update

imooc-security-authorize/src/main/java/com/imooc/security/rbac/authentication/RbacUserDetailsService.java

@@ -0,0 +1,45 @@
+/**
+ * 
+ */
+package com.imooc.security.rbac.authentication;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
+
+import com.imooc.security.rbac.domain.Admin;
+import com.imooc.security.rbac.repository.AdminRepository;
+
+/**
+ * @author zhailiang
+ *
+ */
+@Component
+@Transactional
+public class RbacUserDetailsService implements UserDetailsService {
+
+	private Logger logger = LoggerFactory.getLogger(getClass());
+
+	@Autowired
+	private AdminRepository adminRepository;
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.springframework.security.core.userdetails.UserDetailsService#
+	 * loadUserByUsername(java.lang.String)
+	 */
+	@Override
+	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+		logger.info("表单登录用户名:" + username);
+		Admin admin = adminRepository.findByUsername(username);
+		admin.getUrls();
+		return admin;
+	}
+
+}

imooc-security-authorize/src/main/java/com/imooc/security/rbac/authentication/package-info.java

@@ -0,0 +1,8 @@
+/**
+ * 
+ */
+/**
+ * @author zhailiang
+ *
+ */
+package com.imooc.security.rbac.authentication;

imooc-security-authorize/src/main/java/com/imooc/security/rbac/authorize/RbacAuthorizeConfigProvider.java

@@ -13,7 +13,6 @@
 
 /**
  * @author zhailiang
- *
  */
 @Component
 @Order(Integer.MAX_VALUE)
@@ -23,15 +22,16 @@ public class RbacAuthorizeConfigProvider implements AuthorizeConfigProvider {
 	 * @see com.imooc.security.core.authorize.AuthorizeConfigProvider#config(org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry)
 	 */
 	@Override
-	public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
+	public boolean config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
 		config
-		.antMatchers(HttpMethod.GET, "/fonts/**").permitAll()
-		.antMatchers(HttpMethod.GET, 
-				"**/*.html",
-				"/admin/me",
-				"/resource").authenticated()
-		.anyRequest()
-			.access("@rbacService.hasPermission(request, authentication)");
+			.antMatchers(HttpMethod.GET, "/fonts/**").permitAll()
+			.antMatchers(HttpMethod.GET, 
+					"/**/*.html",
+					"/admin/me",
+					"/resource").authenticated()
+			.anyRequest()
+				.access("@rbacService.hasPermission(request, authentication)");
+		return true;
 	}
 
 }

imooc-security-authorize/src/main/java/com/imooc/security/rbac/RbacService.java → imooc-security-authorize/src/main/java/com/imooc/security/rbac/service/RbacService.java

@@ -1,7 +1,7 @@
 /**
  * 
  */
-package com.imooc.security.rbac;
+package com.imooc.security.rbac.service;
 
 import javax.servlet.http.HttpServletRequest;
 

imooc-security-authorize/src/main/java/com/imooc/security/rbac/RbacServiceImpl.java → imooc-security-authorize/src/main/java/com/imooc/security/rbac/service/impl/RbacServiceImpl.java

@@ -1,7 +1,7 @@
 /**
  * 
  */
-package com.imooc.security.rbac;
+package com.imooc.security.rbac.service.impl;
 
 import java.util.Set;
 
@@ -13,6 +13,7 @@
 import org.springframework.util.AntPathMatcher;
 
 import com.imooc.security.rbac.domain.Admin;
+import com.imooc.security.rbac.service.RbacService;
 
 /**
  * @author zhailiang

imooc-security-browser/src/main/java/com/imooc/security/browser/BrowserSecurityBeanConfig.java

@@ -36,7 +36,7 @@ public class BrowserSecurityBeanConfig {
 	@Bean
 	@ConditionalOnMissingBean(InvalidSessionStrategy.class)
 	public InvalidSessionStrategy invalidSessionStrategy(){
-		return new ImoocInvalidSessionStrategy(securityProperties.getBrowser().getSession().getSessionInvalidUrl());
+		return new ImoocInvalidSessionStrategy(securityProperties);
 	}
 
