微服务改造

2026-04-22 15:54:42 +08:00
parent d0b8b8d674
commit 23716984cc
2 changed files with 22 additions and 19 deletions
--- a/src/main/java/com/ai/da/common/config/SecurityConfig.java
+++ b/src/main/java/com/ai/da/common/config/SecurityConfig.java
@@ -7,6 +7,11 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;

+/**
+ * Spring Security 配置。
+ * 由于鉴权逻辑已迁移至 Gateway（GlobalAuthWebFilter），
+ * 后端服务 (aida-back) 默认放行所有请求，仅依赖网关传递的用户信息。
+ */
@Configuration
@EnableWebSecurity
 public class SecurityConfig {
@@ -14,18 +19,16 @@ public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
+                // 禁用 CSRF（微服务通常不需要）
                .csrf(AbstractHttpConfigurer::disable)
+                // 允许所有请求，具体鉴权在网关层完成
                .authorizeHttpRequests(auth -> auth
-                        .requestMatchers(
-                                "/doc.html",
-                                "/swagger-ui/**",
-                                "/swagger-resources/**",
-                                "/v2/api-docs/**",
-                                "/v3/api-docs/**",
-                                "/webjars/**"
-                        ).permitAll()
-                        .anyRequest().permitAll() // 先全部允许，后续根据业务需要收紧
-                );
+                        .anyRequest().permitAll()
+                )
+                // 禁用默认的表单登录和 HTTP Basic 认证，防止 302 重定向
+                .formLogin(AbstractHttpConfigurer::disable)
+                .httpBasic(AbstractHttpConfigurer::disable);
+
        return http.build();
    }
 }