diff --git a/src/main/java/com/ai/da/common/security/config/SecurityConfig.java b/src/main/java/com/ai/da/common/security/config/SecurityConfig.java
index f7284dc6..e10500e8 100644
--- a/src/main/java/com/ai/da/common/security/config/SecurityConfig.java
+++ b/src/main/java/com/ai/da/common/security/config/SecurityConfig.java
@@ -3,7 +3,6 @@ package com.ai.da.common.security.config;
 import com.ai.da.common.security.*;
 import com.ai.da.common.security.filter.AuthenticationFilter;
 import com.ai.da.common.security.filter.UserAuthenticationProcessingFilter;
-import com.ai.da.mapper.AccountMapper;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -20,7 +19,6 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import javax.annotation.Resource;
-import java.util.ArrayList;
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
@@ -49,8 +47,6 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 private AuthenticationFilter authenticationFilter;
 @Resource
 private UserPermissionEvaluator userPermissionEvaluator;
- @Resource
- private AccountMapper accountMapper;
 @Override
@@ -59,32 +55,27 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 }
 @Override
- protected void configure(HttpSecurity httpSecurity) throws Exception {
- httpSecurity.cors().disable() // 禁用 CSRF
- .authorizeRequests()
- .antMatchers(securityProperties.getIgnorePaths()).permitAll()
-// .antMatchers("/api/third/party/your-secured-endpoint").authenticated() // 需要验证的接口
- .anyRequest().permitAll()
- .and()
- .x509()
- .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
- .userDetailsService(userDetailsService())
- .and()
- .exceptionHandling()
- .authenticationEntryPoint(userAuthenticationEntryPointHandler)
- .accessDeniedHandler(userAuthAccessDeniedHandler)
- .and()
- .formLogin()
- .loginProcessingUrl(securityProperties.getAuthApi())
- .successHandler(userLoginSuccessHandler)
- .failureHandler(userLoginFailureHandler)
- .and()
- .addFilterAt(userAuthenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class)
- .addFilterBefore(authenticationFilter, BasicAuthenticationFilter.class)
- .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
- .and()
- .headers().cacheControl()
- ;
+ protected void configure(HttpSecurity httpSecurity/*, WebSecurity web*/) throws Exception {
+// web.ignoring().antMatchers("/test/**");//禁止所有过滤器
+ httpSecurity.cors().disable()//禁用 CSRF
+ .authorizeRequests()//认证请求
+ .antMatchers(securityProperties.getIgnorePaths()).permitAll()//忽略的请求
+ .anyRequest().authenticated()//其余所有的请求都需要认证
+ .and().headers().frameOptions().disable()// 防止iframe 造成跨域
+ .and().x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)").userDetailsService(userDetailsService())
+ .and().exceptionHandling().authenticationEntryPoint(userAuthenticationEntryPointHandler)//未登录请求处理
+ .accessDeniedHandler(userAuthAccessDeniedHandler)//无权限访问处理类 (此配置可以忽略,全局异常会先于Security框架处理异常,全局异常已特殊处理)
+ .and().formLogin().loginProcessingUrl(securityProperties.getAuthApi())//指定认证接口
+ .successHandler(userLoginSuccessHandler)//登录成功处理器
+ .failureHandler(userLoginFailureHandler)//登录失败处理器
+ .and().cors().and().csrf().disable();//允许跨域
+ //自定义过滤器在登录时认证用户名、密码
+ httpSecurity.addFilterAt(userAuthenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class)
+ .addFilterBefore(authenticationFilter, BasicAuthenticationFilter.class);
+ //不创建session会话
+ httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+ //取消头缓存控制
+ httpSecurity.headers().cacheControl();
 }
 @Bean
@@ -93,9 +84,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 handler.setPermissionEvaluator(userPermissionEvaluator);
 return handler;
 }
+ @Bean
 public UserDetailsService userDetailsService() {
-// return (UserDetailsService) accountMapper.selectById(88L);
 return username -> {
 // 这里可以根据用户名查找用户信息,例如从数据库中查询
 // 返回 UserDetails 对象
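Review bot: `.and().headers().frameOptions().disable()` in the new configure() body removes the X-Frame-Options header from every response, so pages served by this application can be framed from any origin; if the comment's intent (letting the app's own iframes load) is the only requirement, `.headers().frameOptions().sameOrigin()` satisfies it while keeping clickjacking protection everywhere else. The opening line `httpSecurity.cors().disable()//禁用 CSRF` is mislabelled — it disables CORS, not CSRF — and appears to be overridden by `.and().cors().and().csrf().disable()` later in the same chain, so the first call should be dropped and the reason CSRF is off (stateless sessions plus the token-carrying `authenticationFilter`, presumably) stated once next to `csrf().disable()`. The closing `httpSecurity.headers().cacheControl();` does not, as its comment `//取消头缓存控制` claims, cancel anything: it only obtains the configurer and leaves the default Cache-Control headers enabled, so either the comment should say the headers are kept or, if disabling is really wanted, the call becomes `.cacheControl().disable()`. The commented-out `// web.ignoring().antMatchers("/test/**")` line and the `/*, WebSecurity web*/` parameter are dead code in a security configuration and should be deleted, since uncommenting them would exempt those paths from every filter in the chain.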