cors跨域后端服务器配置

exchris · Mar 23, 2022 · 321b0e4 · 321b0e4
1 parent 9e27cbf
commit 321b0e4
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 18 deletions.
diff --git a/yami-shop-admin/src/main/java/com/yami/shop/admin/security/ResourceServerConfiguration.java b/yami-shop-admin/src/main/java/com/yami/shop/admin/security/ResourceServerConfiguration.java
@@ -18,6 +18,7 @@
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
 import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsUtils;
 
 @Configuration
 @EnableResourceServer
@@ -32,15 +33,12 @@ public void configure(HttpSecurity http) throws Exception {
         // @formatter:off
         http
                 .addFilterBefore(loginAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
-                // Since we want the protected resources to be accessible in the UI as well we need
-                // session creation to be allowed (it's disabled by default in 2.0.6)
-                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
-                .and()
-                .requestMatchers().anyRequest()
-                .and()
-                .anonymous()
-                .and()
-                .authorizeRequests()
+                .csrf().disable().cors()
+                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
+                .and().authorizeRequests().requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
+                .and().requestMatchers().anyRequest()
+                .and().anonymous()
+                .and().authorizeRequests()
                 .antMatchers(
                         "/webjars/**",
                         "/swagger/**",

diff --git a/yami-shop-api/src/main/java/com/yami/shop/api/security/ResourceServerConfiguration.java b/yami-shop-api/src/main/java/com/yami/shop/api/security/ResourceServerConfiguration.java
@@ -17,6 +17,7 @@
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
 import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsUtils;
 
 @Configuration
 @EnableResourceServer
@@ -29,15 +30,12 @@ public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter
     public void configure(HttpSecurity http) throws Exception {
         http
                 .addFilterBefore(loginAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
-                // Since we want the protected resources to be accessible in the UI as well we need
-                // session creation to be allowed (it's disabled by default in 2.0.6)
-                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
-                .and()
-                .requestMatchers().anyRequest()
-                .and()
-                .anonymous()
-                .and()
-                .authorizeRequests()
+                .csrf().disable().cors()
+                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                .and().authorizeRequests().requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
+                .and().requestMatchers().anyRequest()
+                .and().anonymous()
+                .and().authorizeRequests()
                 //配置/p访问控制，必须认证过后才可以访问
                 .antMatchers("/p/**").authenticated();
     }