From 8a0698238fc02c69dff5225fd66024f2a37d2ff4 Mon Sep 17 00:00:00 2001
From: rlarlgnszx
Date: Wed, 25 Sep 2024 19:09:04 +0900
Subject: [PATCH] [fix] cors (#351)
---
 .../app/common/config/WebSecurityConfig.java | 36 ++++++++++---------
 1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/src/main/java/org/sopt/app/common/config/WebSecurityConfig.java b/src/main/java/org/sopt/app/common/config/WebSecurityConfig.java
index 6944be42..b4365c8b 100755
--- a/src/main/java/org/sopt/app/common/config/WebSecurityConfig.java
+++ b/src/main/java/org/sopt/app/common/config/WebSecurityConfig.java
@@ -2,15 +2,12 @@
 import jakarta.servlet.http.HttpServletResponse;
 import java.util.Arrays;
-import java.util.Collections;
 import lombok.RequiredArgsConstructor;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.config.annotation.web.configurers.RequestCacheConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@@ -24,8 +21,7 @@
 @EnableWebSecurity
 @Configuration
 public class WebSecurityConfig {
- @Value("${app.base.url}")
- private String domain;
+
 private static final String[] SwaggerPatterns = {
 "/docs/**",
 "/swagger-resources/**",
@@ -49,10 +45,9 @@ public class WebSecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http - .csrf(AbstractHttpConfigurer::disable) - .cors(cors-> cors.configurationSource(customconfigurationSource())) .httpBasic(AbstractHttpConfigurer::disable) - .requestCache(RequestCacheConfigurer::disable) + .cors(cors-> cors.configurationSource(corsConfigurationSource())) + .csrf(AbstractHttpConfigurer::disable) .formLogin(AbstractHttpConfigurer::disable) .sessionManagement(sessionManagementConfigurer -> sessionManagementConfigurer @@ -68,8 +63,8 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { auth.anyRequest().authenticated(); }); // 필터 체인에 필터 추가 - http.addFilterAfter(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); - http.addFilterAfter(jwtExceptionFilter, JwtAuthenticationFilter.class); + http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); + http.addFilterBefore(jwtExceptionFilter, JwtAuthenticationFilter.class); return http.build(); } 
@@ -79,14 +74,21 @@ public HttpFirewall defaultHttpFirewall() { } @Bean - public CorsConfigurationSource customconfigurationSource() { - CorsConfiguration configuration = new CorsConfiguration(); - configuration.setAllowedHeaders(Collections.singletonList("*")); - configuration.setAllowedMethods(Arrays.asList("HEAD", "POST", "GET", "DELETE", "PUT", "UPDATE", "OPTIONS")); - configuration.setAllowedOriginPatterns(Arrays.asList("*")); - configuration.setAllowCredentials(false); + protected CorsConfigurationSource corsConfigurationSource() { UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); - source.registerCorsConfiguration("/**", configuration); + source.registerCorsConfiguration("/**", getDefaultCorsConfiguration()); + return source; } + + private CorsConfiguration getDefaultCorsConfiguration() { + CorsConfiguration configuration = new CorsConfiguration(); + configuration.setAllowedOriginPatterns(Arrays.asList("*")); + configuration.setAllowedHeaders(Arrays.asList("*")); + configuration.setAllowedMethods(Arrays.asList("*")); + configuration.setAllowCredentials(true); + configuration.setMaxAge(3600L); + + return configuration; + } }
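Review bot: `getDefaultCorsConfiguration()` pairs `setAllowedOriginPatterns(Arrays.asList("*"))` with `setAllowCredentials(true)`, so Spring will echo any request's Origin back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true` for every path under `/**` — the origin-pattern API is the one that permits this combination (`setAllowedOrigins("*")` would be rejected at startup), and the same hunk drops the previous `setAllowCredentials(false)`. If the API authenticates only via a Bearer header (the JWT filters in the earlier hunk suggest so, but this file does not show where the token is read), credentials mode adds nothing and `configuration.setAllowCredentials(false);` should be kept; if cookies are involved, the wildcard must become an explicit allow-list of first-party origins, for which the `app.base.url` value removed in the first hunk was the natural source, and note that CSRF protection is disabled in the filter chain above. In either case a short comment on the `setAllowCredentials` line stating why that value was chosen would keep this from flip-flopping in a later "fix cors" commit.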