feat(security): 更新安全配置并升级框架版本

- 将父项目版本从 1.5.7 升级到 1.5.8 - 在 WebSecurityConfig 中注入 SecurityProps 配置 - 修改 CustomAuthenticationEntryPoint 构造函数以接受 securityProps 参数 - 将硬编码的访问令牌持续时间替换为 securityProps 配置值 - 将认证失败响应状态码从 401 更改为 40 - 为 zkh-web 模块添加 spring-boot-starter-aop 依赖
feat(security): 配置安全过滤器链支持异步请求
2026-02-04 09:48:51 +08:00 · 2026-02-04 01:15:08 +08:00 · 2026-01-21 12:04:00 +08:00 · 2026-01-17 12:25:28 +08:00
8 changed files with 181 additions and 174 deletions
--- a/pom.xml
+++ b/pom.xml
@ -6,7 +6,7 @@

    <groupId>vip.jcfd</groupId>
    <artifactId>zkh-framework</artifactId>
-    <version>1.5.7</version>
+    <version>1.5.9</version>
    <packaging>pom</packaging>
    <name>ZKH Framework</name>
    <description>A Java framework for ZKH applications</description>
--- a/zkh-common/pom.xml
+++ b/zkh-common/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>vip.jcfd</groupId>
        <artifactId>zkh-framework</artifactId>
-        <version>1.5.7</version>
+        <version>1.5.9</version>
    </parent>

    <artifactId>zkh-common</artifactId>
--- a/zkh-data/pom.xml
+++ b/zkh-data/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>vip.jcfd</groupId>
        <artifactId>zkh-framework</artifactId>
-        <version>1.5.7</version>
+        <version>1.5.9</version>
    </parent>

    <artifactId>zkh-data</artifactId>
--- a/zkh-file/pom.xml
+++ b/zkh-file/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>vip.jcfd</groupId>
        <artifactId>zkh-framework</artifactId>
-        <version>1.5.7</version>
+        <version>1.5.9</version>
    </parent>

    <artifactId>zkh-file</artifactId>
--- a/zkh-log/pom.xml
+++ b/zkh-log/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>vip.jcfd</groupId>
        <artifactId>zkh-framework</artifactId>
-        <version>1.5.7</version>
+        <version>1.5.9</version>
    </parent>

    <artifactId>zkh-log</artifactId>
--- a/zkh-web/pom.xml
+++ b/zkh-web/pom.xml
@ -7,7 +7,7 @@
    <parent>
        <groupId>vip.jcfd</groupId>
        <artifactId>zkh-framework</artifactId>
-        <version>1.5.7</version>
+        <version>1.5.9</version>
    </parent>

    <artifactId>zkh-web</artifactId>
@ -23,6 +23,10 @@
            <groupId>vip.jcfd</groupId>
            <artifactId>zkh-log</artifactId>
        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-aop</artifactId>
+        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
--- a/zkh-web/src/main/java/vip/jcfd/web/config/GlobalExceptionHandler.java
+++ b/zkh-web/src/main/java/vip/jcfd/web/config/GlobalExceptionHandler.java
@ -64,7 +64,6 @@ public class GlobalExceptionHandler {
 	 * 处理 @RequestBody + @Valid 校验失败
 	 */
 	@ExceptionHandler(MethodArgumentNotValidException.class)
-	@ResponseStatus(HttpStatus.BAD_REQUEST)
 	public R<?> handleMethodArgumentNotValid(MethodArgumentNotValidException ex) {
 		log.error("接口入参校验失败", ex);
 		BindingResult bindingResult = ex.getBindingResult();
@ -82,7 +81,6 @@ public class GlobalExceptionHandler {
 	 * 处理 @RequestParam / @PathVariable 校验失败
 	 */
 	@ExceptionHandler(ConstraintViolationException.class)
-	@ResponseStatus(HttpStatus.BAD_REQUEST)
 	public R<?> handleConstraintViolation(ConstraintViolationException ex) {
 		log.error("接口入参校验失败", ex);
 		String msg = ex.getConstraintViolations()
--- a/zkh-web/src/main/java/vip/jcfd/web/config/WebSecurityConfig.java
+++ b/zkh-web/src/main/java/vip/jcfd/web/config/WebSecurityConfig.java
@ -1,6 +1,7 @@
 package vip.jcfd.web.config;

 import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.DispatcherType;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@ -10,6 +11,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
 import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.data.domain.AuditorAware;
 import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
 import org.springframework.http.HttpHeaders;
@ -60,191 +62,194 @@ import java.util.UUID;
@EnableScheduling
 public class WebSecurityConfig {

