fix(file-service): use explicit HttpMethod on all requestMatchers to force AntRequestMatcher

Spring Security 6 MvcRequestMatcher (used when no HttpMethod is specified and Spring MVC is on the classpath) fails to match the upload endpoint, falling through to anyRequest().authenticated() and returning 401. Specifying HttpMethod forces AntRequestMatcher which matches reliably. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 15:11:13 +08:00 · 2026-05-18 15:11:13 +08:00 · b49b67bb1e
--- a/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
+++ b/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
@ -36,12 +36,12 @@ public class SecurityConfig {
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
-                // Public: file upload and serving by hash (upload is intentionally public)
+                // Public: file upload and serving (AntRequestMatcher via explicit method)
-                .requestMatchers("/api/file/upload").permitAll()
+                .requestMatchers(HttpMethod.POST, "/api/file/upload").permitAll()
-                .requestMatchers("/api/file/*/thumbnail").permitAll()
+                .requestMatchers(HttpMethod.GET, "/api/file/*/thumbnail").permitAll()
-                .requestMatchers("/api/file/*").permitAll()
+                .requestMatchers(HttpMethod.GET, "/api/file/*").permitAll()
                // Actuator health & info
-                .requestMatchers("/actuator/**").permitAll()
+                .requestMatchers(HttpMethod.GET, "/actuator/**").permitAll()
                .anyRequest().authenticated()
            )
            .exceptionHandling(ex -> ex