Merge remote-tracking branch 'origin/master'

# Conflicts:
#	jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
#	jeecg-boot/jeecg-boot-module/jeecg-module-zjrs/src/main/java/org/jeecg/modules/zjrs/sso/service/impl/LoginSSOServiceImpl.java

jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/config/shiro/ShiroRealm.java

@@ -74,18 +74,23 @@ public class ShiroRealm extends AuthorizingRealm {
         }
         SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
 
-        // 设置用户拥有的角色集合，比如"admin,test"
-        Set<String> roleSet = commonApi.queryUserRolesById(userId);
+		// 小程序/SSO用户（username以personal_或enterprise_开头）无需RBAC权限校验，授予通配权限
+		// 这类用户不是后台管理系统用户，只要能看到的页面，其背后接口都应允许调用
+		if (username != null && (username.startsWith("personal_") || username.startsWith("enterprise_"))) {
+			info.addStringPermission("*");
+			log.debug("===============小程序/SSO用户[{}]授予通配权限==============", username);
+			return info;
+		}
+
+		// 设置用户拥有的角色集合，比如"admin,test"
+		Set<String> roleSet = commonApi.queryUserRolesById(userId);
         //System.out.println(roleSet.toString());
         info.setRoles(roleSet);
 
-        // 设置用户拥有的权限集合，比如"sys:role:add,sys:user:add"
+        // 设置用户拥有的权限集合，比如“sys:role:add,sys:user:add”
         Set<String> permissionSet = commonApi.queryUserAuths(userId);
         info.addStringPermissions(permissionSet);
-        // 小程序用户（enterprise_/personal_开头）授予全部权限
-        if (username != null && (username.startsWith("enterprise_") || username.startsWith("personal_"))) {
-            info.addStringPermission("*");
-        }
+        //System.out.println(permissionSet);
         log.debug("===============Shiro权限认证成功==============");
         return info;
     }

jeecg-boot/jeecg-boot-module/jeecg-module-zjrs/src/main/java/org/jeecg/modules/zjrs/sso/service/impl/LoginSSOServiceImpl.java

@@ -392,7 +392,7 @@ public class LoginSSOServiceImpl implements ILoginSSOService {
         // TokenUtils.getLoginUser() → redisUtil.get(SYS_USERS_CACHE::username)
         // ShiroRealm.checkUserTokenIsEffect() → jwtTokenRefresh() 需要loginUser.getPassword()校验token签名
         LoginUser loginUser = new LoginUser();
-        loginUser.setId(username);       // 使用username作为id，避免PrincipalIdNullException
+        loginUser.setId(username);        // 必须设置id，Shiro RedisCache通过id字段构建权限缓存Key，否则会抛PrincipalIdNullException
         loginUser.setUsername(username);
         loginUser.setPassword(username);  // 与JwtUtil.sign(username, username)一致
         loginUser.setStatus(1);           // 正常状态