feat(jwt): implement JWT-based authentication system

weblog-module-admin/build.gradle.kts

@@ -3,8 +3,13 @@ plugins {
 }
 
 dependencies {
+    // Spring Security
+    implementation("org.springframework.boot:spring-boot-starter-security")
     // Test
     testImplementation("org.springframework.boot:spring-boot-starter-test")
 
     implementation(project(":weblog-module-common"))
+
+    implementation(project(":weblog-module-jwt"))
+    testImplementation("org.springframework.security:spring-security-test")
 }

weblog-module-admin/src/main/java/com/hanserwei/admin/config/WebSecurityConfig.java

@@ -0,0 +1,61 @@
+package com.hanserwei.admin.config;
+
+import com.hanserwei.jwt.config.JwtAuthenticationSecurityConfig;
+import jakarta.annotation.Resource;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig {
+
+    @Resource
+    private JwtAuthenticationSecurityConfig jwtAuthenticationSecurityConfig;
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http
+                // 1. 禁用 CSRF
+                .csrf(AbstractHttpConfigurer::disable)
+                // 2. 禁用表单登录
+                .formLogin(AbstractHttpConfigurer::disable)
+                // 3. 授权规则配置
+                .authorizeHttpRequests(auth -> auth
+                        .requestMatchers("/admin/**").authenticated() // 保护 /admin/**
+                        .anyRequest().permitAll() // 其他放行
+                )
+                // 4. 会话管理：无状态
+                .sessionManagement(session -> session
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                )
+                // 5. 应用自定义配置 (核心变化)
+                .with(jwtAuthenticationSecurityConfig, Customizer.withDefaults());
+        return http.build();
+    }
+
+    /**
+     * 定义 AuthenticationProvider Bean。
+     * Spring Security 会自动将此 Provider 注入到 AuthenticationManager 中。
+     */
+    @Bean
+    public AuthenticationProvider authenticationProvider(UserDetailsService userDetailsService,
+                                                         PasswordEncoder passwordEncoder) {
+        // 修正点：直接在构造函数中传入 userDetailsService
+        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(userDetailsService);
+
+        // 设置密码编码器 (PasswordEncoder 依然使用 setter 设置)
+        authProvider.setPasswordEncoder(passwordEncoder);
+
+        return authProvider;
+    }
+}