Commit 5c070b81819880ccadae4dde8fd17425ba5aed79
1 parent
c218a720
feat(config): permitAll security skeleton REQ-MOD-001
Showing
2 changed files
with
68 additions
and
0 deletions
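--- a/backend/src/main/java/com/xly/erp/config/SecurityConfig.java
+++ b/backend/src/main/java/com/xly/erp/config/SecurityConfig.java
@@ -0,0 +1,24 @@
+package com.xly.erp.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+public class SecurityConfig {
+
+ /**
+ * REQ-MOD-001 临时配置:所有 /api/** 一律 permitAll,禁用 CSRF / 表单登录。
+ * REQ-USR-004 完成时改为 .authenticated() + JWT filter。
+ */
+ @Bean
+ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+ http
+ .csrf(csrf -> csrf.disable())
+ .formLogin(form -> form.disable())
+ .httpBasic(basic -> basic.disable())
+ .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
+ return http.build();
+ }
+}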
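Review bot: The matcher on line 21, `auth.anyRequest().permitAll()`, is broader than the Javadoc on line 12, which says only `/api/**` is opened: every path the application serves becomes reachable without authentication, not just the API. If the `/api/**` scope is the intent, make it explicit and close the rest, e.g. `.authorizeHttpRequests(auth -> auth.requestMatchers("/api/**").permitAll().anyRequest().denyAll())`, so the REQ-USR-004 tightening only has to touch the `/api/**` rule; otherwise reword the Javadoc to say all requests. With CSRF, form login and HTTP Basic all disabled this chain has no authentication entry point at all, which is acceptable for a stateless skeleton but should be stated in the Javadoc, e.g. `No authentication mechanism is wired yet; every request is treated as anonymous until REQ-USR-004 adds the JWT filter.` The three `x -> x.disable()` lambdas can be written as `AbstractHttpConfigurer::disable` for brevity.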
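--- a/backend/src/test/java/com/xly/erp/config/SecurityConfigTest.java
+++ b/backend/src/test/java/com/xly/erp/config/SecurityConfigTest.java
@@ -0,0 +1,44 @@
+package com.xly.erp.config;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@SpringBootTest
+@AutoConfigureMockMvc
+@ActiveProfiles("test")
+class SecurityConfigTest {
+
+ @Autowired MockMvc mockMvc;
+
+ @TestConfiguration
+ static class PingConfig {
+ @Bean PingController pingController() { return new PingController(); }
+ }
+
+ @RestController
+ @RequestMapping("/api/__ping")
+ static class PingController {
+ @GetMapping
+ public String ping() { return "pong"; }
+ }
+
+ @Test
+ void anyApiEndpoint_isPermittedWithoutAuth() throws Exception {
+ mockMvc.perform(get("/api/__ping"))
+ .andExpect(status().isOk())
+ .andExpect(content().string("pong"));
+ }
+}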
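Review bot: The test on lines 39-43 only exercises a GET, so the CSRF disablement in SecurityConfig — the part of this skeleton that most changes Spring Security's default posture — is not verified; adding a `@PostMapping` to `PingController` and a second test doing `mockMvc.perform(post("/api/__ping")).andExpect(status().isOk())` with no CSRF token would pin it (and would start failing if CSRF is re-enabled later). A request to a path outside `/api/**` would likewise document whether the config's `anyRequest().permitAll()` scope is intended, since the test name only promises "any API endpoint". Because `PingController` is a static nested `@RestController` inside the application's package tree, component scanning may register it in addition to the `@Bean` in `PingConfig` and produce a second handler for `/api/__ping`; if the context starts cleanly today that is harmless, but one of the two registrations is redundant and a short comment on `PingConfig` saying which one is authoritative would help.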