From 7e77c1ca67b7069886d26e1d342d78cf14e44f7c Mon Sep 17 00:00:00 2001
From: b2baccline <23131013+b2baccline@users.noreply.github.com>
Date: Mon, 10 Aug 2020 10:02:34 +0800
Subject: [PATCH] =?UTF-8?q?:sparkles:=20=E6=B7=BB=E5=8A=A0=E7=A6=81?=
 =?UTF-8?q?=E7=94=A8iframe=E9=85=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../CustomResourceServerConfigurer.java | 23 +++++++++++--------
 .../oauth/config/PermitAllUrlProperties.java | 9 ++++++--
 .../DingTalkGlobalExceptionHandler.java | 3 ++-
 3 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/ballcat-admin/ballcat-admin-core/src/main/java/com/hccake/ballcat/admin/oauth/config/CustomResourceServerConfigurer.java b/ballcat-admin/ballcat-admin-core/src/main/java/com/hccake/ballcat/admin/oauth/config/CustomResourceServerConfigurer.java
index c395326c..9f0f5db0 100644
--- a/ballcat-admin/ballcat-admin-core/src/main/java/com/hccake/ballcat/admin/oauth/config/CustomResourceServerConfigurer.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/com/hccake/ballcat/admin/oauth/config/CustomResourceServerConfigurer.java
@@ -47,18 +47,23 @@ public class CustomResourceServerConfigurer extends ResourceServerConfigurerAdap
 public void configure(HttpSecurity httpSecurity) throws Exception {
 // @formatter:off
 httpSecurity
- // 拦截 url 配置
- .authorizeRequests()
- .antMatchers(ArrayUtil.toArray(permitAllUrlProperties.getIgnoreUrls(), String.class))
- .permitAll()
- .anyRequest().authenticated()
+ // 拦截 url 配置
+ .authorizeRequests()
+ .antMatchers(ArrayUtil.toArray(permitAllUrlProperties.getIgnoreUrls(), String.class))
+ .permitAll()
+ .anyRequest().authenticated()
- // 使用token鉴权时 关闭 session 缓存
- .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+ // 使用token鉴权时 关闭 session 缓存
+ .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
- // 关闭 csrf 跨站攻击防护
- .and().csrf().disable();
+ // 关闭 csrf 跨站攻击防护
+ .and().csrf().disable();
 // @formatter:on
+
+ // 允许嵌入iframe
+ if (!permitAllUrlProperties.isIframeDeny()) {
+ httpSecurity.headers().frameOptions().disable();
+ }
 }
 }
diff --git a/ballcat-admin/ballcat-admin-core/src/main/java/com/hccake/ballcat/admin/oauth/config/PermitAllUrlProperties.java b/ballcat-admin/ballcat-admin-core/src/main/java/com/hccake/ballcat/admin/oauth/config/PermitAllUrlProperties.java
index a78bf29d..e7908664 100644
--- a/ballcat-admin/ballcat-admin-core/src/main/java/com/hccake/ballcat/admin/oauth/config/PermitAllUrlProperties.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/com/hccake/ballcat/admin/oauth/config/PermitAllUrlProperties.java
@@ -15,12 +15,17 @@ import java.util.List;
 * @date 2020/2/18 10:55 资源服务器忽略鉴权的url地址
 */
 @Slf4j
+@Getter
+@Setter
 @Configuration
 @ConfigurationProperties(prefix = "security.oauth2")
 public class PermitAllUrlProperties {
- @Getter
- @Setter
 private List ignoreUrls = new ArrayList<>();
+ /**
+ * 是否禁止嵌入iframe
+ */
+ private boolean iframeDeny = true;
+
 }
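Review bot: `httpSecurity.headers().frameOptions().disable()` in the new `if` block drops the X-Frame-Options header altogether, so once `iframeDeny` is false any origin can frame the admin pages, not only the page the application is meant to be embedded in. If the embedding page is served from the same origin, `httpSecurity.headers().frameOptions().sameOrigin();` keeps clickjacking protection; for one specific cross-origin host, a `Content-Security-Policy: frame-ancestors <embedding-origin>` header set through `headers().contentSecurityPolicy(...)` is the narrower alternative. Whichever is kept, the comment `// 允许嵌入iframe` should state the actual effect, e.g. `// iframe embedding allowed: X-Frame-Options is not sent at all`. The whole `configure` method is inside the hunk.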
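Review bot: The Javadoc on the new `iframeDeny` field says only whether embedding is forbidden; since `CustomResourceServerConfigurer` reacts to `false` by not sending X-Frame-Options at all, the field should document that consequence and the default so operators know what flipping `security.oauth2.iframe-deny` does. Suggested text: `/** Deny embedding in an iframe (Spring Security's default X-Frame-Options: DENY). When false the header is not emitted at all, so any site may frame the application. Default true. */`. Moving `@Getter`/`@Setter` to class level also generates the public `setIframeDeny` that `@ConfigurationProperties` binding needs, so that part looks fine.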
diff --git a/ballcat-common/ballcat-common-conf/src/main/java/com/hccake/ballcat/common/conf/exception/handler/DingTalkGlobalExceptionHandler.java b/ballcat-common/ballcat-common-conf/src/main/java/com/hccake/ballcat/common/conf/exception/handler/DingTalkGlobalExceptionHandler.java
index df67e244..9f6c006d 100644
--- a/ballcat-common/ballcat-common-conf/src/main/java/com/hccake/ballcat/common/conf/exception/handler/DingTalkGlobalExceptionHandler.java
+++ b/ballcat-common/ballcat-common-conf/src/main/java/com/hccake/ballcat/common/conf/exception/handler/DingTalkGlobalExceptionHandler.java
@@ -25,7 +25,8 @@ public class DingTalkGlobalExceptionHandler extends AbstractNoticeGlobalExceptio
 @Override
 public ExceptionNoticeResponse send(ExceptionMessage sendMessage) {
- DingTalkResponse response = sender.sendMessage(new DingTalkTextMessage().setContent(sendMessage.toString()).atAll());
+ DingTalkResponse response = sender
+ .sendMessage(new DingTalkTextMessage().setContent(sendMessage.toString()).atAll());
 return new ExceptionNoticeResponse().setErrMsg(response.getResponse()).setSuccess(response.isSuccess());
 }