-	private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
-	private final SecurityProps securityProps;
-	private final ObjectMapper objectMapper;
-	private final TokenRedisStorage tokenRedisStorage;
+    private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
+    private final SecurityProps securityProps;
+    private final ObjectMapper objectMapper;
+    private final TokenRedisStorage tokenRedisStorage;

-	public WebSecurityConfig(SecurityProps securityProps,
-	                         ObjectMapper objectMapper,
-	                         TokenRedisStorage tokenRedisStorage,
-	                         AuthenticationManagerBuilder builder,
-	                         UserDetailsService userDetailsService) {
-		this.securityProps = securityProps;
-		this.objectMapper = objectMapper;
-		this.tokenRedisStorage = tokenRedisStorage;
-		builder.authenticationProvider(new RefreshTokenAuthProvider(userDetailsService));
-		DaoAuthenticationProvider authenticationProvider = new CustomDaoAuthenticationProvider(userDetailsService);
-		authenticationProvider.setPasswordEncoder(new BCryptPasswordEncoder());
-		builder.authenticationProvider(authenticationProvider);
-	}
+    public WebSecurityConfig(SecurityProps securityProps,
+                             ObjectMapper objectMapper,
+                             TokenRedisStorage tokenRedisStorage,
+                             AuthenticationManagerBuilder builder,
+                             UserDetailsService userDetailsService) {
+        this.securityProps = securityProps;
+        this.objectMapper = objectMapper;
+        this.tokenRedisStorage = tokenRedisStorage;
+        builder.authenticationProvider(new RefreshTokenAuthProvider(userDetailsService));
+        DaoAuthenticationProvider authenticationProvider = new CustomDaoAuthenticationProvider(userDetailsService);
+        authenticationProvider.setPasswordEncoder(new BCryptPasswordEncoder());
+        builder.authenticationProvider(authenticationProvider);
+    }

-	@Scheduled(cron = "0 */30 * * * *")
-	@Async
-	public void scheduleClearExpiredTokens() {
-		tokenRedisStorage.clearExpiredTokens();
-	}
+    @Scheduled(cron = "0 */30 * * * *")
+    @Async
+    public void scheduleClearExpiredTokens() {
+        tokenRedisStorage.clearExpiredTokens();
+    }

-	@Bean
-	public AuditorAware<String> auditorAware() {
-		return () -> Optional.ofNullable(SecurityContextHolder.getContext())
-				.map(SecurityContext::getAuthentication)
-				.map(Authentication::getName)
-				.or(() -> Optional.of("system"));
-	}
+    @Bean
+    public AuditorAware<String> auditorAware() {
+        return () -> Optional.ofNullable(SecurityContextHolder.getContext())
+                .map(SecurityContext::getAuthentication)
+                .map(Authentication::getName)
+                .or(() -> Optional.of("system"));
+    }

-	@Bean
-	public PasswordEncoder passwordEncoder() {
-		return new BCryptPasswordEncoder();
-	}
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }

-	@Bean
-	@ConditionalOnMissingBean
-	public TokenFilter tokenFilter() {
-		return new TokenFilter(tokenRedisStorage);
-	}
+    @Bean
+    @ConditionalOnMissingBean
+    public TokenFilter tokenFilter() {
+        return new TokenFilter(tokenRedisStorage);
+    }

-	@Bean
-	public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
-		return configuration.getAuthenticationManager();
-	}
+    @Bean
+    public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
+        return configuration.getAuthenticationManager();
+    }

