Merge remote-tracking branch 'origin/dev_New_pro' into dev_New_pro

云

2026-04-23 a1b154bfd4c5e138d964e1bfdc5a2bcac1e25488

 src/main/java/com/ruoyi/framework/config/SecurityConfig.java

@@ -1,6 +1,10 @@
package com.ruoyi.framework.config;



import org.springframework.beans.factory.annotation.Autowired;

import com.ruoyi.framework.config.properties.PermitAllUrlProperties;

import com.ruoyi.framework.security.filter.JwtAuthenticationTokenFilter;

import com.ruoyi.framework.security.handle.AuthenticationEntryPointImpl;

import com.ruoyi.framework.security.handle.LogoutSuccessHandlerImpl;

import lombok.RequiredArgsConstructor;

import org.springframework.context.annotation.Bean;

import org.springframework.context.annotation.Configuration;

import org.springframework.http.HttpMethod;

@@ -16,10 +20,6 @@
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import org.springframework.security.web.authentication.logout.LogoutFilter;

import org.springframework.web.filter.CorsFilter;

import com.ruoyi.framework.config.properties.PermitAllUrlProperties;

import com.ruoyi.framework.security.filter.JwtAuthenticationTokenFilter;

import com.ruoyi.framework.security.handle.AuthenticationEntryPointImpl;

import com.ruoyi.framework.security.handle.LogoutSuccessHandlerImpl;



/**

 * spring security配置

@@ -28,43 +28,38 @@
 */

@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true)

@Configuration

@RequiredArgsConstructor

public class SecurityConfig

{

    /**

     * 自定义用户认证逻辑

     */

    @Autowired

    private UserDetailsService userDetailsService;

    private final UserDetailsService userDetailsService;

    

    /**

     * 认证失败处理类

     */

    @Autowired

    private AuthenticationEntryPointImpl unauthorizedHandler;

    private final AuthenticationEntryPointImpl unauthorizedHandler;



    /**

     * 退出处理类

     */

    @Autowired

    private LogoutSuccessHandlerImpl logoutSuccessHandler;

    private final LogoutSuccessHandlerImpl logoutSuccessHandler;



    /**

     * token认证过滤器

     */

    @Autowired

    private JwtAuthenticationTokenFilter authenticationTokenFilter;

    private final JwtAuthenticationTokenFilter authenticationTokenFilter;

    

    /**

     * 跨域过滤器

     */

    @Autowired

    private CorsFilter corsFilter;

    private final CorsFilter corsFilter;



    /**

     * 允许匿名访问的地址

     */

    @Autowired

    private PermitAllUrlProperties permitAllUrl;

    private final PermitAllUrlProperties permitAllUrl;



    /**

     * 身份验证实现

@@ -108,16 +103,48 @@
            // 基于token，所以不需要session

            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))

            // 注解标记允许匿名访问的url

            .authorizeHttpRequests((requests) -> {

                permitAllUrl.getUrls().forEach(url -> requests.antMatchers(url).permitAll());

                // 对于登录login 注册register 验证码captchaImage 允许匿名访问

                requests.antMatchers("/login", "/register", "/captchaImage","/loginCheck","/userLoginFacotryList/**","/loginCheckFactory").permitAll()

                    // 静态资源，可匿名访问

                    .antMatchers(HttpMethod.GET, "/", "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/profile/**","/javaWork/**","/**/*.pdf").permitAll()

                    .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**").permitAll()

                    // 除上面外的所有请求全部需要鉴权认证

                    .anyRequest().authenticated();

            })

                // todo ai生成， 后期若有问题请自行优化

                .authorizeHttpRequests(requests -> {



                    // 1. 放行动态配置的 URL

                    permitAllUrl.getUrls().forEach(url ->

                            requests.requestMatchers(url).permitAll()

                    );



                    // 2. 登录 / 注册 / 验证码 / 等放行

                    requests.requestMatchers(

                            "/login",

                            "/register",

                            "/captchaImage",

                            "/loginCheck",

                            "/userLoginFacotryList/**",

                            "/loginCheckFactory"

                    ).permitAll();



                    // 3. 静态资源放行

                    requests.requestMatchers(HttpMethod.GET,

                            "/",

                            "/*.html",

                            "/**/*.html",

                            "/**/*.css",

                            "/**/*.js",

                            "/profile/**",

                            "/javaWork/**",

                            "/**/*.pdf"

                    ).permitAll();



                    // 4. swagger / druid 放行

                    requests.requestMatchers(

                            "/swagger-ui.html",

                            "/swagger-resources/**",

                            "/webjars/**",

                            "/*/api-docs",

                            "/druid/**"

                    ).permitAll();



                    // 5. 其他全部拦截

                    requests.anyRequest().authenticated();

                })

            // 添加Logout filter

            .logout(logout -> logout.logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler))

            // 添加JWT filter