diff --git a/ruoyi-admin/src/main/resources/application.yml b/ruoyi-admin/src/main/resources/application.yml
index fa95235a7..9f649edb0 100644
--- a/ruoyi-admin/src/main/resources/application.yml
+++ b/ruoyi-admin/src/main/resources/application.yml
@@ -106,6 +106,23 @@ token:
 # 令牌有效期(默认30分钟)
 expireTime: 30
+# security配置
+security:
+ anonymous:
+ - /login
+ - /register
+ - /captchaImage
+ # swagger 文档配置
+ - /doc.html
+ - /swagger-resources/**
+ - /webjars/**
+ - /*/api-docs
+ # druid 监控配置
+ - /druid/**
+ # actuator 监控配置
+ - /actuator
+ - /actuator/**
+
 # 重复提交
 repeat-submit:
 # 全局间隔时间(毫秒)
diff --git a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
index bd6ee8f36..855be657c 100644
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
@@ -1,5 +1,6 @@
 package com.ruoyi.framework.config;
+import com.ruoyi.framework.config.properties.SecurityProperties;
 import com.ruoyi.framework.security.filter.JwtAuthenticationTokenFilter;
 import com.ruoyi.framework.security.handle.AuthenticationEntryPointImpl;
 import com.ruoyi.framework.security.handle.LogoutSuccessHandlerImpl;
@@ -56,6 +57,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter
 @Autowired
 private CorsFilter corsFilter;
+ @Autowired
+ private SecurityProperties securityProperties;
+
 /**
 * 解决 无法直接注入 AuthenticationManager
 *
@@ -96,8 +100,6 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter
 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
 // 过滤请求
 .authorizeRequests()
- // 对于登录login 注册register 验证码captchaImage 允许匿名访问
- .antMatchers("/login", "/register", "/captchaImage").anonymous()
 .antMatchers(
 HttpMethod.GET,
 "/",
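Review bot: The default `security.anonymous` list in application.yml still leaves `/druid/**`, `/actuator` and `/actuator/**` reachable without authentication, and nothing in the file tells a deployer that these entries should be trimmed per environment now that the list is configurable. I would put a comment above the monitoring entries, for example `# monitoring endpoints: remove or restrict these outside development`, so that a production profile overrides the list instead of inheriting it. The same remark fits the swagger entries (`/doc.html`, `/swagger-resources/**`, `/*/api-docs`). What these endpoints actually return depends on actuator and druid settings that are not visible in this hunk.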
@@ -106,14 +108,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter
 "/**/*.css",
 "/**/*.js"
 ).permitAll()
- .antMatchers("/doc.html").anonymous()
- .antMatchers("/swagger-resources/**").anonymous()
- .antMatchers("/webjars/**").anonymous()
- .antMatchers("/*/api-docs").anonymous()
- .antMatchers("/druid/**").anonymous()
- // Spring Boot Actuator 的安全配置
- .antMatchers("/actuator").anonymous()
- .antMatchers("/actuator/**").anonymous()
+ .antMatchers(securityProperties.getAnonymous()).anonymous()
 // 除上面外的所有请求全部需要鉴权认证
 .anyRequest().authenticated()
 .and()
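Review bot: `securityProperties.getAnonymous()` is passed to `antMatchers(...)` unchecked, so every route that skips authentication now comes from an externally supplied list that is matched before `.anyRequest().authenticated()`. If the `security.anonymous` key is absent the getter may return null or an empty array (SecurityProperties is not shown here, so its defaults are unknown), and a catch-all entry such as `/**` would remove the authentication requirement for every route without any code change. I would resolve the list once before building the chain, for example `String[] anonymousPaths = Objects.requireNonNull(securityProperties.getAnonymous(), "security.anonymous");`, reject empty or catch-all patterns, and log the effective patterns at startup so that a configuration change is visible. The enclosing configure method starts and ends outside this hunk.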