-	@Bean
-	public SecurityFilterChain security(HttpSecurity http, TokenFilter tokenFilter, AuthenticationManager authenticationManager) throws Exception {
-		http.authorizeHttpRequests(config -> {
-			config.requestMatchers(securityProps.getIgnoreUrls()).permitAll();
-			config.anyRequest().authenticated();
-		});
-		CustomAuthenticationEntryPoint authenticationEntryPoint = new CustomAuthenticationEntryPoint(objectMapper, tokenRedisStorage);
-		http.formLogin(config -> {
-			config.loginProcessingUrl("/login");
-		});
-		http.csrf(AbstractHttpConfigurer::disable);
-		http.logout(config -> {
-			config.addLogoutHandler(new CustomLogoutSuccessHandler(objectMapper, tokenRedisStorage));
-		});
-		http.rememberMe(AbstractHttpConfigurer::disable);
-		http.sessionManagement(AbstractHttpConfigurer::disable);
-		http.exceptionHandling(config -> {
-			config.authenticationEntryPoint(authenticationEntryPoint);
-			config.accessDeniedHandler(new CustomAccessDeniedHandler(objectMapper));
-		});
+    @Bean
+    @Order
+    public SecurityFilterChain security(HttpSecurity http, TokenFilter tokenFilter, AuthenticationManager authenticationManager) throws Exception {
+        http.authorizeHttpRequests(config -> {
+            config.dispatcherTypeMatchers(DispatcherType.ASYNC).permitAll();
+            config.requestMatchers(securityProps.getIgnoreUrls()).permitAll();
+            config.anyRequest().authenticated();
+        });
+        CustomAuthenticationEntryPoint authenticationEntryPoint = new CustomAuthenticationEntryPoint(objectMapper, tokenRedisStorage, securityProps);
+        http.formLogin(config -> {
+            config.loginProcessingUrl("/login");
+        });
+        http.csrf(AbstractHttpConfigurer::disable);
+        http.logout(config -> {
+            config.addLogoutHandler(new CustomLogoutSuccessHandler(objectMapper, tokenRedisStorage));
+        });
+        http.rememberMe(AbstractHttpConfigurer::disable);
+        http.sessionManagement(AbstractHttpConfigurer::disable);
+        http.exceptionHandling(config -> {
+            config.authenticationEntryPoint(authenticationEntryPoint);
+            config.accessDeniedHandler(new CustomAccessDeniedHandler(objectMapper));
+        });

-		http.addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class);
-		JsonUsernamePasswordAuthenticationFilter filter = new JsonUsernamePasswordAuthenticationFilter(objectMapper, authenticationManager);
-		filter.setAuthenticationSuccessHandler(authenticationEntryPoint);
-		filter.setAuthenticationFailureHandler(authenticationEntryPoint);
-		http.addFilterAt(filter, UsernamePasswordAuthenticationFilter.class);
-		return http.build();
-	}
+        http.addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class);
+        JsonUsernamePasswordAuthenticationFilter filter = new JsonUsernamePasswordAuthenticationFilter(objectMapper, authenticationManager);
+        filter.setAuthenticationSuccessHandler(authenticationEntryPoint);
+        filter.setAuthenticationFailureHandler(authenticationEntryPoint);
+        http.addFilterAt(filter, UsernamePasswordAuthenticationFilter.class);
+        return http.build();
+    }

-	private record CustomAuthenticationEntryPoint(
-			ObjectMapper objectMapper,
-			TokenRedisStorage tokenRedisStorage) implements AuthenticationEntryPoint, AuthenticationFailureHandler, AuthenticationSuccessHandler {
-		@Override
-		public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
-			log.warn("访问 {} ,但是认证失败", request.getRequestURI(), authException);
-			R<Object> data = new R<>(HttpServletResponse.SC_UNAUTHORIZED, "未登录", false, null);
-			response.setContentType("application/json;charset=UTF-8");
-			objectMapper.writeValue(response.getWriter(), data);
-		}
+    private record CustomAuthenticationEntryPoint(
+            ObjectMapper objectMapper,
+            TokenRedisStorage tokenRedisStorage,
+            SecurityProps securityProps) implements AuthenticationEntryPoint, AuthenticationFailureHandler, AuthenticationSuccessHandler {
+        @Override
+        public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
+            log.warn("访问 {} ,但是认证失败", request.getRequestURI(), authException);
+            R<Object> data = new R<>(HttpServletResponse.SC_UNAUTHORIZED, "未登录", false, null);
+            response.setContentType("application/json;charset=UTF-8");
+            objectMapper.writeValue(response.getWriter(), data);
+        }

-		@Override
-		public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
-			log.warn("登录失败", exception);
-			R<Object> data = new R<>(HttpServletResponse.SC_UNAUTHORIZED, "用户名或密码错误", false, null);
-			response.setContentType("application/json;charset=UTF-8");
-			objectMapper.writeValue(response.getWriter(), data);
-		}
+        @Override
+        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
+            log.warn("登录失败", exception);
+            R<Object> data = new R<>(HttpServletResponse.SC_BAD_REQUEST, "用户名或密码错误", false, null);
+            response.setContentType("application/json;charset=UTF-8");
+            objectMapper.writeValue(response.getWriter(), data);
+        }

-		@Override
-		public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
-			log.info("用户「{}」登录成功", authentication.getName());
+        @Override
+        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
+            log.info("用户「{}」登录成功", authentication.getName());

