java source code of FebsSecurityConfig

FEBS-Security-master
- febs-system
  - src
    - main
      - resources
        mapper
        system
        DeptMapper.xml
        DictMapper.xml
        MenuMapper.xml
        UserMapper.xml
        RoleMapper.xml
      - java
        cc
        mrbird
        system
        dao
        DeptMapper.java
        RoleMapper.java
        MenuMapper.java
        LogMapper.java
        UserMapper.java
        DictMapper.java
        RoleMenuMapper.java
        UserConnectionMapper.java
        UserRoleMapper.java
        service
        impl
        DeptServiceImpl.java
        RoleServiceImpl.java
        LogServiceImpl.java
        MenuServiceImpl.java
        DictServiceImpl.java
        RoleMenuServiceImpl.java
        UserServiceImpl.java
        UserRoleServiceImpl.java
        UserConnectionImpl.java
        UserService.java
        UserRoleService.java
        RoleMenuServie.java
        UserConnectionService.java
        DictService.java
        RoleService.java
        MenuService.java
        DeptService.java
        LogService.java
        domain
        RoleMenu.java
        UserRole.java
        SysLog.java
        Dict.java
        RoleWithMenu.java
        Menu.java
        MyUser.java
        Dept.java
        Role.java
        UserConnection.java
        UserWithRole.java
  - pom.xml
- init.sql
- images
- pom.xml
- febs-quartz
  - src
    - main
      - resources
        mapper
        quartz
        JobMapper.xml
      - java
        cc
        mrbird
        quartz
        dao
        JobLogMapper.java
        JobMapper.java
        task
        TestTask.java
        util
        ScheduleJob.java
        ScheduleRunnable.java
        ScheduleUtils.java
        config
        ScheduleConfig.java
        service
        impl
        JobServiceImpl.java
        JobLogServiceImpl.java
        JobService.java
        JobLogService.java
        domain
        Job.java
        JobLog.java
  - pom.xml
- LICENSE
- febs-security
  - src
    - main
      - java
        cc
        mrbird
        security
        code
        ValidateCode.java
        img
        ImageCodeGenerator.java
        ImageCodeFilter.java
        ImageCode.java
        ValidateCodeGenerator.java
        sms
        SmsCodeGenerator.java
        SmsCodeAuthenticationProvider.java
        DefaultSmsSender.java
        SmsCodeFilter.java
        SmsCodeAuthenticationFilter.java
        SmsCodeAuthenticationToken.java
        SmsCodeSender.java
        properties
        ImageCodeProperties.java
        FebsSecurityProperties.java
        QQProperties.java
        SocialProperties.java
        SessionProperties.java
        SmsCodeProperties.java
        WeiXinProperties.java
        ValidateCodeProperties.java
        xss
        XssHttpServletRequestWrapper.java
        XssFilter.java
        JsoupUtil.java
        social
        qq
        api
        QQImpl.java
        QQUserInfo.java
        QQ.java
        config
        QQAutoConfig.java
        connect
        QQOAuth2Template.java
        QQConnectionFactory.java
        QQAdapter.java
        QQServiceProvider.java
        SocialConnectedView.java
        SocialConnectionStatusView.java
        FebsSpringSocialConfigurer.java
        weixin
        api
        WeiXinUserInfo.java
        WeiXinImpl.java
        WeiXin.java
        config
        WeixinAutoConfiguration.java
        connect
        WeiXinOAuth2Template.java
        WeiXinAdapter.java
        WeiXinConnectionFactory.java
        WeiXinServiceProvider.java
        WeiXinAccessGrant.java
        SocialUserInfo.java
        config
        FebsSocialWebAutoConfiguration.java
        FebsSecurityConfig.java
        FebsSocialConfig.java
        FebsSmsCodeAuthenticationSecurityConfig.java
        service
        FebsUserDetailService.java
        exception
        FebsCredentialExcetion.java
        ValidateCodeException.java
        domain
        LoginType.java
        FebsUserDetails.java
        FebsSocialUserDetails.java
        handler
        FebsAuthenticationSucessHandler.java
        FebsLogoutHandler.java
