feat(security): 更新安全配置并升级框架版本

- 将父项目版本从 1.5.7 升级到 1.5.8 - 在 WebSecurityConfig 中注入 SecurityProps 配置 - 修改 CustomAuthenticationEntryPoint 构造函数以接受 securityProps 参数 - 将硬编码的访问令牌持续时间替换为 securityProps 配置值 - 将认证失败响应状态码从 401 更改为 40 - 为 zkh-web 模块添加 spring-boot-starter-aop 依赖
2026-01-21 12:04:00 +08:00
parent 06b5258824
commit 01d29e6ec3
7 changed files with 15 additions and 10 deletions
--- a/pom.xml
+++ b/pom.xml
@ -6,7 +6,7 @@

    <groupId>vip.jcfd</groupId>
    <artifactId>zkh-framework</artifactId>
-    <version>1.5.7</version>
+    <version>1.5.8</version>
    <packaging>pom</packaging>
    <name>ZKH Framework</name>
    <description>A Java framework for ZKH applications</description>
--- a/zkh-common/pom.xml
+++ b/zkh-common/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>vip.jcfd</groupId>
        <artifactId>zkh-framework</artifactId>
-        <version>1.5.7</version>
+        <version>1.5.8</version>
    </parent>

    <artifactId>zkh-common</artifactId>
--- a/zkh-data/pom.xml
+++ b/zkh-data/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>vip.jcfd</groupId>
        <artifactId>zkh-framework</artifactId>
-        <version>1.5.7</version>
+        <version>1.5.8</version>
    </parent>

    <artifactId>zkh-data</artifactId>
--- a/zkh-file/pom.xml
+++ b/zkh-file/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>vip.jcfd</groupId>
        <artifactId>zkh-framework</artifactId>
-        <version>1.5.7</version>
+        <version>1.5.8</version>
    </parent>

    <artifactId>zkh-file</artifactId>
--- a/zkh-log/pom.xml
+++ b/zkh-log/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>vip.jcfd</groupId>
        <artifactId>zkh-framework</artifactId>
-        <version>1.5.7</version>
+        <version>1.5.8</version>
    </parent>

    <artifactId>zkh-log</artifactId>
--- a/zkh-web/pom.xml
+++ b/zkh-web/pom.xml
@ -7,7 +7,7 @@
    <parent>
        <groupId>vip.jcfd</groupId>
        <artifactId>zkh-framework</artifactId>
-        <version>1.5.7</version>
+        <version>1.5.8</version>
    </parent>

    <artifactId>zkh-web</artifactId>
@ -23,6 +23,10 @@
            <groupId>vip.jcfd</groupId>
            <artifactId>zkh-log</artifactId>
        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-aop</artifactId>
+        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
--- a/zkh-web/src/main/java/vip/jcfd/web/config/WebSecurityConfig.java
+++ b/zkh-web/src/main/java/vip/jcfd/web/config/WebSecurityConfig.java
@ -115,7 +115,7 @@ public class WebSecurityConfig {
 			config.requestMatchers(securityProps.getIgnoreUrls()).permitAll();
 			config.anyRequest().authenticated();
 		});
-		CustomAuthenticationEntryPoint authenticationEntryPoint = new CustomAuthenticationEntryPoint(objectMapper, tokenRedisStorage);
+		CustomAuthenticationEntryPoint authenticationEntryPoint = new CustomAuthenticationEntryPoint(objectMapper, tokenRedisStorage, securityProps);
 		http.formLogin(config -> {
 			config.loginProcessingUrl("/login");
 		});
@ -140,7 +140,8 @@ public class WebSecurityConfig {

 	private record CustomAuthenticationEntryPoint(
 			ObjectMapper objectMapper,
-			TokenRedisStorage tokenRedisStorage) implements AuthenticationEntryPoint, AuthenticationFailureHandler, AuthenticationSuccessHandler {
+			TokenRedisStorage tokenRedisStorage,
+			SecurityProps securityProps) implements AuthenticationEntryPoint, AuthenticationFailureHandler, AuthenticationSuccessHandler {
 		@Override
 		public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
 			log.warn("访问 {} ,但是认证失败", request.getRequestURI(), authException);
@ -152,7 +153,7 @@ public class WebSecurityConfig {
 		@Override
 		public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
 			log.warn("登录失败", exception);
-			R<Object> data = new R<>(HttpServletResponse.SC_UNAUTHORIZED, "用户名或密码错误", false, null);
+			R<Object> data = new R<>(HttpServletResponse.SC_BAD_REQUEST, "用户名或密码错误", false, null);
 			response.setContentType("application/json;charset=UTF-8");
 			objectMapper.writeValue(response.getWriter(), data);
 		}
@ -177,7 +178,7 @@ public class WebSecurityConfig {
 					accessToken,
 					refreshToken,
 					"Bearer",
-					1800, // 30分钟，秒数
+					securityProps.getDuration().getSeconds(), // 30分钟，秒数
 					authentication.getName()
 			);