perf: 跨域支持

common/core/src/main/java/org/funcode/portal/server/common/core/config/ApplicationConfig.java

@@ -32,7 +32,7 @@ public class ApplicationConfig {
      * @param weChat                     微信小程序
      * @param logoutSuccessUrl           注销成功跳转地址
      * @param loginPage                  登录页地址，默认：/login
-     * @param corsAllowedOrigins         允许跨域的域名
+     * @param corsAllowedHeaders         允许跨域的请求头
      * @param corsAllowedOriginPatterns  允许跨域的域名Pattern
      * @param corsAllowedMethods         允许跨域的请求方法
      * @param corsAllowCredentials       是否允许跨域携带cookie
@@ -43,7 +43,7 @@ public record Security(String adminUsername,
                            @NestedConfigurationProperty WeChat weChat,
                            String logoutSuccessUrl,
                            String loginPage,
-                           List<String> corsAllowedOrigins,
+                           List<String> corsAllowedHeaders,
                            List<String> corsAllowedOriginPatterns,
                            List<String> corsAllowedMethods,
                            boolean corsAllowCredentials) {

common/core/src/main/java/org/funcode/portal/server/common/core/config/security/DefaultSecurityConfig.java

@@ -36,8 +36,10 @@
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.filter.CorsFilter;
+
+import java.util.List;
 
-import static org.funcode.portal.server.common.core.constant.SecurityConstant.TOKEN_HEADER_KEY;
 import static org.funcode.portal.server.common.core.security.filter.WechatAuthenticationFilter.WECHAT_LOGIN_PATH;
 import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
 import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
@@ -138,15 +140,31 @@ public PasswordEncoder passwordEncoder() {
     }
 
     private CorsConfigurationSource corsWebsiteConfigurationSource() {
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", corsConfiguration());
+        return source;
+    }
+
+    @Bean
+    public CorsConfiguration corsConfiguration() {
         CorsConfiguration configuration = new CorsConfiguration();
-        configuration.setAllowedOrigins(applicationConfig.getSecurity().corsAllowedOrigins());
         configuration.setAllowedOriginPatterns(applicationConfig.getSecurity().corsAllowedOriginPatterns());
         configuration.setAllowedMethods(applicationConfig.getSecurity().corsAllowedMethods());
         configuration.setAllowCredentials(applicationConfig.getSecurity().corsAllowCredentials());
-        configuration.addAllowedHeader(TOKEN_HEADER_KEY);
+        configuration.setAllowedHeaders(applicationConfig.getSecurity().corsAllowedHeaders());
+        configuration.setMaxAge(3600L);
+        configuration.setExposedHeaders(List.of(
+                "Access-Control-Allow-Origin",
+                "Access-Control-Allow-Methods",
+                "Access-Control-Allow-Credentials"));
+        return configuration;
+    }
+
+    @Bean
+    public CorsFilter corsFilter() {
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-        source.registerCorsConfiguration("/**", configuration);
-        return source;
+        source.registerCorsConfiguration("/**", corsConfiguration());
+        return new CorsFilter(source);
     }
 
 }

common/core/src/main/java/org/funcode/portal/server/common/core/security/filter/JwtTokenFilter.java

@@ -11,6 +11,7 @@
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
 import org.apache.commons.lang3.StringUtils;
+import org.funcode.portal.server.common.core.config.ApplicationConfig;
 import org.funcode.portal.server.common.core.constant.SecurityConstant;
 import org.funcode.portal.server.common.core.security.service.IJwtService;
 import org.funcode.portal.server.common.core.util.CookieUtils;
@@ -29,12 +30,19 @@
 @RequiredArgsConstructor
 public class JwtTokenFilter extends OncePerRequestFilter {
     private final IJwtService jwtService;
+    private final ApplicationConfig applicationConfig;
 
     @Override
     protected void doFilterInternal(@NonNull HttpServletRequest request,
                                     @NonNull HttpServletResponse response,
                                     @NonNull FilterChain filterChain)
             throws ServletException, IOException {
+        // 跨域支持
+        response.setHeader("Access-Control-Allow-Origin", String.join(",", applicationConfig.getSecurity().corsAllowedOriginPatterns()));
+        response.setHeader("Access-Control-Allow-Credentials", String.valueOf(applicationConfig.getSecurity().corsAllowCredentials()));
+        response.setHeader("Access-Control-Allow-Methods", String.join(",", applicationConfig.getSecurity().corsAllowedMethods()));
+        response.setHeader("Access-Control-Max-Age", "3600");
+        response.setHeader("Access-Control-Allow-Headers", String.join(",", applicationConfig.getSecurity().corsAllowedHeaders()));
         // 获取 token，优先从 cookie 获取，其次从 header 获取
         String accessTokenCookie = CookieUtils.getCookieValue(request, SecurityConstant.TOKEN_COOKIE_KEY);
         final String accessToken = StringUtils.isBlank(accessTokenCookie) ? request.getHeader(SecurityConstant.TOKEN_HEADER_KEY) : accessTokenCookie;

starter/src/main/resources/application.yml

@@ -24,11 +24,14 @@ application:
       refresh-expiration: 10080
     cors-allowed-origin-patterns:
       - '*'
-    cors-allowed-origins:
-      - '*'
     cors-allowed-methods:
       - '*'
-    cors-allow-credentials: false
+    cors-allowed-headers:
+      - 'Content-Type'
+      - 'Access-Control-Request-Method'
+      - 'Access-Control-Request-Headers'
+      - 'Fa'
+    cors-allow-credentials: true
   cos:
     secret-id: ${COS_SECRET_ID}
     secret-key: ${COS_SECRET_KEY}