean
+ public AuthenticationEntryPoint unauthorizedEntryPoint() {
+ // 返回401 Unauthorized,而不是重定向
+ return new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
+ }
+ @Bean + public DaoAuthenticationProvider daoAuthenticationProvider() {
 DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
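Review bot: The new permitAll matchers `"/**.js"`, `"/**.css"`, `"/**.html"`, `"/**.png"`, `"/**.txt"` and `"/**.ico"` do not mean "any file with that suffix at any depth": in both AntPathMatcher and Spring's PathPattern the `**` wildcard is only the multi-segment wildcard when it is a whole path segment, so `/**.js` behaves like `/*.js` and matches `/app.js` but not `/static/app.js`. If root-level files are the intent, `/*.js` says so plainly and is less likely to be "fixed" later into `/**/*.js`, which would open every URL ending in `.html` or `.txt`, API paths included; if deeper paths are intended, list the concrete asset directories the way `"/_next/**"` already does rather than a suffix wildcard. A short comment on the block stating the intended scope would settle it, e.g. `// static assets: root-level files by suffix, plus the Next.js build output`. The securityFilterChain method starts before this hunk and continues past it.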
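Review bot: Dropping `.loginPage(defaultLoginPage)` while keeping `formLogin` means, as far as I know Spring Security, that the framework's auto-generated login page at `/login` is enabled again, and the `"/login?logout"` fallback in `logoutSuccessUrl` in the next hunk still sends browsers there; if the UI is a separate SPA, decide whether that generated page should exist at all. `defaultLoginPage` is also still in the permitAll list above although nothing in the chain uses it now, and the 401 entry point added in the following hunk applies to every unauthenticated request, including browser navigations that previously got a redirect. A comment on the `formLogin` block would keep the next reader from re-adding the page, e.g. `// no loginPage on purpose: unauthenticated requests get 401 from the entry point, the front end handles redirects`. The formLogin call is part of securityFilterChain, which starts before this hunk.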
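Review bot: `unauthorizedEntryPoint()` is a public `@Bean` documented only by a one-line comment; a Javadoc stating its contract would help anyone who injects it elsewhere, e.g. `/** Entry point for unauthenticated requests: answers 401 Unauthorized instead of redirecting to a login page, so API clients can refresh the token or log in again. */`. The filter chain calls `unauthorizedEntryPoint()` directly rather than injecting the bean; that yields the singleton only if the enclosing class is a `@Configuration` with bean-method proxying left on (the class annotation is outside this hunk), though `HttpStatusEntryPoint` holds no state, so a second instance would be harmless.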
diff --git a/common/core/src/main/java/org/funcode/portal/server/common/core/security/service/impl/JwtServiceImpl.java b/common/core/src/main/java/org/funcode/portal/server/common/core/security/service/impl/JwtServiceImpl.java
index 27ff0e9..d6d85f0 100644
--- a/common/core/src/main/java/org/funcode/portal/server/common/core/security/service/impl/JwtServiceImpl.java
+++ b/common/core/src/main/java/org/funcode/portal/server/common/core/security/service/impl/JwtServiceImpl.java
@@ -85,9 +85,9 @@ public void filterVerifyAccessToken(@NonNull String accessToken,
 @NonNull HttpServletRequest request,
 @NonNull HttpServletResponse response) throws IOException {
 SecurityContext context = SecurityContextHolder.createEmptyContext();
- try {
- String username = this.extractUserName(accessToken);
- if (StringUtils.isNotEmpty(username)
+ try {
+ String username = this.extractUserName(accessToken);
+ if (StringUtils.isNotEmpty(username)
 && SecurityContextHolder.getContext().getAuthentication() == null) {
 User userDetails = (User) userDetailsService
 .loadUserByUsername(username);
diff --git a/starter/src/main/resources/application.yml b/starter/src/main/resources/application.yml
index a3a8228..65f5a51 100644
--- a/starter/src/main/resources/application.yml
+++ b/starter/src/main/resources/application.yml
@@ -19,7 +19,7 @@ application:
 # 签名密钥
 signing-key: portalserver8fas8hage9SHVfsd847GD8475fd8880ejf
 # access-token过期时间,单位:分钟
- expiration: 30
+ expiration: 10080
 # refresh-token的过期时间,单位:分钟
 refresh-expiration: 10080
 cors-allowed-origin-patterns:
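Review bot: `expiration: 10080` raises the access-token lifetime from 30 minutes to 7 days, the same value as `refresh-expiration`, so the refresh token no longer buys anything: a leaked access token stays usable for the whole week, and nothing in this diff shows a server-side way to cut it short. If the motivation is that users now get a 401 instead of a redirect when the token expires, the better lever is to have the client exchange the refresh token and keep the access token short-lived, e.g. `expiration: 30` or at most an hour. While here, the `signing-key` on the context line above is a plaintext secret in a committed config file; it predates this commit, but it should come from an environment variable or a secret store, and be rotated if the repository is shared.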