补充security工程的注释信息

2021-05-11 13:59:02 +08:00
parent c299561cad
commit f0ce57f681
1 changed files with 3 additions and 0 deletions
--- a/mall-ebtp-cloud-security-starter/src/main/java/com/chinaunicom/mall/ebtp/cloud/security/starter/config/BrowserSecurityConfig.java
+++ b/mall-ebtp-cloud-security-starter/src/main/java/com/chinaunicom/mall/ebtp/cloud/security/starter/config/BrowserSecurityConfig.java
@ -40,8 +40,11 @@ public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint()).and().sessionManagement()
+				// Spring security 默认是使用 HttpSessionSecurityContextRepository 来存储SecurityContext
+				// 的, 因我们的应用系统不是基于 login 认证模式， 如果开启session 则会产生 token 缓存问题(即新的请求可能使用的是过期token)
 				.sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
 				.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class)
+				// 只对业务节点请求做认证处理
 				.authorizeRequests().antMatchers("/v1/**").authenticated().and().httpBasic().and().csrf().disable();
 	}