配置cors

2025-07-17 16:19:29 +08:00
parent 144fa79201
commit 6a5d7a6be4
2 changed files with 15 additions and 39 deletions
--- a/src/main/java/com/arrokoth/standalone/authorization/config/CorsConfig.java
+++ b/src/main/java/com/arrokoth/standalone/authorization/config/CorsConfig.java
@@ -1,15 +1,17 @@
 package com.arrokoth.standalone.authorization.config;

 import lombok.extern.slf4j.Slf4j;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-import org.springframework.web.filter.CorsFilter;
+
+import java.util.List;

 /**
 * CorsConfig 是一个 Spring 配置类。
 * 用于全局配置跨域资源共享（CORS），允许前端应用访问后端 API。
- *
+ * <p>
 * 此配置适用于前后端分离架构中常见的跨域请求问题。
 */
@Slf4j // 使用 Lombok 提供的日志记录器
@@ -48,29 +50,23 @@ public class CorsConfig {
     */
    private CorsConfiguration buildConfig() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
-        corsConfiguration.addAllowedOrigin(DEFAULT_ALLOWED_ORIGINS); // 允许任意来源
        corsConfiguration.addAllowedHeader(DEFAULT_ALLOWED_HEADERS); // 允许任意请求头
        corsConfiguration.addAllowedMethod(DEFAULT_ALLOWED_METHODS); // 允许指定的方法
        corsConfiguration.setMaxAge(Long.parseLong(DEFAULT_MAX_AGE)); // 设置预检请求缓存时间
+        corsConfiguration.setAllowedOrigins(List.of(DEFAULT_ALLOWED_ORIGINS)); // 允许任意来源
+        corsConfiguration.setAllowCredentials(false); // 是否允许发送 Cookie（跨域请求中携带认证信息） // 如果是 true，allowedOrigins 不能设为 "*"
+        // 设置暴露给客户端的响应头（可选）
+        corsConfiguration.setExposedHeaders(List.of("X-Custom-Header"));
+        // 记录日志信息
+        log.debug("Initializing CorsFilter , the default allowed origins is `{}`, allowed headers is `{}`, allowed methods is `{}`, max age is `{}`",
+                DEFAULT_ALLOWED_ORIGINS, DEFAULT_ALLOWED_HEADERS, DEFAULT_ALLOWED_METHODS, DEFAULT_MAX_AGE);
        return corsConfiguration;
    }

-    /**
-     * 创建并注册一个全局的 CorsFilter Bean。
-     * 该过滤器将上述 CORS 策略应用到所有路径（/**）上。
-     *
-     * @return CorsFilter 实例
-     */
-//    @Bean
-    public CorsFilter corsFilter() {
+    @Bean
+    UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", buildConfig()); // 对所有路径启用 CORS 配置
-
-        // 记录日志信息
-        log.debug("Initializing CorsFilter , the default allowed origins is `{}`," +
-                        " allowed headers is `{}`, allowed methods is `{}`, max age is `{}`",
-                DEFAULT_ALLOWED_ORIGINS, DEFAULT_ALLOWED_HEADERS, DEFAULT_ALLOWED_METHODS, DEFAULT_MAX_AGE);
-
-        return new CorsFilter(source);
+        return source;
    }
 }
--- a/src/main/java/com/arrokoth/standalone/authorization/config/SecurityWebAutoConfigurer.java
+++ b/src/main/java/com/arrokoth/standalone/authorization/config/SecurityWebAutoConfigurer.java
@@ -16,11 +16,6 @@ import org.springframework.security.config.annotation.web.configurers.AbstractHt
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-
-import java.util.List;

@Slf4j
@Configuration
@@ -37,7 +32,7 @@ public class SecurityWebAutoConfigurer {
        log.debug("Configuring default security filter chain");
        http
                .csrf(AbstractHttpConfigurer::disable) // 前后端分离通常关闭CSRF
-                .cors(AbstractHttpConfigurer::disable) // 前后端分离通常关闭CSRF
+                .cors(AbstractHttpConfigurer::disable)
                .sessionManagement(session -> session
                        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)) // 无状态Session
                .authorizeHttpRequests(auth -> auth
@@ -71,20 +66,5 @@ public class SecurityWebAutoConfigurer {
        return authenticationConfiguration.getAuthenticationManager();
    }

-    @Bean
-    public CorsConfigurationSource corsConfigurationSource() {
-        log.info("Configuring cors configuration source");
-        CorsConfiguration configuration = new CorsConfiguration();

-
-        configuration.addAllowedOrigin(CorsConfig.DEFAULT_ALLOWED_ORIGINS); // 允许任意来源
-        configuration.addAllowedHeader(CorsConfig.DEFAULT_ALLOWED_HEADERS); // 允许任意请求头
-        configuration.addAllowedMethod(CorsConfig.DEFAULT_ALLOWED_METHODS); // 允许指定的方法
-        configuration.setMaxAge(Long.parseLong(CorsConfig.DEFAULT_MAX_AGE)); // 设置预检请求缓存时间
-        configuration.setAllowedOrigins(List.of("*")); // 替换为前端域名
-        configuration.setAllowCredentials(false);
-        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-        source.registerCorsConfiguration("/**", configuration);
-        return source;
-    }
 }