package com.xly.erp.common.config;

import com.xly.erp.common.security.JwtAuthenticationFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Spring Security configuration (docs/04 § 1.7).
 *
 * <p>REQ-USR-001 T3: stateless JWT authentication. {@code /api/usr/login}, the Swagger/OpenAPI
 * paths and {@code /actuator/health} are open; every other request must be authenticated. A
 * {@link BCryptPasswordEncoder} is registered as the {@link PasswordEncoder} bean, and the
 * {@link JwtAuthenticationFilter} is placed before {@link UsernamePasswordAuthenticationFilter}.
 */
@Configuration
public class SecurityConfig {

    // NOTE(review): the Swagger/OpenAPI paths are reachable by anonymous callers; confirm this is
    // intended for every environment the service is deployed to, not only development.
    /**
     * Paths reachable without a token. Everything not listed here requires an authenticated
     * request (see {@link #securityFilterChain}).
     */
    private static final String[] PUBLIC_PATHS = {
        "/api/usr/login",
        "/swagger-ui/**",
        "/swagger-ui.html",
        "/v3/api-docs/**",
        "/actuator/health"
    };

    /**
     * Password hash encoder (BCrypt). Plaintext storage or comparison of passwords is forbidden.
     *
     * @return a new {@link BCryptPasswordEncoder} built with its no-argument constructor
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Builds the security filter chain for the API.
     *
     * @param http the {@link HttpSecurity} builder supplied by Spring
     * @param jwtAuthenticationFilter the JWT authentication filter from
     *     {@code com.xly.erp.common.security}, inserted ahead of the form-login filter
     * @return the built {@link SecurityFilterChain}
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                                   JwtAuthenticationFilter jwtAuthenticationFilter)
            throws Exception {
        // CSRF protection is switched off because the API is token-based and stateless (see the
        // STATELESS policy just below); revisit this if cookie-backed sessions are ever introduced.
        http.csrf(AbstractHttpConfigurer::disable);
        http.sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        http.authorizeHttpRequests(requests -> requests
                .requestMatchers(PUBLIC_PATHS).permitAll()
                .anyRequest().authenticated());
        // NOTE(review): no authenticationEntryPoint is configured here, so an unauthenticated
        // request receives the framework's default rejection rather than an explicit 401 — verify
        // this matches the API contract.
        http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}