From 6a5d7a6be4cd43960d52a12c6c925f9f3a7e5d72 Mon Sep 17 00:00:00 2001
From: wangjianhong <546732225seven@gmail.com>
Date: Thu, 17 Jul 2025 16:19:29 +0800
Subject: [PATCH] =?UTF-8?q?=E9=85=8D=E7=BD=AEcors?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../authorization/config/CorsConfig.java | 32 ++++++++-----------
 .../config/SecurityWebAutoConfigurer.java | 22 +------------
 2 files changed, 15 insertions(+), 39 deletions(-)
diff --git a/src/main/java/com/arrokoth/standalone/authorization/config/CorsConfig.java b/src/main/java/com/arrokoth/standalone/authorization/config/CorsConfig.java
index 6653519..137d1db 100644
--- a/src/main/java/com/arrokoth/standalone/authorization/config/CorsConfig.java
+++ b/src/main/java/com/arrokoth/standalone/authorization/config/CorsConfig.java
@@ -1,15 +1,17 @@
 package com.arrokoth.standalone.authorization.config;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-import org.springframework.web.filter.CorsFilter;
+
+import java.util.List;
 /**
 * CorsConfig 是一个 Spring 配置类。
 * 用于全局配置跨域资源共享(CORS),允许前端应用访问后端 API。
- *
+ *
 * 此配置适用于前后端分离架构中常见的跨域请求问题。
 */
 @Slf4j // 使用 Lombok 提供的日志记录器
@@ -48,29 +50,23 @@ public class CorsConfig {
 */
 private CorsConfiguration buildConfig() {
 CorsConfiguration corsConfiguration = new CorsConfiguration();
- corsConfiguration.addAllowedOrigin(DEFAULT_ALLOWED_ORIGINS); // 允许任意来源
 corsConfiguration.addAllowedHeader(DEFAULT_ALLOWED_HEADERS); // 允许任意请求头
 corsConfiguration.addAllowedMethod(DEFAULT_ALLOWED_METHODS); // 允许指定的方法
 corsConfiguration.setMaxAge(Long.parseLong(DEFAULT_MAX_AGE)); // 设置预检请求缓存时间
+ corsConfiguration.setAllowedOrigins(List.of(DEFAULT_ALLOWED_ORIGINS)); // 允许任意来源
+ corsConfiguration.setAllowCredentials(false); // 是否允许发送 Cookie(跨域请求中携带认证信息) // 如果是 true,allowedOrigins 不能设为 "*"
+ // 设置暴露给客户端的响应头(可选)
+ corsConfiguration.setExposedHeaders(List.of("X-Custom-Header"));
+ // 记录日志信息
+ log.debug("Initializing CorsFilter , the default allowed origins is `{}`, allowed headers is `{}`, allowed methods is `{}`, max age is `{}`",
+ DEFAULT_ALLOWED_ORIGINS, DEFAULT_ALLOWED_HEADERS, DEFAULT_ALLOWED_METHODS, DEFAULT_MAX_AGE);
 return corsConfiguration;
 }
- /**
- * 创建并注册一个全局的 CorsFilter Bean。
- * 该过滤器将上述 CORS 策略应用到所有路径(/**)上。
- *
- * @return CorsFilter 实例
- */
-// @Bean
- public CorsFilter corsFilter() {
+ @Bean
+ UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource() {
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 source.registerCorsConfiguration("/**", buildConfig()); // 对所有路径启用 CORS 配置
-
- // 记录日志信息
- log.debug("Initializing CorsFilter , the default allowed origins is `{}`," +
- " allowed headers is `{}`, allowed methods is `{}`, max age is `{}`",
- DEFAULT_ALLOWED_ORIGINS, DEFAULT_ALLOWED_HEADERS, DEFAULT_ALLOWED_METHODS, DEFAULT_MAX_AGE);
-
- return new CorsFilter(source);
+ return source;
 }
 }
\ No newline at end of file
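Review bot: `setAllowedOrigins(List.of(DEFAULT_ALLOWED_ORIGINS))` in `buildConfig()` still takes the origin list from a compile-time constant that the inline comment describes as "any origin" (its value is outside the hunk), and the policy is registered for `/**` on an authorization service. With `setAllowCredentials(false)` cookie-authenticated responses are not exposed cross-origin, but a wildcard still lets scripts from any origin read responses to header-authenticated requests, and turning credentials on later would force the wildcard to be replaced anyway. Consider binding the list from configuration and naming the front-end origins explicitly, e.g. `corsConfiguration.setAllowedOrigins(allowedOrigins);` with `allowedOrigins` a `List<String>` supplied from application properties (placeholder name). `setExposedHeaders(List.of("X-Custom-Header"))` looks like a sample value; drop it or list the headers clients really need. The `log.debug` text still says "Initializing CorsFilter" although no `CorsFilter` is created any more, and it now runs on every `buildConfig()` call.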
diff --git a/src/main/java/com/arrokoth/standalone/authorization/config/SecurityWebAutoConfigurer.java b/src/main/java/com/arrokoth/standalone/authorization/config/SecurityWebAutoConfigurer.java
index d6c877b..61de936 100644
--- a/src/main/java/com/arrokoth/standalone/authorization/config/SecurityWebAutoConfigurer.java
+++ b/src/main/java/com/arrokoth/standalone/authorization/config/SecurityWebAutoConfigurer.java
@@ -16,11 +16,6 @@ import org.springframework.security.config.annotation.web.configurers.AbstractHt
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-
-import java.util.List;
 @Slf4j
 @Configuration
@@ -37,7 +32,7 @@ public class SecurityWebAutoConfigurer {
 log.debug("Configuring default security filter chain");
 http
 .csrf(AbstractHttpConfigurer::disable) // 前后端分离通常关闭CSRF
- .cors(AbstractHttpConfigurer::disable) // 前后端分离通常关闭CSRF
+ .cors(AbstractHttpConfigurer::disable)
 .sessionManagement(session -> session
 .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)) // 无状态Session
 .authorizeHttpRequests(auth -> auth
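Review bot: `.cors(AbstractHttpConfigurer::disable)` stays on the new side, so this filter chain installs no Spring Security CORS filter, while the commit now exposes the policy only as a `UrlBasedCorsConfigurationSource` bean in CorsConfig. Nothing visible in the patch consumes that bean, so the policy from `buildConfig()` may never be applied to requests on this chain, and preflight `OPTIONS` requests would go straight to the authorization rules. If the CorsConfig policy is meant to be enforced here, wire it explicitly, e.g. `.cors(cors -> cors.configurationSource(urlBasedCorsConfigurationSource))` with the bean passed into this method, or `.cors(Customizer.withDefaults())` if the framework can resolve the bean. Separately, the context lines disable CSRF while the session policy is `IF_REQUIRED` although the comment says stateless; that is only safe if no request is authenticated by a session cookie. The method body starts and ends outside the hunk.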
@@ -71,20 +66,5 @@ public class SecurityWebAutoConfigurer {
 return authenticationConfiguration.getAuthenticationManager();
 }
- @Bean
- public CorsConfigurationSource corsConfigurationSource() {
- log.info("Configuring cors configuration source");
- CorsConfiguration configuration = new CorsConfiguration();
-
- configuration.addAllowedOrigin(CorsConfig.DEFAULT_ALLOWED_ORIGINS); // 允许任意来源
- configuration.addAllowedHeader(CorsConfig.DEFAULT_ALLOWED_HEADERS); // 允许任意请求头
- configuration.addAllowedMethod(CorsConfig.DEFAULT_ALLOWED_METHODS); // 允许指定的方法
- configuration.setMaxAge(Long.parseLong(CorsConfig.DEFAULT_MAX_AGE)); // 设置预检请求缓存时间
- configuration.setAllowedOrigins(List.of("*")); // 替换为前端域名
- configuration.setAllowCredentials(false);
- UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
- source.registerCorsConfiguration("/**", configuration);
- return source;
- }
 }
\ No newline at end of file