3bc8a39d0f
Spring Security's default Http403ForbiddenEntryPoint was returning 403 for all auth failures. Frontend clients treat 403 as a permission error (not an auth error), so silent loops occurred instead of proper re-login. Adding a custom AuthenticationEntryPoint that returns 401 makes clients handle auth failures correctly (show login page on 401). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
79 行
3.3 KiB
Java
79 行
3.3 KiB
Java
package com.xuqm.update.config;
|
|
|
|
import com.xuqm.common.security.JwtAuthFilter;
|
|
import com.xuqm.common.security.JwtUtil;
|
|
import org.springframework.context.annotation.Bean;
|
|
import org.springframework.context.annotation.Configuration;
|
|
import org.springframework.http.HttpMethod;
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
|
import org.springframework.security.config.http.SessionCreationPolicy;
|
|
import jakarta.servlet.http.HttpServletResponse;
|
|
import org.springframework.security.web.SecurityFilterChain;
|
|
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
|
import org.springframework.web.cors.CorsConfiguration;
|
|
import org.springframework.web.cors.CorsConfigurationSource;
|
|
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
|
|
|
|
import java.util.List;
|
|
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
public class SecurityConfig {
|
|
|
|
private final JwtUtil jwtUtil;
|
|
|
|
public SecurityConfig(JwtUtil jwtUtil) {
|
|
this.jwtUtil = jwtUtil;
|
|
}
|
|
|
|
@Bean
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
http
|
|
.csrf(AbstractHttpConfigurer::disable)
|
|
.cors(cors -> {})
|
|
.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
|
|
.authorizeHttpRequests(auth -> auth
|
|
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
|
|
.requestMatchers(
|
|
"/actuator/**",
|
|
"/api/v1/updates/app/check",
|
|
"/api/v1/updates/app/inspect",
|
|
"/api/v1/rn/update/check",
|
|
"/api/v1/rn/inspect",
|
|
"/api/v1/rn/files/**",
|
|
"/files/apk/**"
|
|
).permitAll()
|
|
.anyRequest().authenticated()
|
|
)
|
|
.exceptionHandling(ex -> ex
|
|
.authenticationEntryPoint((req, res, e) -> res.sendError(HttpServletResponse.SC_UNAUTHORIZED))
|
|
)
|
|
.addFilterBefore(new JwtAuthFilter(jwtUtil), UsernamePasswordAuthenticationFilter.class)
|
|
.httpBasic(AbstractHttpConfigurer::disable)
|
|
.formLogin(AbstractHttpConfigurer::disable);
|
|
return http.build();
|
|
}
|
|
|
|
@Bean
|
|
public CorsConfigurationSource corsConfigurationSource() {
|
|
CorsConfiguration config = new CorsConfiguration();
|
|
config.setAllowCredentials(true);
|
|
config.setAllowedOriginPatterns(List.of(
|
|
"http://localhost:*",
|
|
"http://127.0.0.1:*",
|
|
"http://*.xuqinmin.com",
|
|
"https://*.xuqinmin.com"
|
|
));
|
|
config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
|
|
config.setAllowedHeaders(List.of("*"));
|
|
config.setExposedHeaders(List.of("Location"));
|
|
config.setMaxAge(3600L);
|
|
|
|
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
|
|
source.registerCorsConfiguration("/**", config);
|
|
return source;
|
|
}
|
|
}
|
