From f3f92b52b856f073c5aa8c4274269543204aaef0 Mon Sep 17 00:00:00 2001 From: Chaos Date: Wed, 19 Nov 2025 17:18:04 +0800 Subject: [PATCH] =?UTF-8?q?fix(security):=20=E4=BC=98=E5=8C=96=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E9=85=8D=E7=BD=AE=E5=8F=8A=E5=A2=9E=E5=8A=A0=E6=9D=83?= =?UTF-8?q?=E9=99=90=E5=BC=82=E5=B8=B8=E5=A4=84=E7=90=86?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 在全局异常处理器中添加权限不足异常的处理方法 - 允许对 /api/public/* 路径的匿名访问,完善安全过滤链配置 - 确保其他请求需要认证,提升安全防护能力 - 维持无状态会话管理,禁用 CSRF 以适应前后端分离架构 --- .../main/java/cn/nopj/chaos_api/config/SecurityConfig.java | 4 ++-- .../cn/nopj/chaos_api/exception/GlobalExceptionHandler.java | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/chaos_api_web/src/main/java/cn/nopj/chaos_api/config/SecurityConfig.java b/chaos_api_web/src/main/java/cn/nopj/chaos_api/config/SecurityConfig.java index fc54807..7b1fbb2 100644 --- a/chaos_api_web/src/main/java/cn/nopj/chaos_api/config/SecurityConfig.java +++ b/chaos_api_web/src/main/java/cn/nopj/chaos_api/config/SecurityConfig.java @@ -47,13 +47,13 @@ public class SecurityConfig { return authenticationConfiguration.getAuthenticationManager(); } + @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .authorizeHttpRequests(auth -> auth - // 允许所有对 /api/public/** 的匿名访问 - .requestMatchers("/api/auth/login","/api/auth/register").permitAll() + .requestMatchers("/api/public/*","/api/auth/login","/api/auth/register").permitAll() .anyRequest().authenticated() ) // 禁用 CSRF,因为现代前后端分离项目通常使用 Token diff --git a/chaos_api_web/src/main/java/cn/nopj/chaos_api/exception/GlobalExceptionHandler.java b/chaos_api_web/src/main/java/cn/nopj/chaos_api/exception/GlobalExceptionHandler.java index ba9ab95..1fd473f 100644 --- a/chaos_api_web/src/main/java/cn/nopj/chaos_api/exception/GlobalExceptionHandler.java 
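Review bot: The new matcher `"/api/public/*"` permits only a single path segment (`/api/public/foo`), not `/api/public/foo/bar`, while the removed comment spoke of `/api/public/**` — so nested public endpoints, if any exist, will fail closed with 401 rather than being exposed; state the intended scope explicitly, e.g. `// only the first segment under /api/public is anonymous; use "/api/public/**" if nested public routes are added` above the `.requestMatchers(...)` line, or switch to `"/api/public/**"` if a subtree was meant. Note also that requests rejected by `anyRequest().authenticated()` are refused inside the filter chain before any controller runs, so the `@ControllerAdvice` handler this commit adds for `AuthorizationDeniedException` will not shape those 401/403 responses; if the `ApiResult` envelope is wanted there too, add `.exceptionHandling(e -> e.authenticationEntryPoint(...).accessDeniedHandler(...))` to this chain (the rest of `securityFilterChain` continues outside the hunk, so it may already be configured further down). Disabling CSRF is only safe here as long as the token is sent in an `Authorization` header and never in a cookie; a one-line comment recording that assumption next to the CSRF line would stop a later cookie-based change from silently reopening CSRF.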
+++ b/chaos_api_web/src/main/java/cn/nopj/chaos_api/exception/GlobalExceptionHandler.java @@ -42,6 +42,9 @@ public class GlobalExceptionHandler { return ApiResult.failed("服务器内部错误,请联系管理员"); } + /** + * 处理权限不足异常 + */ @ExceptionHandler(AuthorizationDeniedException.class) public ApiResult handleAuthorizationDeniedException(AuthorizationDeniedException ex) {