        FebsAuthenticationFailureHandler.java
        FebsAuthenticationAccessDeniedHandler.java
        session
        FebsInvalidSessionStrategy.java
        FebsExpiredSessionStrategy.java
  - pom.xml
- .gitattributes
- febs-common
  - src
    - main
      - resources
        config
        mybatis-generator.xml
      - java
        cc
        mrbird
        common
        utils
        poi
        POIUtils.java
        pojo
        ExportItem.java
        ExportHandler.java
        convert
        TimeConvert.java
        ExportConvert.java
        ExcelUtils.java
        HttpUtils.java
        SpringContextUtils.java
        AddressUtils.java
        QiniuOssUtil.java
        HttpContextUtils.java
        FileUtils.java
        DateUtil.java
        FebsUtil.java
        IPUtils.java
        TreeUtils.java
        properties
        FebsProperies.java
        FebsOssProperties.java
        FebsQiniuProperties.java
        config
        AsyncExecutorPoolConfig.java
        RedisConfig.java
        MyBatisConfig.java
        MyMapper.java
        service
        impl
        BaseService.java
        RedisServiceImpl.java
        RedisService.java
        IService.java
        exception
        FileDownloadException.java
        LimitAccessException.java
        interceptor
        SqlStatementInterceptor.java
        annotation
        Limit.java
        ExportConfig.java
        Log.java
        CronTag.java
        aspect
        LimitAspect.java
        domain
        RedisInfo.java
        ResponseBo.java
        LimitType.java
        QueryRequest.java
        Tree.java
        EnumOss.java
        FebsConstant.java
  - pom.xml
- readme.md
- .gitignore
- febs-web
  - src
    - main
      - resources
        application.yml
        ip2region
        templates
        social_regist.html
        error
        404.html
        403.html
        500.html
        common
        main.html
        aside.html
        common.html
        footer.html
        header.html
        job
        log
        log.html
        job
        job.html
        jobAdd.html
        others
        one
        paint.html
        yuwen.html
        essay.html
        weather
        weather.html
        article
        article.html
        movie
        movieDetail.html
        coming.html
        hot.html
        movieComments.html
        connect
        bind_success.html
        unbind_success.html
        system
        redis
        terminal.html
        info.html
        user
        profile.html
        user.html
        updatePassword.html
        userAdd.html
        menu
        menuIcon.html
        menu.html
        menuAdd.html
        log
        log.html
        dept
        dept.html
        deptAdd.html
        monitor
        online.html
        dict
        dictAdd.html
        dict.html
        role
        roleAdd.html
        role.html
        index.html
        login.html
        logback-spring.xml
        banner.txt
        static
        img
        social
        QQ_bind.svg
        QQ.svg
        wechat.svg
        wechat_bind.svg
        favicon.ico
        avatar
        20180414165927.jpg
        20180414170003.jpg
        20180414165827.jpg
        default.jpg
        20180414165754.jpg
        20180414165846.jpg
        20180414165815.jpg
        20180414165855.jpg
        20180414165920.jpg
        20180414165821.jpg
        20180414165955.jpg
        20180414165834.jpg
        20180414165936.jpg
        20180414165914.jpg
        20180414165840.jpg
        20180414165942.jpg
        20180414165947.jpg
        20180414165909.jpg
        file
        city.json
        fonts
        roboto
        Roboto-Medium-webfont.eot
        Roboto-Medium-webfont.svg
        Roboto-Bold-webfont.ttf
        Roboto-Light-webfont.eot
        Roboto-Bold-webfont.eot
        Roboto-Regular-webfont.svg
        Roboto-Medium-webfont.ttf
        Roboto-Regular-webfont.ttf
        Roboto-Light-webfont.svg
        Roboto-Regular-webfont.eot
        Roboto-Bold-webfont.svg
        Roboto-Light-webfont.woff
        Roboto-Bold-webfont.woff
        Roboto-Light-webfont.ttf
        Roboto-Regular-webfont.woff
