build(biji-houdaun): 优化生产环境配置并调整安全设置

- 修改 pom.xml，使用 spring-boot-maven-plugin 排除生产环境依赖 - 重构 SecurityConfig，简化公共端点配置并移除环境判断逻辑
2025-08-02 19:40:44 +08:00
parent 1e7285cb68
commit 2508f07b7b
2 changed files with 28 additions and 37 deletions
--- a/biji-houdaun/pom.xml
+++ b/biji-houdaun/pom.xml
@@ -189,21 +189,26 @@
        <!-- 生产环境排除Knife4j和springdoc -->
        <profile>
            <id>prod</id>
-            <dependencies>
+            <build>
-                <!-- 排除Knife4j API 文档 -->
+                <plugins>
-                <dependency>
+                    <plugin>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-maven-plugin</artifactId>
                        <configuration>
                            <excludes>
                                <exclude>
                                    <groupId>com.github.xiaoymin</groupId>
                                    <artifactId>knife4j-openapi3-jakarta-spring-boot-starter</artifactId>
-                    <version>${knife4j.version}</version>
+                                </exclude>
-                    <scope>provided</scope>
+                                <exclude>
                </dependency>
                <dependency>
                                    <groupId>org.springdoc</groupId>
                                    <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
-                    <version>2.7.0</version>
+                                </exclude>
-                    <scope>provided</scope>
+                            </excludes>
-                </dependency>
+                        </configuration>
-            </dependencies>
+                    </plugin>
                </plugins>
            </build>
        </profile>
    </profiles>
--- a/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
+++ b/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
@@ -8,7 +8,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -18,8 +17,6 @@ import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import java.util.Arrays;
@Configuration
@EnableWebSecurity
 public class SecurityConfig {
@@ -36,9 +33,6 @@ public class SecurityConfig {
    @Autowired
    private JwtAccessDeniedHandler jwtAccessDeniedHandler;
    @Autowired
    private Environment environment;
    @Value("${jwt.header}")
    private String tokenHeader;
@@ -54,26 +48,18 @@ public class SecurityConfig {
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter = new JwtAuthenticationTokenFilter(userDetailsService, jwtTokenUtil, tokenHeader, tokenHead);
-        // 检查当前激活的profile中是否包含 "prod"
+        http
-        boolean isProd = Arrays.asList(environment.getActiveProfiles()).contains("prod");
+                .csrf(csrf -> csrf.disable())
-
+                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-        // 根据环境动态设置白名单
+                .authorizeHttpRequests(authz -> authz
-        String[] publicEndpoints = isProd ?
+                        // 1. 始终允许的核心公共端点 (登录、注册、API文档)
-                new String[]{"/api/user/login", "/api/user/register"} :
+                        .requestMatchers(
                new String[]{
                                "/doc.html",
                                "/webjars/**",
                                "/v3/api-docs/**",
                                "/api/user/login",
                                "/api/user/register"
-                };
+                        ).permitAll()
        http
                .csrf(csrf -> csrf.disable())
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(authz -> authz
                        // 1. 动态允许公共端点
                        .requestMatchers(publicEndpoints).permitAll()
                        // 2. 精确允许用于“公开阅读”的 GET 请求
                        .requestMatchers(org.springframework.http.HttpMethod.GET,