-			// 生成双重Token
-			String accessToken = UUID.randomUUID().toString();
-			String refreshToken = UUID.randomUUID().toString();
+            // 生成双重Token
+            String accessToken = UUID.randomUUID().toString();
+            String refreshToken = UUID.randomUUID().toString();

-			// 存储Access Token
-			tokenRedisStorage.putAccessToken(accessToken, authentication);
+            // 存储Access Token
+            tokenRedisStorage.putAccessToken(accessToken, authentication);

-			// 存储Refresh Token
-			String deviceId = extractDeviceId(request);
-			tokenRedisStorage.putRefreshToken(refreshToken, authentication.getName(), deviceId);
+            // 存储Refresh Token
+            String deviceId = extractDeviceId(request);
+            tokenRedisStorage.putRefreshToken(refreshToken, authentication.getName(), deviceId);

-			// 构造登录响应
-			LoginResponse loginResponse = new LoginResponse(
-					accessToken,
-					refreshToken,
-					"Bearer",
-					1800, // 30分钟，秒数
-					authentication.getName()
-			);
+            // 构造登录响应
+            LoginResponse loginResponse = new LoginResponse(
+                    accessToken,
+                    refreshToken,
+                    "Bearer",
+                    securityProps.getDuration().getSeconds(), // 30分钟，秒数
+                    authentication.getName()
+            );

-			response.setContentType("application/json;charset=UTF-8");
-			R<LoginResponse> data = new R<>(HttpServletResponse.SC_OK, "登录成功", true, loginResponse);
-			objectMapper.writeValue(response.getWriter(), data);
-		}
+            response.setContentType("application/json;charset=UTF-8");
+            R<LoginResponse> data = new R<>(HttpServletResponse.SC_OK, "登录成功", true, loginResponse);
+            objectMapper.writeValue(response.getWriter(), data);
+        }

-		private String extractDeviceId(HttpServletRequest request) {
-			// 尝试从User-Agent提取设备信息
-			String userAgent = request.getHeader("User-Agent");
-			if (userAgent != null) {
-				// 简单的设备识别逻辑，生产环境可以使用更复杂的识别算法
-				if (userAgent.contains("Mobile") || userAgent.contains("Android") || userAgent.contains("iPhone")) {
-					return "mobile-" + request.getRemoteAddr();
-				} else if (userAgent.contains("Tablet") || userAgent.contains("iPad")) {
-					return "tablet-" + request.getRemoteAddr();
-				} else {
-					return "desktop-" + request.getRemoteAddr();
-				}
-			}
-			return "unknown-" + request.getRemoteAddr();
-		}
-	}
+        private String extractDeviceId(HttpServletRequest request) {
+            // 尝试从User-Agent提取设备信息
+            String userAgent = request.getHeader("User-Agent");
+            if (userAgent != null) {
+                // 简单的设备识别逻辑，生产环境可以使用更复杂的识别算法
+                if (userAgent.contains("Mobile") || userAgent.contains("Android") || userAgent.contains("iPhone")) {
+                    return "mobile-" + request.getRemoteAddr();
+                } else if (userAgent.contains("Tablet") || userAgent.contains("iPad")) {
+                    return "tablet-" + request.getRemoteAddr();
+                } else {
+                    return "desktop-" + request.getRemoteAddr();
+                }
+            }
+            return "unknown-" + request.getRemoteAddr();
+        }
+    }

-	private record CustomAccessDeniedHandler(ObjectMapper objectMapper) implements AccessDeniedHandler {
+    private record CustomAccessDeniedHandler(ObjectMapper objectMapper) implements AccessDeniedHandler {

-		@Override
-		public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
-			Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-			log.warn("访问被拒绝", accessDeniedException);
-			if (authentication.isAuthenticated()) {
-				log.warn("用户「{}」访问「{}」被拒绝，因为：{}", authentication.getPrincipal(), request.getRequestURI(), accessDeniedException.getMessage());
-			} else {
-				log.warn("匿名用户访问「{}」被拒绝，因为：{}", request.getRequestURI(), accessDeniedException.getMessage());
-			}
-			R<Object> data = new R<>(HttpServletResponse.SC_FORBIDDEN, "无权限", false, null);
-			response.setContentType("application/json;charset=UTF-8");
-			objectMapper.writeValue(response.getWriter(), data);
-		}
-	}
+        @Override
+        public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
+            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+            log.warn("访问被拒绝", accessDeniedException);
+            if (authentication.isAuthenticated()) {
+                log.warn("用户「{}」访问「{}」被拒绝，因为：{}", authentication.getPrincipal(), request.getRequestURI(), accessDeniedException.getMessage());
+            } else {
+                log.warn("匿名用户访问「{}」被拒绝，因为：{}", request.getRequestURI(), accessDeniedException.getMessage());
+            }
+            R<Object> data = new R<>(HttpServletResponse.SC_FORBIDDEN, "无权限", false, null);
+            response.setContentType("application/json;charset=UTF-8");
+            objectMapper.writeValue(response.getWriter(), data);
+        }
+    }

