feat(security): 添加CORS配置并调整跨域策略

- 在SecurityConfig中添加CORS配置，允许所有源、方法和头部 - 设置CORS凭证为false以避免与通配符冲突 - 在WebConfig中将allowCredentials设置为false - 更新注释说明凭证配置的变更原因
2026-01-08 18:07:20 +08:00
parent bd0188605d
commit 363918b3f7
2 changed files with 10 additions and 2 deletions
--- a/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
+++ b/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
@@ -72,6 +72,14 @@ public class SecurityConfig {
                };
        http
                .cors(cors -> cors.configurationSource(request -> {
                    org.springframework.web.cors.CorsConfiguration config = new org.springframework.web.cors.CorsConfiguration();
                    config.addAllowedOriginPattern("*");
                    config.addAllowedMethod("*");
                    config.addAllowedHeader("*");
                    config.setAllowCredentials(false); // 与CORS配置保持一致
                    return config;
                }))
                .csrf(csrf -> csrf.disable())   // 配置了 CSRF 禁用、无状态会话管理
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(authz -> authz
--- a/biji-houdaun/src/main/java/com/test/bijihoudaun/config/WebConfig.java
+++ b/biji-houdaun/src/main/java/com/test/bijihoudaun/config/WebConfig.java
@@ -11,10 +11,10 @@ public class WebConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
-                .allowedOriginPatterns("*") // 使用allowedOriginPatterns
+                .allowedOriginPatterns("*") // 允许所有源
                .allowedMethods("*")
                .allowedHeaders("*")
-                .allowCredentials(true) // 允许凭证
+                .allowCredentials(false) // 不允许凭证，否则与通配符冲突
                .maxAge(3600); // 预检请求缓存时间
    }