 	/**
@@ -46,7 +46,7 @@ public InvalidSessionStrategy invalidSessionStrategy(){
 	@Bean
 	@ConditionalOnMissingBean(SessionInformationExpiredStrategy.class)
 	public SessionInformationExpiredStrategy sessionInformationExpiredStrategy(){
-		return new ImoocExpiredSessionStrategy(securityProperties.getBrowser().getSession().getSessionInvalidUrl());
+		return new ImoocExpiredSessionStrategy(securityProperties);
 	}
 
 	/**

imooc-security-browser/src/main/java/com/imooc/security/browser/authorize/BrowserAuthorizeConfigProvider.java

@@ -25,13 +25,14 @@ public class BrowserAuthorizeConfigProvider implements AuthorizeConfigProvider {
 	 * @see com.imooc.security.core.authorize.AuthorizeConfigProvider#config(org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry)
 	 */
 	@Override
-	public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
+	public boolean config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
 		config.antMatchers(HttpMethod.GET, 
 			"/**/*.js",
 			"/**/*.css",
 			"/**/*.jpg",
 			"/**/*.png",
 			"/**/*.gif").permitAll();
+		return false;
 	}
 
 }

imooc-security-browser/src/main/java/com/imooc/security/browser/session/AbstractSessionStrategy.java

@@ -18,6 +18,7 @@
 import org.springframework.util.Assert;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.imooc.security.core.properties.SecurityProperties;
 import com.imooc.security.core.support.SimpleResponse;
 
 /**
@@ -33,6 +34,10 @@ public class AbstractSessionStrategy {
 	 * 跳转的url
 	 */
 	private String destinationUrl;
+	/**
+	 * 系统配置信息
+	 */
+	private SecurityProperties securityPropertie;
 	/**
 	 * 重定向策略
 	 */
@@ -48,10 +53,12 @@ public class AbstractSessionStrategy {
 	 * @param invalidSessionUrl
 	 * @param invalidSessionHtmlUrl
 	 */
-	public AbstractSessionStrategy(String invalidSessionUrl) {
+	public AbstractSessionStrategy(SecurityProperties securityPropertie) {
+		String invalidSessionUrl = securityPropertie.getBrowser().getSession().getSessionInvalidUrl();
 		Assert.isTrue(UrlUtils.isValidRedirectUrl(invalidSessionUrl), "url must start with '/' or with 'http(s)'");
 		Assert.isTrue(StringUtils.endsWithIgnoreCase(invalidSessionUrl, ".html"), "url must end with '.html'");
 		this.destinationUrl = invalidSessionUrl;
+		this.securityPropertie = securityPropertie;
 	}
 
 	/*
@@ -73,7 +80,12 @@ protected void onSessionInvalid(HttpServletRequest request, HttpServletResponse
 		String targetUrl;
 
 		if (StringUtils.endsWithIgnoreCase(sourceUrl, ".html")) {
-			targetUrl = destinationUrl;
+			if(StringUtils.equals(sourceUrl, securityPropertie.getBrowser().getSignInPage())
+					|| StringUtils.equals(sourceUrl, securityPropertie.getBrowser().getSignOutUrl())){
+				targetUrl = sourceUrl;
+			}else{
+				targetUrl = destinationUrl;
+			}
 			logger.info("跳转到:"+targetUrl);
 			redirectStrategy.sendRedirect(request, response, targetUrl);
 		} else {

imooc-security-browser/src/main/java/com/imooc/security/browser/session/ImoocExpiredSessionStrategy.java

@@ -10,6 +10,8 @@
 import org.springframework.security.web.session.SessionInformationExpiredEvent;
 import org.springframework.security.web.session.SessionInformationExpiredStrategy;
 
+import com.imooc.security.core.properties.SecurityProperties;
+
 /**
  * 并发登录导致session失效时，默认的处理策略
  * 
@@ -18,8 +20,8 @@
  */
 public class ImoocExpiredSessionStrategy extends AbstractSessionStrategy implements SessionInformationExpiredStrategy {
 
