feat: 登录失败时返回401状态码

common/core/src/main/java/org/funcode/portal/server/common/core/config/security/DefaultSecurityConfig.java

@@ -20,6 +20,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
@@ -30,7 +31,9 @@
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
 import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
@@ -82,10 +85,18 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                 "/v3/api-docs",
                                 "/v3/api-docs/**",
                                 "/webjars/**",
-                                "favicon.ico",
                                 "/doc.html",
                                 defaultLoginPage
                         ).permitAll()
+                        .requestMatchers(
+                                "/**.js",
+                                "/**.css",
+                                "/**.html",
+                                "/**.png",
+                                "/**.txt",
+                                "/**.ico",
+                                "/_next/**"
+                        ).permitAll()
                         .requestMatchers(HttpMethod.POST, WECHAT_LOGIN_PATH).permitAll()
                         .requestMatchers(HttpMethod.OPTIONS).permitAll()
                         .requestMatchers(antMatcher("/**/anonymous")).permitAll()
@@ -94,7 +105,6 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http,
                 .formLogin(login -> login
                         .usernameParameter("username")
                         .passwordParameter("password")
-                        .loginPage(defaultLoginPage)
                         .loginProcessingUrl("/api/v1/auth/login")
                         .successHandler(customAuthenticationSuccessHandler)
                         .failureHandler(customAuthenticationFailureHandler)
@@ -105,6 +115,9 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http,
                         .logoutSuccessUrl(
                                 StringUtils.isBlank(applicationConfig.getSecurity().logoutSuccessUrl()) ? "/login?logout" : applicationConfig.getSecurity().logoutSuccessUrl())
                 )
+                .exceptionHandling(exceptionHandling -> exceptionHandling
+                        .authenticationEntryPoint(unauthorizedEntryPoint())  // 未登录处理
+                )
                 .authenticationProvider(weChatAuthenticationProvider)
                 .authenticationProvider(daoAuthenticationProvider())
                 .addFilterBefore(
@@ -114,6 +127,12 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http,
         return http.build();
     }
 
+    @Bean
+    public AuthenticationEntryPoint unauthorizedEntryPoint() {
+        // 返回401 Unauthorized，而不是重定向
+        return new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
+    }
+
     @Bean
     public DaoAuthenticationProvider daoAuthenticationProvider() {
         DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();

common/core/src/main/java/org/funcode/portal/server/common/core/security/service/impl/JwtServiceImpl.java

@@ -85,9 +85,9 @@ public void filterVerifyAccessToken(@NonNull String accessToken,
                                         @NonNull HttpServletRequest request,
                                         @NonNull HttpServletResponse response) throws IOException {
         SecurityContext context = SecurityContextHolder.createEmptyContext();
-        try {
-            String username = this.extractUserName(accessToken);
-            if (StringUtils.isNotEmpty(username)
+            try {
+                String username = this.extractUserName(accessToken);
+                if (StringUtils.isNotEmpty(username)
                     && SecurityContextHolder.getContext().getAuthentication() == null) {
                 User userDetails = (User) userDetailsService
                         .loadUserByUsername(username);

starter/src/main/resources/application.yml

@@ -19,7 +19,7 @@ application:
       # 签名密钥
       signing-key: portalserver8fas8hage9SHVfsd847GD8475fd8880ejf
       # access-token过期时间，单位：分钟
-      expiration: 30
+      expiration: 10080
       # refresh-token的过期时间，单位：分钟
       refresh-expiration: 10080
     cors-allowed-origin-patterns: