6 months ago · eae97e1b33
--- a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/AuthorizeRequestsCustomizer.java
+++ b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/AuthorizeRequestsCustomizer.java
@@ -4,7 +4,7 @@ import cn.iocoder.yudao.framework.web.config.WebProperties;
 
				 import org.springframework.core.Ordered;
			
 
				 import org.springframework.security.config.Customizer;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
			
 
				+import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
			
 
				 
			
 
				 import javax.annotation.Resource;
			
 
				 
			
@@ -15,7 +15,7 @@ import javax.annotation.Resource;
 
				  * @author 芋道源码
			
 
				  */
			
 
				 public abstract class AuthorizeRequestsCustomizer
			
 
				-        implements Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry>, Ordered {
			
 
				+        implements Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry>, Ordered {
			
 
				 
			
 
				     @Resource
			
 
				     private WebProperties webProperties;
			
--- a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/YudaoWebSecurityConfigurerAdapter.java
+++ b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/YudaoWebSecurityConfigurerAdapter.java
@@ -126,22 +126,23 @@ public class YudaoWebSecurityConfigurerAdapter {
 
				         // 设置每个请求的权限
			
 
				         httpSecurity
			
 
				                 // ①：全局共享规则
			
 
				-                .authorizeRequests()
			
 
				-                // 1.1 静态资源，可匿名访问
			
 
				-                .antMatchers(HttpMethod.GET, "/*.html", "/**/*.html", "/**/*.css", "/**/*.js").permitAll()
			
 
				-                // 1.2 设置 @PermitAll 无需认证
			
 
				-                .antMatchers(HttpMethod.GET, permitAllUrls.get(HttpMethod.GET).toArray(new String[0])).permitAll()
			
 
				-                .antMatchers(HttpMethod.POST, permitAllUrls.get(HttpMethod.POST).toArray(new String[0])).permitAll()
			
 
				-                .antMatchers(HttpMethod.PUT, permitAllUrls.get(HttpMethod.PUT).toArray(new String[0])).permitAll()
			
 
				-                .antMatchers(HttpMethod.DELETE, permitAllUrls.get(HttpMethod.DELETE).toArray(new String[0])).permitAll()
			
 
				-                // 1.3 基于 yudao.security.permit-all-urls 无需认证
			
 
				-                .antMatchers(securityProperties.getPermitAllUrls().toArray(new String[0])).permitAll()
			
 
				+                .authorizeHttpRequests(c -> c
			
 
				+                    // 1.1 静态资源，可匿名访问
			
 
				+                    .requestMatchers(HttpMethod.GET, "/*.html", "/*.html", "/*.css", "/*.js").permitAll()
			
 
				+                    // 1.2 设置 @PermitAll 无需认证
			
 
				+                    .requestMatchers(HttpMethod.GET, permitAllUrls.get(HttpMethod.GET).toArray(new String[0])).permitAll()
			
 
				+                    .requestMatchers(HttpMethod.POST, permitAllUrls.get(HttpMethod.POST).toArray(new String[0])).permitAll()
			
 
				+                    .requestMatchers(HttpMethod.PUT, permitAllUrls.get(HttpMethod.PUT).toArray(new String[0])).permitAll()
			
 
				+                    .requestMatchers(HttpMethod.DELETE, permitAllUrls.get(HttpMethod.DELETE).toArray(new String[0])).permitAll()
			
 
				+                    .requestMatchers(HttpMethod.HEAD, permitAllUrls.get(HttpMethod.HEAD).toArray(new String[0])).permitAll()
			
 
				+                    .requestMatchers(HttpMethod.PATCH, permitAllUrls.get(HttpMethod.PATCH).toArray(new String[0])).permitAll()
			
 
				+                    // 1.3 基于 yudao.security.permit-all-urls 无需认证
			
 
				+                    .requestMatchers(securityProperties.getPermitAllUrls().toArray(new String[0])).permitAll()
			
 
				+                )
			
 
				                 // ②：每个项目的自定义规则
			
 
				-                .and().authorizeRequests(registry -> // 下面，循环设置自定义规则
			
 
				-                        authorizeRequestsCustomizers.forEach(customizer -> customizer.customize(registry)))
			
 
				+                .authorizeHttpRequests(c -> authorizeRequestsCustomizers.forEach(customizer -> customizer.customize(c)))
			
 
				                 // ③：兜底规则，必须认证
			
 
				-                .authorizeRequests()
			
 
				-                .anyRequest().authenticated();
			
 
				+                .authorizeHttpRequests(c -> c.anyRequest().authenticated());
			
 
				 
			
 
				         // 添加 Token Filter
			
 
				         httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
			
--- a/yudao-framework/yudao-spring-boot-starter-websocket/src/main/java/cn/iocoder/yudao/framework/websocket/core/security/WebSocketAuthorizeRequestsCustomizer.java
+++ b/yudao-framework/yudao-spring-boot-starter-websocket/src/main/java/cn/iocoder/yudao/framework/websocket/core/security/WebSocketAuthorizeRequestsCustomizer.java
@@ -4,6 +4,7 @@ import cn.iocoder.yudao.framework.security.config.AuthorizeRequestsCustomizer;
 
				 import cn.iocoder.yudao.framework.websocket.config.WebSocketProperties;
			
 
				 import lombok.RequiredArgsConstructor;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				+import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
			