-	public ImoocExpiredSessionStrategy(String invalidSessionUrl) {
-		super(invalidSessionUrl);
+	public ImoocExpiredSessionStrategy(SecurityProperties securityPropertie) {
+		super(securityPropertie);
 	}
 
 	/* (non-Javadoc)

imooc-security-browser/src/main/java/com/imooc/security/browser/session/ImoocInvalidSessionStrategy.java

@@ -11,6 +11,8 @@
 
 import org.springframework.security.web.session.InvalidSessionStrategy;
 
+import com.imooc.security.core.properties.SecurityProperties;
+
 /**
  * 默认的session失效处理策略
  * 
@@ -19,8 +21,8 @@
  */
 public class ImoocInvalidSessionStrategy extends AbstractSessionStrategy implements InvalidSessionStrategy {
 
-	public ImoocInvalidSessionStrategy(String invalidSessionUrl) {
-		super(invalidSessionUrl);
+	public ImoocInvalidSessionStrategy(SecurityProperties securityProperties) {
+		super(securityProperties);
 	}
 
 	@Override

imooc-security-browser/src/main/resources/resources/imooc-session-invalid.html

@@ -7,9 +7,9 @@
 <body>
 	<h2>安全模块默认的session失效提示页面</h2>
 	<h3>请通过imooc.security.browser.session.sessionInvalidUrl配置自己的页面URL</h3>
-	<h3>此页面将在5秒后跳转到登录页</h3>
+	<h3>此页面将在3秒后跳转到登录页</h3>
 	<script type="text/javascript">
-		setInterval(function(){window.location.href = "/imooc-signIn.html"}, 5000);
+		setInterval(function(){window.location.href = "/imooc-signIn.html"}, 3000);
 	</script>
 </body>
 </html>

imooc-security-browser/src/main/resources/resources/imooc-signIn.html

@@ -54,8 +54,8 @@ <h3>短信登录</h3>
 	</form>
 	<br>
 	<h3>社交登录</h3>
-	<a href="/qqLogin/callback.do">QQ登录</a>
+	<a href="/auth/qq">QQ登录</a>
 	&nbsp;&nbsp;&nbsp;&nbsp;
-	<a href="/qqLogin/weixin">微信登录</a>
+	<a href="/auth/weixin">微信登录</a>
 </body>
 </html>

imooc-security-core/src/main/java/com/imooc/security/core/authentication/DefaultSocialUserDetailsService.java

@@ -23,7 +23,7 @@ public class DefaultSocialUserDetailsService implements SocialUserDetailsService
 
 	@Override
 	public SocialUserDetails loadUserByUserId(String userId) throws UsernameNotFoundException {
-		logger.error("请配置 SocialUserDetailsService 接口的实现.");
+		logger.warn("请配置 SocialUserDetailsService 接口的实现.");
 		throw new UsernameNotFoundException(userId);
 	}
 

imooc-security-core/src/main/java/com/imooc/security/core/authentication/DefaultUserDetailsService.java

@@ -30,7 +30,7 @@ public class DefaultUserDetailsService implements UserDetailsService {
 	 */
 	@Override
 	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
-		logger.error("请配置 UserDetailsService 接口的实现.");
+		logger.warn("请配置 UserDetailsService 接口的实现.");
 		throw new UsernameNotFoundException(username);
 	}
 

imooc-security-core/src/main/java/com/imooc/security/core/authorize/AuthorizeConfigProvider.java

@@ -14,6 +14,13 @@
  */
 public interface AuthorizeConfigProvider {
 
-	void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config);
+	/**
+	 * @param config
+	 * @return 返回的boolean表示配置中是否有针对anyRequest的配置。在整个授权配置中，
+	 * 应该有且仅有一个针对anyRequest的配置，如果所有的实现都没有针对anyRequest的配置，
+	 * 系统会自动增加一个anyRequest().authenticated()的配置。如果有多个针对anyRequest
+	 * 的配置，则会抛出异常。
+	 */
+	boolean config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config);
 