        Roboto-Medium-webfont.woff
        js
        iCheck
        icheck.js
        common.js
        bootstrap
        bootstrap.min.js
        tether
        tether.min.js
        waves
        waves.min.js
        jquery.min.js
        highchart
        highcharts.js
        exporting.js
        highcharts-zh_CN.js
        jquery-scrollLock
        jquery-scrollLock.min.js
        sweetalert2
        sweetalert2.js
        jquery-validate
        additional-methods.min.js
        jquery.validate.min.js
        messages_zh.min.js
        bootstrap-table
        locale
        bootstrap-table-zh-CN.js
        bootstrap-table.min.js
        jsTree
        jstree.js
        daterangepicker
        daterangepicker.js
        moment.min.js
        jqTreeGrid
        jquery.treegrid.extension.js
        jquery.treegrid.js
        bootstrap-notify
        bootstrap-notify.min.js
        jquery.scrollbar
        jquery.scrollbar.min.js
        multiple-select
        multiple-select.js
        autocomplete
        autocomplete.js
        autocomplete_weather.js
        app
        socialRegist.js
        job
        log
        jobLog.js
        job
        jobAdd.js
        job.js
        jobEdit.js
        others
        weather
        weather.js
        article
        article.js
        movie
        coming.js
        hot.js
        login.js
        system
        redis
        info.js
        terminal.js
        user
        updatePassword.js
        userEdit.js
        userAdd.js
        user.js
        profile.js
        menu
        menuEdit.js
        menuUrlAndPermsList.js
        menuAdd.js
        menu.js
        log
        log.js
        dept
        deptAdd.js
        deptEdit.js
        dept.js
        monitor
        online.js
        dict
        dict.js
        dictEdit.js
        dictAdd.js
        role
        roleEdit.js
        roleAdd.js
        role.js
        index.js
        dropzone
        dropzone.min.js
        css
        iCheck
        minimal
        minimal.css
        aero.css
        grey.css
        _all.css
        green.css
        blue.css
        yellow.css
        pink.css
        purple.css
        orange.css
        red.css
        login.css
        sweetalert2
        sweetalert2.css
        bootstrap-table
        bootstrap-table.css
        jsTree
        style.min.css
        throbber.gif
        daterangepicker
        daterangepicker.css
        jqTreeGrid
        jquery.treegrid.css
        jquery.scrollbar
        jquery.scrollbar.css
        multiple-select
        multiple-select.css
        autocomplete
        autocomplete.css
        material-design-iconic-font
        fonts
        Material-Design-Iconic-Font.ttf
        Material-Design-Iconic-Font.eot
        Material-Design-Iconic-Font.woff
        Material-Design-Iconic-Font.woff2
        css
        material-design-iconic-font.min.css
        animate
        animate.min.css
      - java
        cc
        mrbird
        web
        common
        thymeleaf
        config
        DialectConfig.java
        dict
        DictSelectProcessor.java
        DictShowProcessor.java
        DictDialect.java
        service
        InitService.java
        aspect
        LogAspect.java
        domain
        UserOnLine.java
        handler
        GlobalExceptionHandler.java
        controller
        security
        ExceptionController.java
        SocialController.java
        ValidateCodeController.java
        MobileController.java
        SessionController.java
        test
        TestController.java
        base
        BaseController.java
        RedisController.java
        FileController.java
        others
        ArticleController.java
        WeatherController.java
        MovieController.java
        quartz
        JobController.java
        JobLogController.java
        system
        DictController.java
        UserController.java
        LoginController.java
        MenuController.java
        RoleController.java
        LogController.java
        DeptController.java
        FesbApplicationTest.java
        FebsApplication.java
  - pom.xml

