From b49b67bb1e49dac78b30fba11874702dad4a60ff Mon Sep 17 00:00:00 2001
From: XuqmGroup
Date: Mon, 18 May 2026 15:11:13 +0800
Subject: [PATCH] fix(file-service): use explicit HttpMethod on all requestMatchers to force AntRequestMatcher

Spring Security 6 MvcRequestMatcher (used when no HttpMethod is specified and Spring MVC is on the classpath) fails to match the upload endpoint, falling through to anyRequest().authenticated() and returning 401. Specifying HttpMethod forces AntRequestMatcher which matches reliably.

Co-Authored-By: Claude Sonnet 4.6
---
 .../main/java/com/xuqm/file/config/SecurityConfig.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java b/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
index e92ea85..a402a09 100644
--- a/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
+++ b/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
@@ -36,12 +36,12 @@ public class SecurityConfig {
 .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .authorizeHttpRequests(auth -> auth
 .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
- // Public: file upload and serving by hash (upload is intentionally public)
- .requestMatchers("/api/file/upload").permitAll()
- .requestMatchers("/api/file/*/thumbnail").permitAll()
- .requestMatchers("/api/file/*").permitAll()
+ // Public: file upload and serving (AntRequestMatcher via explicit method)
+ .requestMatchers(HttpMethod.POST, "/api/file/upload").permitAll()
+ .requestMatchers(HttpMethod.GET, "/api/file/*/thumbnail").permitAll()
+ .requestMatchers(HttpMethod.GET, "/api/file/*").permitAll()
 // Actuator health & info
- .requestMatchers("/actuator/**").permitAll()
+ .requestMatchers(HttpMethod.GET, "/actuator/**").permitAll()
 .anyRequest().authenticated()
 )
 .exceptionHandling(ex -> ex
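Review bot: The actuator rule still permits `/actuator/**` without authentication, while the comment above it says only health and info are meant to be public; any other endpoint enabled in the management exposure settings (not visible here) would be readable anonymously. Narrowing it to `.requestMatchers(HttpMethod.GET, "/actuator/health/**", "/actuator/info").permitAll()` would make the rule match the comment. Separately, the premise in the commit message may not hold on every Spring Security 6 release: as far as I know the `requestMatchers(HttpMethod, String...)` overload can also pick an MVC matcher when Spring MVC is present, so if Ant matching is what is needed, `AntPathRequestMatcher.antMatcher(HttpMethod.POST, "/api/file/upload")` states it explicitly. The rewritten comment also drops the note that the upload endpoint is intentionally public, which is worth keeping next to a `permitAll()` on a POST. The enclosing filter-chain method starts and ends outside the hunk.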