fix(security): 优化安全配置及增加权限异常处理
- 在全局异常处理器中添加权限不足异常的处理方法 - 允许对 /api/public/* 路径的匿名访问,完善安全过滤链配置 - 确保其他请求需要认证,提升安全防护能力 - 维持无状态会话管理,禁用 CSRF 以适应前后端分离架构
@@ -47,13 +47,13 @@ public class SecurityConfig {
|
|||||||
return authenticationConfiguration.getAuthenticationManager();
|
return authenticationConfiguration.getAuthenticationManager();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
|
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
|
||||||
.authorizeHttpRequests(auth -> auth
|
.authorizeHttpRequests(auth -> auth
|
||||||
// 允许所有对 /api/public/** 的匿名访问
|
.requestMatchers("/api/public/*","/api/auth/login","/api/auth/register").permitAll()
|
||||||
.requestMatchers("/api/auth/login","/api/auth/register").permitAll()
|
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
// 禁用 CSRF,因为现代前后端分离项目通常使用 Token
|
// 禁用 CSRF,因为现代前后端分离项目通常使用 Token
|
||||||
|
|||||||
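Review bot: The added comment promises anonymous access to `/api/public/**`, but the matcher on the next line permits only `/api/public/*`, which in Spring's path-pattern syntax matches a single segment, so `/api/public/a/b` would still require authentication. Decide which is intended: if nested public resources exist, change the pattern to `.requestMatchers("/api/public/**","/api/auth/login","/api/auth/register").permitAll()`; otherwise correct the comment to `// 允许对 /api/public/* (单级路径) 的匿名访问` so readers do not assume subpaths are open. The mismatch currently fails closed, which is the safer direction, but the comment as written will mislead the next person who adds a public endpoint. It would also help to tie the CSRF comment to the policy above it, e.g. `// 禁用 CSRF：会话策略为 STATELESS，无 Cookie 会话；若引入 Cookie/remember-me 需重新启用`, since disabling CSRF is only safe while no cookie-backed credential is in play.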
@@ -42,6 +42,9 @@ public class GlobalExceptionHandler {
|
|||||||
return ApiResult.failed("服务器内部错误,请联系管理员");
|
return ApiResult.failed("服务器内部错误,请联系管理员");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* 处理权限不足异常
|
||||||
|
*/
|
||||||
@ExceptionHandler(AuthorizationDeniedException.class)
|
@ExceptionHandler(AuthorizationDeniedException.class)
|
||||||
public ApiResult<?> handleAuthorizationDeniedException(AuthorizationDeniedException ex) {
|
public ApiResult<?> handleAuthorizationDeniedException(AuthorizationDeniedException ex) {
|
||||||
|
|
||||||
|
|||||||
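Review bot: The new handler returns an `ApiResult<?>` but the hunk shows no `@ResponseStatus`, so the response to an authorization failure will carry whatever status the advice defaults to (typically 200) while the body says failed; add `@ResponseStatus(HttpStatus.FORBIDDEN)` above `handleAuthorizationDeniedException` so clients and intermediaries see a 403. The method's body lies outside the hunk, so I cannot see what message it emits; it should return a fixed string rather than `ex.getMessage()`, which can expose details of the authorization decision. Note that a controller advice only sees exceptions thrown during controller invocation (method security); a denial made in the filter chain by `anyRequest().authenticated()` never reaches this method and needs an `AuthenticationEntryPoint`/`AccessDeniedHandler` on `HttpSecurity` to get the same JSON shape. The Javadoc should state that scope, e.g. `处理方法级权限校验抛出的 AuthorizationDeniedException（返回 403）`, so nobody assumes filter-level 401/403 responses are covered here.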