From 7d4328cd5bbdfdb3f7eb6450816b38440fcbe6a9 Mon Sep 17 00:00:00 2001
From: vran
Date: Sat, 5 Mar 2022 11:04:29 +0800
Subject: [PATCH] feat: update url auth pattern
---
 .../main/java/com/databasir/api/Routes.java | 2 +-
 .../databasir/api/config/SecurityConfig.java | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/api/src/main/java/com/databasir/api/Routes.java b/api/src/main/java/com/databasir/api/Routes.java
index ea7047e..84ec980 100644
--- a/api/src/main/java/com/databasir/api/Routes.java
+++ b/api/src/main/java/com/databasir/api/Routes.java
@@ -105,7 +105,7 @@ public interface Routes {
 String REFRESH_ACCESS_TOKEN = "/access_tokens";
- String LOGIN_INFO = "/login_info";
+ String LOGIN_INFO = BASE + "/login_info";
 }
diff --git a/api/src/main/java/com/databasir/api/config/SecurityConfig.java b/api/src/main/java/com/databasir/api/config/SecurityConfig.java
index 04b092e..839ccf8 100644
--- a/api/src/main/java/com/databasir/api/config/SecurityConfig.java
+++ b/api/src/main/java/com/databasir/api/config/SecurityConfig.java
@@ -44,14 +44,20 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 .successHandler(databasirAuthenticationSuccessHandler)
 .and()
 .authorizeRequests()
- .antMatchers("/login", Routes.Login.REFRESH_ACCESS_TOKEN).permitAll()
- .antMatchers("/oauth2/apps", "/oauth2/failure", "/oauth2/authorization/*",
- "/oauth2/login/*", "/login/oauth2/*")
+ // 登录和 Token 刷新无需授权
+ .antMatchers("/login", Routes.Login.REFRESH_ACCESS_TOKEN)
 .permitAll()
- .antMatchers("/", "/*.html", "/js/**", "/css/**", "/img/**", "/*.ico").permitAll()
- .anyRequest().authenticated()
+ // oauth 回调地址无需鉴权
+ .antMatchers("/oauth2/apps", "/oauth2/authorization/*", "/oauth2/login/*")
+ .permitAll()
+ // 静态资源无需鉴权
+ .antMatchers("/", "/*.html", "/js/**", "/css/**", "/img/**", "/*.ico")
+ .permitAll()
+ // api 请求需要授权
+ .antMatchers("/api/**").authenticated()
 .and()
- .exceptionHandling().authenticationEntryPoint(databasirAuthenticationEntryPoint);
+ .exceptionHandling()
+ .authenticationEntryPoint(databasirAuthenticationEntryPoint);
 http.addFilterBefore(
 databasirJwtTokenFilter,
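Review bot: Dropping `.anyRequest().authenticated()` in favour of `.antMatchers("/api/**").authenticated()` turns the chain from default-deny into default-allow: with `authorizeRequests()` a request that matches none of the listed patterns gets no access decision and is served without authentication. Every controller path that is not under `/api/` is then public, including any route constant that lacks the `BASE` prefix (the `LOGIN_INFO` change in Routes.java suggests one was already caught this way; `BASE` is not visible here, so this assumes it resolves to `/api`) and the `/oauth2/failure` and `/login/oauth2/*` patterns that were removed from the permit list. If the goal is to let front-end routes fall through, I would list those explicitly and keep a closing catch-all after the `/api/**` rule, `.anyRequest().authenticated()` or `.anyRequest().denyAll()`. The configure method starts and ends outside this hunk, so filters or matchers declared elsewhere may change the picture.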