 
				 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
			
 
				 
			
 
				 /**
			
@@ -17,8 +18,8 @@ public class WebSocketAuthorizeRequestsCustomizer extends AuthorizeRequestsCusto
 
				     private final WebSocketProperties webSocketProperties;
			
 
				 
			
 
				     @Override
			
 
				-    public void customize(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry) {
			
 
				-        registry.antMatchers(webSocketProperties.getPath()).permitAll();
			
 
				+    public void customize(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
			
 
				+        registry.requestMatchers(webSocketProperties.getPath()).permitAll();
			
 
				     }
			
 
				 
			
 
				 }
			
--- a/yudao-module-infra/yudao-module-infra-biz/src/main/java/cn/iocoder/yudao/module/infra/framework/security/config/SecurityConfiguration.java
+++ b/yudao-module-infra/yudao-module-infra-biz/src/main/java/cn/iocoder/yudao/module/infra/framework/security/config/SecurityConfiguration.java
@@ -5,7 +5,7 @@ import org.springframework.beans.factory.annotation.Value;
 
				 import org.springframework.context.annotation.Bean;
			
 
				 import org.springframework.context.annotation.Configuration;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
			
 
				+import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
			
 
				 
			
 
				 /**
			
 
				  * Infra 模块的 Security 配置
			
@@ -21,22 +21,22 @@ public class SecurityConfiguration {
 
				         return new AuthorizeRequestsCustomizer() {
			
 
				 
			
 
				             @Override
			
 
				-            public void customize(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry) {
			
 
				+            public void customize(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
			
 
				                 // Swagger 接口文档
			
 
				-                registry.antMatchers("/v3/api-docs/**").permitAll()
			
 
				-                        .antMatchers("/webjars/**").permitAll()
			
 
				-                        .antMatchers("/swagger-ui.html").permitAll()
			
 
				-                        .antMatchers("/swagger-ui/**").permitAll();
			
 
				+                registry.requestMatchers("/v3/api-docs/**").permitAll()
			
 
				+                        .requestMatchers("/webjars/**").permitAll()
			
 
				+                        .requestMatchers("/swagger-ui.html").permitAll()
			
 
				+                        .requestMatchers("/swagger-ui/**").permitAll();
			
 
				                 // Spring Boot Actuator 的安全配置
			
 
				-                registry.antMatchers("/actuator").anonymous()
			
 
				-                        .antMatchers("/actuator/**").anonymous();
			
 
				+                registry.requestMatchers("/actuator").permitAll()
			
 
				+                        .requestMatchers("/actuator/**").permitAll();
			
 
				                 // Druid 监控
			
 
				-                registry.antMatchers("/druid/**").anonymous();
			
 
				+                registry.requestMatchers("/druid/**").permitAll();
			
 
				                 // Spring Boot Admin Server 的安全配置
			
 
				-                registry.antMatchers(adminSeverContextPath).anonymous()
			
 
				-                        .antMatchers(adminSeverContextPath + "/**").anonymous();
			
 
				+                registry.requestMatchers(adminSeverContextPath).permitAll()
			
 
				+                        .requestMatchers(adminSeverContextPath + "/**").permitAll();
			
 
				                 // 文件读取
			
 
				-                registry.antMatchers(buildAdminApi("/infra/file/*/get/**")).permitAll();
			
 
				+                registry.requestMatchers(buildAdminApi("/infra/file/*/get/**")).permitAll();
			
 
				             }
			
 
				 
			
 
				         };
			
--- a/yudao-module-report/yudao-module-report-biz/src/main/java/cn/iocoder/yudao/module/report/framework/security/config/SecurityConfiguration.java
+++ b/yudao-module-report/yudao-module-report-biz/src/main/java/cn/iocoder/yudao/module/report/framework/security/config/SecurityConfiguration.java
@@ -4,6 +4,7 @@ import cn.iocoder.yudao.framework.security.config.AuthorizeRequestsCustomizer;
 
				 import org.springframework.context.annotation.Bean;
			
 
				 import org.springframework.context.annotation.Configuration;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				+import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
			
 
				 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
			
 
				 
			
 
				 /**
			
@@ -17,8 +18,8 @@ public class SecurityConfiguration {
 
				         return new AuthorizeRequestsCustomizer() {
			
 
				 
			
 
				             @Override
			
 
				-            public void customize(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry) {
			
 
				-                registry.antMatchers("/jmreport/**").permitAll(); // 积木报表
			
 
				+            public void customize(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
			
 
				+                registry.requestMatchers("/jmreport/**").permitAll(); // 积木报表
			
 
				             }
			
 
				 
			
 
				         };