diff --git a/src/main/java/hxy/dragon/config/security/SecurityConfig.java b/src/main/java/hxy/dragon/config/security/SecurityConfig.java
index 9eff082dd212ede37ab648f51dad1cebf99080ed..91db772e75e8895d3c2d8f0eac3332a92fbeecc1 100644
--- a/src/main/java/hxy/dragon/config/security/SecurityConfig.java
+++ b/src/main/java/hxy/dragon/config/security/SecurityConfig.java
@@ -4,6 +4,9 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Lazy;
+import org.springframework.http.HttpStatus;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
@@ -14,14 +17,11 @@ import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.http.HttpMethod;
+import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
-import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 /**
  * Security configuration
@@ -60,17 +60,61 @@ public class SecurityConfig {
     @Bean
     public AuthenticationEntryPoint authenticationEntryPoint() {
         return (request, response, authException) -> {
-            // For template pages (like /files), redirect to login
-            response.sendRedirect("/login");
+            if (isApiRequest((HttpServletRequest) request)) {
+                response.setStatus(HttpStatus.UNAUTHORIZED.value());
+                response.setContentType("application/json;charset=UTF-8");
+                response.getWriter().write("{\"code\":401,\"msg\":\"Unauthorized\"}");
+            } else {
+                response.sendRedirect("/login");
+            }
+        };
+    }
+
+    private boolean isApiRequest(HttpServletRequest request) {
+        String uri = request.getRequestURI();
+        String accept = request.getHeader("Accept");
+        String contentType = request.getHeader("Content-Type");
+        String xrw = request.getHeader("X-Requested-With");
+        if (uri != null && uri.startsWith("/file/")) {
+            return true;
+        }
+        if (xrw != null && "XMLHttpRequest".equalsIgnoreCase(xrw)) {
+            return true;
+        }
+        if (accept != null && accept.toLowerCase().contains("application/json")) {
+            return true;
+        }
+        if (contentType != null && contentType.toLowerCase().contains("application/json")) {
+            return true;
+        }
+        return false;
+    }
+
+    @Bean
+    public AuthenticationEntryPoint loginRedirectEntryPoint() {
+        return new LoginUrlAuthenticationEntryPoint("/login");
+    }
+
+    @Bean
+    public AccessDeniedHandler restAccessDeniedHandler() {
+        return (request, response, ex) -> {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            response.setContentType("application/json;charset=UTF-8");
+            response.getWriter().write("{\"code\":403,\"msg\":\"Forbidden\"}");
         };
     }
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
+                .formLogin(form -> form.disable())
+                .httpBasic(httpBasic -> httpBasic.disable())
                 .csrf(AbstractHttpConfigurer::disable)
-                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
-                .exceptionHandling(ex -> ex.authenticationEntryPoint(authenticationEntryPoint()))
+                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .exceptionHandling(ex -> ex
+                        .authenticationEntryPoint(authenticationEntryPoint())
+                        .accessDeniedHandler(restAccessDeniedHandler())
+                )
                 .authorizeHttpRequests(authz -> authz
                         // Public endpoints
                         .requestMatchers("/auth/**").permitAll()
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index d68f30412af6c6d7940260bab91fea34dc4fa88e..453406986c553758a064c50008e6324997553183 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -36,8 +36,14 @@ logging:
 server:
   port: 8888
-# address: 0.0.0.0 # 这里不会影响局域网访问
-
+  # address: 0.0.0.0 # 这里不会影响局域网访问
+  servlet:
+    multipart:
+      enabled: true
+      max-file-size: 3MB
+      max-request-size: 3MB
+      file-size-threshold: 0 # 所有文件先存内存,不写临时文件
+# location: /tmp/tomcat # 如需自定义临时目录
 
 # JWT configuration
 jwt:
   accessExpiration: 7200000 # 2 hours in milliseconds
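Review bot: `loginRedirectEntryPoint()` is registered as a second `AuthenticationEntryPoint` bean but `filterChain` never references it, so it is dead code and, should any other component inject `AuthenticationEntryPoint` by type, it would make that injection ambiguous; either drop it or use it for the browser branch in place of the inline `response.sendRedirect("/login")`. The cast in `isApiRequest((HttpServletRequest) request)` is redundant, since `commence` already receives an `HttpServletRequest`, and `restAccessDeniedHandler()` answers every 403 with JSON while the entry point still distinguishes browser navigations, so an authenticated user lacking a role on a template page gets a raw JSON body; adding `if (!isApiRequest(request)) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; }` at the top of that lambda keeps the two paths consistent. With `formLogin` now disabled Spring no longer serves a generated `/login` page, and under `STATELESS` sessions the redirect presumably relies on an application controller plus a token carried outside the session — worth confirming. `filterChain` continues past the end of the hunk.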
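Review bot: The new multipart settings are nested under `server.servlet`, but Spring Boot binds them from the `spring.servlet.multipart` prefix (`server.servlet` covers context-path, session and encoding), so as written `max-file-size: 3MB` and the other keys are presumably ignored and the framework defaults remain in force; move the block under a `spring:` key. The comment on `file-size-threshold: 0` also reads backwards: the threshold is the size after which a part is written to disk, so `0` sends every upload to the temp directory rather than keeping it in memory — either reword the comment or raise the threshold to the size you actually want buffered in memory (for example `file-size-threshold: 3MB` to match `max-file-size`).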