package cc.mrbird.security.config;

import cc.mrbird.common.domain.FebsConstant;
import cc.mrbird.security.code.ValidateCodeGenerator;
import cc.mrbird.security.code.img.ImageCodeFilter;
import cc.mrbird.security.code.img.ImageCodeGenerator;
import cc.mrbird.security.code.sms.DefaultSmsSender;
import cc.mrbird.security.code.sms.SmsCodeFilter;
import cc.mrbird.security.code.sms.SmsCodeSender;
import cc.mrbird.security.handler.FebsAuthenticationAccessDeniedHandler;
import cc.mrbird.security.handler.FebsAuthenticationFailureHandler;
import cc.mrbird.security.handler.FebsAuthenticationSucessHandler;
import cc.mrbird.security.handler.FebsLogoutHandler;
import cc.mrbird.security.properties.FebsSecurityProperties;
import cc.mrbird.security.service.FebsUserDetailService;
import cc.mrbird.security.session.FebsExpiredSessionStrategy;
import cc.mrbird.security.session.FebsInvalidSessionStrategy;
import cc.mrbird.security.xss.XssFilter;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.social.security.SpringSocialConfigurer;

import javax.sql.DataSource;
import java.util.HashMap;
import java.util.Map;

/**
 * security 配置中心
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class FebsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private FebsAuthenticationSucessHandler febsAuthenticationSucessHandler;

    @Autowired
    private FebsAuthenticationFailureHandler febsAuthenticationFailureHandler;

    @Autowired
    private FebsSecurityProperties febsSecurityProperties;

    @Autowired
    private FebsSmsCodeAuthenticationSecurityConfig febsSmsCodeAuthenticationSecurityConfig;

    @Autowired
    private FebsUserDetailService febsUserDetailService;

    @Autowired
    private DataSource dataSource;

    @Autowired
    private SpringSocialConfigurer febsSocialSecurityConfig;

    // spring security自带的密码加密工具类
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // 处理 rememberMe 自动登录认证
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl jdbcTokenRepository = new JdbcTokenRepositoryImpl();
        jdbcTokenRepository.setDataSource(dataSource);
        jdbcTokenRepository.setCreateTableOnStartup(false);
        return jdbcTokenRepository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        String[] anonResourcesUrl = StringUtils.splitByWholeSeparatorPreserveAllTokens(febsSecurityProperties.getAnonResourcesUrl(),",");

        ImageCodeFilter imageCodeFilter = new ImageCodeFilter();
        imageCodeFilter.setAuthenticationFailureHandler(febsAuthenticationFailureHandler);
        imageCodeFilter.setSecurityProperties(febsSecurityProperties);
        imageCodeFilter.afterPropertiesSet();

        SmsCodeFilter smsCodeFilter = new SmsCodeFilter();
        smsCodeFilter.setAuthenticationFailureHandler(febsAuthenticationFailureHandler);
        smsCodeFilter.setSecurityProperties(febsSecurityProperties);
        smsCodeFilter.setSessionRegistry(sessionRegistry());
        smsCodeFilter.afterPropertiesSet();

