页面和权限规则调整

yudao-module-infra/yudao-module-infra-impl/src/main/java/cn/iocoder/yudao/module/infra/framework/security/config/SecurityConfiguration.java

@@ -1,27 +1,61 @@
 package cn.iocoder.yudao.module.infra.framework.security.config;
 
 import cn.iocoder.yudao.framework.security.config.AuthorizeRequestsCustomizer;
+import cn.iocoder.yudao.framework.security.core.annotations.AuthCheck;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
+import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
+import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
+
+import javax.annotation.Resource;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
 
 /**
  * Infra 模块的 Security 配置
  */
 @Configuration("infraSecurityConfiguration")
+@Slf4j
 public class SecurityConfiguration {
 
     @Value("${spring.boot.admin.context-path:''}")
     private String adminSeverContextPath;
 
+    @Resource
+    private ApplicationContext applicationContext;
+
     @Bean("infraAuthorizeRequestsCustomizer")
     public AuthorizeRequestsCustomizer authorizeRequestsCustomizer() {
         return new AuthorizeRequestsCustomizer() {
 
             @Override
             public void customize(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry) {
+
+                // 查找全部宝象购的链接
+                Map<RequestMappingInfo, HandlerMethod> handlerMethods = applicationContext.getBean(RequestMappingHandlerMapping.class).getHandlerMethods();
+                Set<String> anonymousUrls = new HashSet<>();
+
+                for (Map.Entry<RequestMappingInfo, HandlerMethod> infoEntry : handlerMethods.entrySet()) {
+                    HandlerMethod handlerMethod = infoEntry.getValue();
+                    // 宝象购app包下 并且没有登录标识 放行
+                    if (handlerMethod.getBeanType().getPackage().getName().startsWith("co.yixiang.app")
+                        && !handlerMethod.hasMethodAnnotation(AuthCheck.class)){
+                        PatternsRequestCondition requestCondition = infoEntry.getKey().getPatternsCondition();
+                        Optional.ofNullable(requestCondition).orElseThrow(RuntimeException::new);
+                        anonymousUrls.addAll(requestCondition.getPatterns());
+                    }
+                }
+                anonymousUrls.forEach(s -> log.warn("宝象购可以匿名访问的url：{}", s));
+                registry.antMatchers(anonymousUrls.toArray(new String[0])).anonymous();
                 // Swagger 接口文档
                 registry.antMatchers("/swagger-ui.html").anonymous()
                         .antMatchers("/swagger-resources/**").anonymous()