feat: add config option to allow disabling Basic authentication (#6689)

#### What type of PR is this?
/milestone 2.20.x
/area core
/kind improvement

#### What this PR does / why we need it:
允许通过 `halo.security.basic-auth.disabled=true` 配置来禁用 Basic Auth 认证

#### Which issue(s) this PR fixes:
Fixes #5408

#### Does this PR introduce a user-facing change?
```release-note
允许通过 `halo.security.basic-auth.disabled=true` 配置来禁用 Basic Auth 认证，在 2.20 版本生产环境下默认禁用了 Basic Auth
```

application/src/main/java/run/halo/app/infra/config/WebServerSecurityConfig.java

@@ -1,6 +1,5 @@
 package run.halo.app.infra.config;
 
-import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.web.server.authentication.ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.builder;
 import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
 
@@ -109,7 +108,11 @@ public class WebServerSecurityConfig {
                 spec.principal(AnonymousUserConst.PRINCIPAL);
             })
             .securityContextRepository(securityContextRepository)
-            .httpBasic(withDefaults())
+            .httpBasic(basic -> {
+                if (haloProperties.getSecurity().getBasicAuth().isDisabled()) {
+                    basic.disable();
+                }
+            })
             .oauth2ResourceServer(oauth2 -> {
                 var authManagerResolver = builder().add(
                         new PatServerWebExchangeMatcher(),

application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java

@@ -18,6 +18,16 @@ public class SecurityProperties {
 
     private final TwoFactorAuthOptions twoFactorAuth = new TwoFactorAuthOptions();
 
+    private final BasicAuthOptions basicAuth = new BasicAuthOptions();
+
+    @Data
+    public static class BasicAuthOptions {
+        /**
+         * Whether basic authentication is disabled.
+         */
+        private boolean disabled = true;
+    }
+
     @Data
     public static class TwoFactorAuthOptions {
 

application/src/main/resources/application-dev.yaml

@@ -15,6 +15,9 @@ spring:
         use-last-modified: false
 
 halo:
+  security:
+    basic-auth:
+      disabled: false
   console:
     proxy:
       endpoint: http://localhost:3000/