 }

imooc-security-core/src/main/java/com/imooc/security/core/authorize/ImoocAuthorizeConfigManager.java

@@ -18,18 +18,32 @@
  */
 @Component
 public class ImoocAuthorizeConfigManager implements AuthorizeConfigManager {
-	
+
 	@Autowired
 	private List<AuthorizeConfigProvider> authorizeConfigProviders;
 
+	/* (non-Javadoc)
+	 * @see com.imooc.security.core.authorize.AuthorizeConfigManager#config(org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry)
+	 */
 	@Override
 	public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
+		boolean existAnyRequestConfig = false;
+		String existAnyRequestConfigName = null;
+
 		for (AuthorizeConfigProvider authorizeConfigProvider : authorizeConfigProviders) {
-			authorizeConfigProvider.config(config);
+			boolean currentIsAnyRequestConfig = authorizeConfigProvider.config(config);
+			if (existAnyRequestConfig && currentIsAnyRequestConfig) {
+				throw new RuntimeException("重复的anyRequest配置:" + existAnyRequestConfigName + ","
+						+ authorizeConfigProvider.getClass().getSimpleName());
+			} else if (currentIsAnyRequestConfig) {
+				existAnyRequestConfig = true;
+				existAnyRequestConfigName = authorizeConfigProvider.getClass().getSimpleName();
+			}
+		}
+
+		if(!existAnyRequestConfig){
+			config.anyRequest().authenticated();
 		}
-//		config.anyRequest().authenticated();
 	}
-
-
 
 }

imooc-security-core/src/main/java/com/imooc/security/core/authorize/ImoocAuthorizeConfigProvider.java

@@ -3,6 +3,7 @@
  */
 package com.imooc.security.core.authorize;
 
+import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -24,20 +25,21 @@ public class ImoocAuthorizeConfigProvider implements AuthorizeConfigProvider {
 
 	@Autowired
 	private SecurityProperties securityProperties;
-	
+
 	@Override
-	public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
-		config
-			.antMatchers(
-				SecurityConstants.DEFAULT_UNAUTHENTICATION_URL,
+	public boolean config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
+		config.antMatchers(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL,
 				SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_MOBILE,
 				SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_OPENID,
-				SecurityConstants.DEFAULT_VALIDATE_CODE_URL_PREFIX+"/*",
-				securityProperties.getBrowser().getSignInPage(),
+				SecurityConstants.DEFAULT_VALIDATE_CODE_URL_PREFIX + "/*",
+				securityProperties.getBrowser().getSignInPage(), 
 				securityProperties.getBrowser().getSignUpUrl(),
-				securityProperties.getBrowser().getSession().getSessionInvalidUrl(),
-				securityProperties.getBrowser().getSignOutUrl())
-				.permitAll();
+				securityProperties.getBrowser().getSession().getSessionInvalidUrl()).permitAll();
+
+		if (StringUtils.isNotBlank(securityProperties.getBrowser().getSignOutUrl())) {
+			config.antMatchers(securityProperties.getBrowser().getSignOutUrl()).permitAll();
+		}
+		return false;
 	}
 
 }

imooc-security-core/src/main/java/com/imooc/security/core/validate/code/sms/DefaultSmsCodeSender.java

@@ -3,20 +3,26 @@
  */
 package com.imooc.security.core.validate.code.sms;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 /**
  * 默认的短信验证码发送器
  * 
  * @author zhailiang
  *
  */
 public class DefaultSmsCodeSender implements SmsCodeSender {
+
+	private Logger logger = LoggerFactory.getLogger(getClass());
 
 	/* (non-Javadoc)
 	 * @see com.imooc.security.core.validate.code.sms.SmsCodeSender#send(java.lang.String, java.lang.String)
 	 */
 	@Override
 	public void send(String mobile, String code) {
-		System.out.println("向手机"+mobile+"发送短信验证码"+code);
+		logger.warn("请配置真实的短信验证码发送器(SmsCodeSender)");
+		logger.info("向手机"+mobile+"发送短信验证码"+code);
 	}
 
 }