-	private record CustomLogoutSuccessHandler(ObjectMapper objectMapper,
-	                                          TokenRedisStorage tokenRedisStorage) implements LogoutHandler {
-		@Override
-		public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
-			String header = request.getHeader(HttpHeaders.AUTHORIZATION);
+    private record CustomLogoutSuccessHandler(ObjectMapper objectMapper,
+                                              TokenRedisStorage tokenRedisStorage) implements LogoutHandler {
+        @Override
+        public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
+            String header = request.getHeader(HttpHeaders.AUTHORIZATION);

-			if (header != null && header.startsWith("Bearer ")) {
-				String token = header.substring(7);
-				authentication = tokenRedisStorage.get(token);
-				tokenRedisStorage.remove(token);
-			}
-			if (authentication != null) {
-				log.info("用户「{}」退出成功", authentication.getName());
-				String all = request.getParameter("all");
-				if ("true".equals(all)) {
-					tokenRedisStorage.removeByUserName(authentication.getName());
-				}
-			}
-			R<Object> data = new R<>(HttpServletResponse.SC_OK, "退出成功", true, null);
-			response.setContentType("application/json;charset=UTF-8");
-			try {
-				objectMapper.writeValue(response.getWriter(), data);
-			} catch (IOException e) {
-				throw new RuntimeException(e);
-			}
-		}
-	}
+            if (header != null && header.startsWith("Bearer ")) {
+                String token = header.substring(7);
+                authentication = tokenRedisStorage.get(token);
+                tokenRedisStorage.remove(token);
+            }
+            if (authentication != null) {
+                log.info("用户「{}」退出成功", authentication.getName());
+                String all = request.getParameter("all");
+                if ("true".equals(all)) {
+                    tokenRedisStorage.removeByUserName(authentication.getName());
+                }
+            }
+            R<Object> data = new R<>(HttpServletResponse.SC_OK, "退出成功", true, null);
+            response.setContentType("application/json;charset=UTF-8");
+            try {
+                objectMapper.writeValue(response.getWriter(), data);
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+        }
+    }
 }
Author	SHA1	Message	Date
zkh	7b346802e0	feat(security): 更新安全配置并升级框架版本 - 将父项目版本从 1.5.7 升级到 1.5.8 - 在 WebSecurityConfig 中注入 SecurityProps 配置 - 修改 CustomAuthenticationEntryPoint 构造函数以接受 securityProps 参数 - 将硬编码的访问令牌持续时间替换为 securityProps 配置值 - 将认证失败响应状态码从 401 更改为 40 - 为 zkh-web 模块添加 spring-boot-starter-aop 依赖	2026-02-04 09:48:51 +08:00
zkh	f152b1e655	feat(security): 配置安全过滤器链支持异步请求 - 添加 DispatcherType.ASYNC 类型匹配以允许异步请求通过 - 添加 Order 注解确保安全过滤器链正确排序 - 导入必要的 jakarta.servlet.DispatcherType 和 org.springframework.core.annotation.Order 依赖	2026-02-04 01:15:08 +08:00
zkh	01d29e6ec3	feat(security): 更新安全配置并升级框架版本 - 将父项目版本从 1.5.7 升级到 1.5.8 - 在 WebSecurityConfig 中注入 SecurityProps 配置 - 修改 CustomAuthenticationEntryPoint 构造函数以接受 securityProps 参数 - 将硬编码的访问令牌持续时间替换为 securityProps 配置值 - 将认证失败响应状态码从 401 更改为 40 - 为 zkh-web 模块添加 spring-boot-starter-aop 依赖	2026-01-21 12:04:00 +08:00
zkh	06b5258824	refactor(error): 移除全局异常处理器中的重复状态码注解 - 移除 MethodArgumentNotValidException 处理器的 @ResponseStatus 注解 - 移除 ConstraintViolationException 处理器的 @ResponseStatus 注解 - 统一通过返回结果对象控制响应状态码 - 简化异常处理逻辑，提高代码一致性	2026-01-17 12:25:28 +08:00