Commit 5c070b81819880ccadae4dde8fd17425ba5aed79
1 parent
c218a720
feat(config): permitAll security skeleton REQ-MOD-001
Showing
2 changed files
with
68 additions
and
0 deletions
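--- /dev/null
+++ b/backend/src/main/java/com/xly/erp/config/SecurityConfig.java
@@ -0,0 +1,24 @@
+package com.xly.erp.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+public class SecurityConfig {
+
+    /**
+     * REQ-MOD-001 临时配置:所有 /api/** 一律 permitAll,禁用 CSRF / 表单登录。
+     * REQ-USR-004 完成时改为 .authenticated() + JWT filter。
+     */
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+            .csrf(csrf -> csrf.disable())
+            .formLogin(form -> form.disable())
+            .httpBasic(basic -> basic.disable())
+            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
+        return http.build();
+    }
+}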
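Review bot: The Javadoc on securityFilterChain says only `/api/**` is permitAll, but line 21 uses `auth.anyRequest().permitAll()`, which opens every path the chain covers (error, actuator and any future non-API endpoint), not just `/api/**`. If the narrower scope in the comment is the intent, change the matcher to `.authorizeHttpRequests(auth -> auth.requestMatchers("/api/**").permitAll().anyRequest().authenticated())`; otherwise reword the comment so that REQ-USR-004 is not planned against a scope the code never had. No session policy is set, so the temporary chain still creates server-side sessions on demand; for a token-based API that is replaced by a JWT filter later, adding `.sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))` (import `org.springframework.security.config.http.SessionCreationPolicy`) keeps the stateless assumption that justifies disabling CSRF explicit. An English rendering of the Javadoc, e.g. `Temporary REQ-MOD-001 chain: permits all requests, CSRF/form/basic login disabled; switch to .authenticated() + JWT filter under REQ-USR-004.`, would help maintainers who cannot read the Chinese original.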
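--- /dev/null
+++ b/backend/src/test/java/com/xly/erp/config/SecurityConfigTest.java
@@ -0,0 +1,44 @@
+package com.xly.erp.config;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@SpringBootTest
+@AutoConfigureMockMvc
+@ActiveProfiles("test")
+class SecurityConfigTest {
+
+    @Autowired MockMvc mockMvc;
+
+    @TestConfiguration
+    static class PingConfig {
+        @Bean PingController pingController() { return new PingController(); }
+    }
+
+    @RestController
+    @RequestMapping("/api/__ping")
+    static class PingController {
+        @GetMapping
+        public String ping() { return "pong"; }
+    }
+
+    @Test
+    void anyApiEndpoint_isPermittedWithoutAuth() throws Exception {
+        mockMvc.perform(get("/api/__ping"))
+            .andExpect(status().isOk())
+            .andExpect(content().string("pong"));
+    }
+}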
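Review bot: The test only requests `/api/__ping`, so it cannot distinguish a chain scoped to `/api/**` (what the production Javadoc describes) from one that permits every path (what `anyRequest().permitAll()` does); a second request against a non-`/api` path asserting whichever status is intended there would pin the scope the team actually wants. Because this test deliberately locks in the temporary permit-all state, a comment such as `// TODO REQ-USR-004: expect 401 here once the JWT filter replaces permitAll` above `anyApiEndpoint_isPermittedWithoutAuth` would make clear that it must be inverted, not merely kept green, when authentication lands. `@ActiveProfiles("test")` presumes a `test` profile whose configuration is not part of this commit; if it is not already in the repository, note in the class Javadoc what that profile is expected to supply.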