From f0ce57f6816333c9cc31947317d749630adae043 Mon Sep 17 00:00:00 2001
From: ajaxfan <909938737@qq.com>
Date: Tue, 11 May 2021 13:59:02 +0800
Subject: [PATCH] =?UTF-8?q?=E8=A1=A5=E5=85=85security=E5=B7=A5=E7=A8=8B?= =?UTF-8?q?=E7=9A=84=E6=B3=A8=E9=87=8A=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../cloud/security/starter/config/BrowserSecurityConfig.java | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/mall-ebtp-cloud-security-starter/src/main/java/com/chinaunicom/mall/ebtp/cloud/security/starter/config/BrowserSecurityConfig.java b/mall-ebtp-cloud-security-starter/src/main/java/com/chinaunicom/mall/ebtp/cloud/security/starter/config/BrowserSecurityConfig.java
index 7f0ee85..e0c4a73 100644
--- a/mall-ebtp-cloud-security-starter/src/main/java/com/chinaunicom/mall/ebtp/cloud/security/starter/config/BrowserSecurityConfig.java
+++ b/mall-ebtp-cloud-security-starter/src/main/java/com/chinaunicom/mall/ebtp/cloud/security/starter/config/BrowserSecurityConfig.java
@@ -40,8 +40,11 @@ public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint()).and().sessionManagement()
+ // Spring security 默认是使用 HttpSessionSecurityContextRepository 来存储SecurityContext
+ // 的, 因我们的应用系统不是基于 login 认证模式, 如果开启session 则会产生 token 缓存问题(即新的请求可能使用的是过期token)
 .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
 .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class)
+ // 只对业务节点请求做认证处理
 .authorizeRequests().antMatchers("/v1/**").authenticated().and().httpBasic().and().csrf().disable();
 }
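Review bot: The new comment above `.authorizeRequests()` says only business endpoints are authenticated, but it does not say that every path outside `/v1/**` stays reachable without authentication, because the chain has no `anyRequest()` rule. Whether other routes (management or documentation endpoints, for example) are served by applications using this starter cannot be seen from the hunk, so the safer default is to close the chain explicitly: `.antMatchers("/v1/**").authenticated().anyRequest().denyAll()`, with any intentionally public paths listed before it using `permitAll()`. The session comment also states that the application is not login-based, yet `.httpBasic()` remains enabled as a second credential path next to the token filter. If that is deliberate it deserves its own comment; otherwise it is worth removing.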