From 23158af648d32e2660fd1004d3163f8ec92fbfd3 Mon Sep 17 00:00:00 2001
From: JEECG <445654970@qq.com>
Date: Tue, 29 Oct 2024 17:57:28 +0800
Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../config/ApiSecurityConfigFilter.java | 35 +++++++++++++++++++
 .../jmreport/config/SpringSecurityConfig.java | 11 ++++++
 2 files changed, 46 insertions(+)
 create mode 100644 jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/ApiSecurityConfigFilter.java
diff --git a/jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/ApiSecurityConfigFilter.java b/jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/ApiSecurityConfigFilter.java
new file mode 100644
index 0000000..b80467b
--- /dev/null
+++ b/jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/ApiSecurityConfigFilter.java
@@ -0,0 +1,35 @@
+package com.jeecg.modules.jmreport.config;
+
+import com.alibaba.fastjson.JSONObject;
+import org.jeecg.modules.jmreport.common.util.OkConvertUtils;
+import org.springframework.security.core.context.SecurityContextImpl;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+
+/**
+* @Description: api访问权限过滤器
+*
+* @author: wangshuai
+* @date: 2024/9/25 下午6:22
+*/
+public class ApiSecurityConfigFilter implements Filter {
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ HttpServletRequest req = (HttpServletRequest) request;
+ String loginFrom = req.getHeader("jm_login_from");
+ if(OkConvertUtils.isNotEmpty(loginFrom)){
+ String springSecurityContext = req.getHeader("jm_spring_security_context");
+ if(OkConvertUtils.isNotEmpty(springSecurityContext)){
+ SecurityContextImpl securityContext = JSONObject.parseObject(springSecurityContext, SecurityContextImpl.class);
+ HttpSession session = req.getSession();
+ session.setAttribute("loginFrom", loginFrom);
+ session.setAttribute("SPRING_SECURITY_CONTEXT", securityContext);
+ }
+ }
+ chain.doFilter(request, response);
+ }
+}
diff --git a/jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/SpringSecurityConfig.java b/jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/SpringSecurityConfig.java
index f9cb166..d920b63 100644
--- a/jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/SpringSecurityConfig.java
+++ b/jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/SpringSecurityConfig.java
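Review bot: doFilter trusts two request headers that any client can set: `jm_spring_security_context` is parsed straight into a `SecurityContextImpl` and stored under the session attribute `SPRING_SECURITY_CONTEXT`, which is the key Spring Security's `HttpSessionSecurityContextRepository` reads back as the current authentication, so an unauthenticated caller can pick its own principal and authorities for the rest of that session. Gate the whole branch on proof that the request comes from the upstream system that is meant to forward a context (a shared-secret or signed header compared with `MessageDigest.isEqual`, or a network-level restriction to that caller), and on a missing or invalid proof fall through to `chain.doFilter` without touching the session. Deserializing attacker-controlled JSON with `JSONObject.parseObject(..., SecurityContextImpl.class)` is itself a deserialization risk; build the context from a few validated fields (user id, roles) instead of materializing the whole object, and defer `req.getSession()` (which creates a session) until the caller is verified. A Javadoc line such as `/** Installs a pre-authenticated Spring Security context forwarded by a trusted upstream caller via the jm_login_from / jm_spring_security_context headers. */` would record the intended trust boundary.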
@@ -4,7 +4,9 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 /**
 * spring security 配置
@@ -29,15 +31,19 @@ public class SpringSecurityConfig {
 "/jmreport/desreport_/**/*.png").permitAll()
 // 不需要登录的接口
 .antMatchers("/jmreport/excelQueryByTemplate",
+ "/jmreport/query/report/folder/template",
 "/jmreport/img/**",
 "/jmreport/download/image",
 "/jmreport/verificationToken",
 "/jmreport/link/queryByIds",
 "/jmreport/test/getUserMsg",
 "/jmreport/test/getOrder",
+ "/jimureport/test/**",
 "/jmreport/auto/export/download/**").permitAll()
 // 分享页面
 .antMatchers("/jmreport/shareView/**",
+ "/jmreport/exportPdfStream",
+ "/jmreport/exportAllExcelStream",
 "/jmreport/checkParam/**",
 "/jmreport/share/verification",
 "/jmreport/getQueryInfo",
@@ -52,9 +58,14 @@ public class SpringSecurityConfig {
 .loginProcessingUrl("/login")
 .successHandler(new CustomLoginSuccessHandler())
 .permitAll().and()
+ .addFilterBefore(new ApiSecurityConfigFilter(), BasicAuthenticationFilter.class)
 .logout()
 .invalidateHttpSession(true)
 .clearAuthentication(true).permitAll();
+ // 开放iframe访问限制
+ http.headers().frameOptions().disable();
+ http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
+ http.rememberMe().useSecureCookie(true);
 return http.build();
 }
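Review bot: The new `permitAll()` entries in the second hunk widen the unauthenticated surface, and `/jimureport/test/**` is a prefix wildcard whose `/jimureport` prefix differs from the `/jmreport/test/...` paths beside it; confirm the spelling is intentional and that these test endpoints are not served by a production profile. `/jmreport/exportPdfStream` and `/jmreport/exportAllExcelStream` are placed in the share-page group (分享页面), so they presumably depend on the share-token verification done elsewhere; if those handlers will export any report id without that check, report content becomes readable without login. A comment beside the wildcard, e.g. `// test-only endpoints, must not be enabled in production`, would record the decision. The enclosing method starts and ends outside this hunk.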
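Review bot: `http.headers().frameOptions().disable()` in the third hunk removes the X-Frame-Options header from every response, so any origin can frame the application, not just the iframe host the comment has in mind; keep the header with `http.headers().frameOptions().sameOrigin()` or allow only the intended hosts with a `Content-Security-Policy` `frame-ancestors` directive via `http.headers().contentSecurityPolicy(...)`. `SessionCreationPolicy.ALWAYS` creates a server-side session for every request, including anonymous hits on the permitAll paths, and together with the session write in ApiSecurityConfigFilter any context accepted from a request header persists for the life of that session. Since the filter is added before `BasicAuthenticationFilter`, the context it stores is presumably only honoured from the next request on (the current request's context has already been loaded from the session by then); a comment such as `// context stored by ApiSecurityConfigFilter is picked up on subsequent requests, not this one` would make that ordering explicit. The enclosing method starts outside this hunk.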