        http.exceptionHandling().accessDeniedHandler(accessDeniedHandler()) // 权限不足处理器
             .and()
                .addFilterBefore(smsCodeFilter, UsernamePasswordAuthenticationFilter.class) // 短信验证码校验
                .addFilterBefore(imageCodeFilter, UsernamePasswordAuthenticationFilter.class) // 添加图形证码校验过滤器
                .formLogin() // 表单方式
                .loginPage(febsSecurityProperties.getLoginUrl()) // 未认证跳转 URL
                .loginProcessingUrl(febsSecurityProperties.getCode().getImage().getLoginProcessingUrl()) // 处理登录认证 URL
                .successHandler(febsAuthenticationSucessHandler) // 处理登录成功
                .failureHandler(febsAuthenticationFailureHandler) // 处理登录失败
            .and()
                .rememberMe() // 添加记住我功能
                .tokenRepository(persistentTokenRepository()) // 配置 token 持久化仓库
                .tokenValiditySeconds(febsSecurityProperties.getRememberMeTimeout()) // rememberMe 过期时间，单为秒
                .userDetailsService(febsUserDetailService) // 处理自动登录逻辑
            .and()
                .sessionManagement() // 配置 session管理器
                .invalidSessionStrategy(invalidSessionStrategy()) // 处理 session失效
                .maximumSessions(febsSecurityProperties.getSession().getMaximumSessions()) // 最大并发登录数量
                .expiredSessionStrategy(new FebsExpiredSessionStrategy()) // 处理并发登录被踢出
                .sessionRegistry(sessionRegistry()) // 配置 session注册中心
            .and()
            .and()
                .logout() // 配置登出
                .addLogoutHandler(logoutHandler()) // 配置登出处理器
                .logoutUrl(febsSecurityProperties.getLogoutUrl()) // 处理登出 url
                .logoutSuccessUrl("/") // 登出后跳转到 /
                .deleteCookies("JSESSIONID") // 删除 JSESSIONID
            .and()
                .authorizeRequests() // 授权配置
                .antMatchers(anonResourcesUrl).permitAll() // 免认证静态资源路径
                .antMatchers(
                        febsSecurityProperties.getLoginUrl(), // 登录路径
                        FebsConstant.FEBS_REGIST_URL, // 用户注册 url
                        febsSecurityProperties.getCode().getImage().getCreateUrl(), // 创建图片验证码路径
                        febsSecurityProperties.getCode().getSms().getCreateUrl(), // 创建短信验证码路径
                        febsSecurityProperties.getSocial().getSocialRedirectUrl(), // 重定向到社交账号注册（绑定）页面路径
                        febsSecurityProperties.getSocial().getSocialBindUrl(), // 社交账号绑定 URL
                        febsSecurityProperties.getSocial().getSocialRegistUrl() // 注册并绑定社交账号 URL
                ).permitAll() // 配置免认证路径
                .anyRequest()  // 所有请求
                .authenticated() // 都需要认证
            .and()
                .csrf().disable()
                .apply(febsSmsCodeAuthenticationSecurityConfig) // 添加短信验证码认证流程
            .and()
                .apply(febsSocialSecurityConfig); // social 配置
    }


    @Bean
    @ConditionalOnMissingBean(name = "imageCodeGenerator")
    public ValidateCodeGenerator imageCodeGenerator() {
        ImageCodeGenerator imageCodeGenerator = new ImageCodeGenerator();
        imageCodeGenerator.setSecurityProperties(febsSecurityProperties);
        return imageCodeGenerator;
    }

    @Bean
    @ConditionalOnMissingBean(SmsCodeSender.class)
    public SmsCodeSender smsCodeSender() {
        return new DefaultSmsSender();
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // 使用 javaconfig 的方式配置是为了注入 sessionRegistry
    @Bean
    public FebsAuthenticationSucessHandler febsAuthenticationSucessHandler() {
        FebsAuthenticationSucessHandler authenticationSucessHandler = new FebsAuthenticationSucessHandler();
        authenticationSucessHandler.setSessionRegistry(sessionRegistry());
        return authenticationSucessHandler;
    }

    // 配置登出处理器
    @Bean
    public LogoutHandler logoutHandler(){
        FebsLogoutHandler febsLogoutHandler = new FebsLogoutHandler();
        febsLogoutHandler.setSessionRegistry(sessionRegistry());
        return febsLogoutHandler;
    }

    @Bean
    public InvalidSessionStrategy invalidSessionStrategy(){
        FebsInvalidSessionStrategy febsInvalidSessionStrategy = new FebsInvalidSessionStrategy();
        febsInvalidSessionStrategy.setSecurityProperties(febsSecurityProperties);
        return febsInvalidSessionStrategy;
    }

    @Bean
    public AccessDeniedHandler accessDeniedHandler() {
        return new FebsAuthenticationAccessDeniedHandler();
    }

    /**
     * XssFilter Bean
     */
    @Bean
    @SuppressWarnings({ "unchecked", "rawtypes" })
    public FilterRegistrationBean xssFilterRegistrationBean() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        filterRegistrationBean.setFilter(new XssFilter());
        filterRegistrationBean.setOrder(1);
        filterRegistrationBean.setEnabled(true);
        filterRegistrationBean.addUrlPatterns("/*");
        Map<String, String> initParameters = new HashMap<>();
        initParameters.put("excludes", "/favicon.ico,/img/*,/js/*,/css/*");
        initParameters.put("isIncludeRichText", "true");
        filterRegistrationBean.setInitParameters(initParameters);
        return filterRegistrationBean;
    }

}