diff --git a/opsli-base-support/opsli-core/src/main/java/org/opsli/core/autoconfigure/conf/SecurityConfig.java b/opsli-base-support/opsli-core/src/main/java/org/opsli/core/autoconfigure/conf/SecurityConfig.java
index 5e4aa29f..1dc15a2b 100644
--- a/opsli-base-support/opsli-core/src/main/java/org/opsli/core/autoconfigure/conf/SecurityConfig.java
+++ b/opsli-base-support/opsli-core/src/main/java/org/opsli/core/autoconfigure/conf/SecurityConfig.java
@@ -67,13 +67,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
                 .frameOptions().disable()
             .and()
             // 关闭csrf token认证不需要csrf防护
-            .csrf().disable();
-
-        // 关闭Session会话管理器 JWT 不需要
-        http.sessionManagement().disable();
-
-        // 关闭记住我功能 JWT 不需要
-        http.rememberMe().disable();
+            .csrf().disable()
+            // 关闭Session会话管理器 JWT 不需要
+            .sessionManagement().disable()
+            // 关闭记住我功能 JWT 不需要
+            .rememberMe().disable();
 
         // 初始化 initAuthorizeRequests
         this.initAuthorizeRequests(http);
diff --git a/opsli-starter/src/main/resources/application.yaml b/opsli-starter/src/main/resources/application.yaml
index ad2db14e..4e1234f3 100644
--- a/opsli-starter/src/main/resources/application.yaml
+++ b/opsli-starter/src/main/resources/application.yaml
@@ -164,14 +164,11 @@ opsli:
     credentials-expired: -1
     # 排除过滤URL
     url-exclusion:
-      # 未登陆状态下可以访问
-      anonymous:
+      permit-all:
         - "/captcha"
         - "/system/slipCount"
         - "/system/login"
         - "/system/login-by-code"
-      # 无限制
-      permit-all:
         - "/api/*/common/public-key"
         - "/api/*/common/email/create-code"
         - "/api/*/common/mobile/create-code"