From 9099e915dbbcf021ca5e58bfd6f93bf6a1c919b4 Mon Sep 17 00:00:00 2001
From: ovo
Date: Sat, 7 Dec 2024 22:15:48 +0800
Subject: [PATCH] feat:

---
 .../com/guwan/backend/config/CorsConfig.java | 4 ++++
 .../guwan/backend/config/SecurityConfig.java | 17 ++++++++++-------
 .../security/JwtAuthenticationFilter.java | 10 +++++++---
 3 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/src/main/java/com/guwan/backend/config/CorsConfig.java b/src/main/java/com/guwan/backend/config/CorsConfig.java
index a0d5ca3..9aff36f 100644
--- a/src/main/java/com/guwan/backend/config/CorsConfig.java
+++ b/src/main/java/com/guwan/backend/config/CorsConfig.java
@@ -18,6 +18,10 @@ public class CorsConfig {
 config.setAllowCredentials(true); // 允许凭证
 config.addAllowedMethod("*"); // 允许所有方法
 config.addAllowedHeader("*"); // 允许所有头
+ // 允许跨域的头
+ config.addExposedHeader("Authorization");
+ // 预检请求的缓存时间
+ config.setMaxAge(3600L);
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 source.registerCorsConfiguration("/**", config); // 对所有路径应用配置
diff --git a/src/main/java/com/guwan/backend/config/SecurityConfig.java b/src/main/java/com/guwan/backend/config/SecurityConfig.java
index 2b71ca0..c38ada1 100644
--- a/src/main/java/com/guwan/backend/config/SecurityConfig.java
+++ b/src/main/java/com/guwan/backend/config/SecurityConfig.java
@@ -5,6 +5,7 @@ import com.guwan.backend.security.JwtAuthenticationFilter;
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
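Review bot: `config.addExposedHeader("Authorization")` is only needed if the server actually returns a token in an `Authorization` response header; if tokens are delivered in the response body (not visible here), the exposure should be dropped, since every exposed header widens what a cross-origin script may read. The same method already combines `setAllowCredentials(true)` with `addAllowedHeader("*")`, and the allowed-origin list lies outside the hunk — if that list is a wildcard origin pattern, any site can issue credentialed requests, which together with the disabled CSRF protection in SecurityConfig is a genuine risk, so the origins should be an explicit list. A short comment on the new lines would help future readers, e.g. `// expose Authorization to browser scripts; only required when the token is returned in a response header`. The enclosing method starts and ends outside the hunk.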
@@ -15,6 +16,7 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.config.Customizer;
 
 /**
 * Spring Security 安全配置类
@@ -38,16 +40,17 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 http
- .csrf(AbstractHttpConfigurer::disable) // 禁用CSRF保护
- .cors(AbstractHttpConfigurer::disable) // 禁用CORS保护
+ .cors(Customizer.withDefaults()) // 启用CORS
+ .csrf(AbstractHttpConfigurer::disable)
 .sessionManagement(session ->
- session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) // 使用无状态会话
+ session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .authorizeHttpRequests(auth -> auth
- .requestMatchers(SecurityConstants.WHITE_LIST.toArray(new String[0])).permitAll() // 配置API白名单
- .requestMatchers(SecurityConstants.STATIC_RESOURCES.toArray(new String[0])).permitAll() // 配置静态资源白名单
- .anyRequest().authenticated() // 其他所有请求都需要认证
+ .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll() // 允许所有OPTIONS请求
+ .requestMatchers(SecurityConstants.WHITE_LIST.toArray(new String[0])).permitAll()
+ .requestMatchers(SecurityConstants.STATIC_RESOURCES.toArray(new String[0])).permitAll()
+ .anyRequest().authenticated()
 )
- .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class); // 添加JWT过滤器
+ .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
 
 return http.build();
 }
diff --git a/src/main/java/com/guwan/backend/security/JwtAuthenticationFilter.java b/src/main/java/com/guwan/backend/security/JwtAuthenticationFilter.java
index 4eb8689..45ba11d 100644
--- a/src/main/java/com/guwan/backend/security/JwtAuthenticationFilter.java
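Review bot: `.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()` permits every OPTIONS request to every path without authentication, not only CORS preflights; with `cors(Customizer.withDefaults())` now enabled, Spring Security's CORS handling runs ahead of authorization and already answers genuine preflight requests (those carrying `Origin` and `Access-Control-Request-Method`), so the matcher is redundant for its stated purpose and broader than needed. I would drop that line, or if it is kept, document the actual intent, e.g. `// preflight is answered by the CORS filter; this only affects non-CORS OPTIONS requests`. Separately, as far as I recall `cors(Customizer.withDefaults())` picks up settings only from a `CorsConfigurationSource` (or `CorsFilter`) bean; CorsConfig's bean type is outside this diff, so confirm it is exposed as one of those, otherwise the "enabled" CORS will not use the settings shown in the first file. `securityFilterChain` lies entirely within the hunk.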
+++ b/src/main/java/com/guwan/backend/security/JwtAuthenticationFilter.java
@@ -52,6 +52,13 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
 protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
+ // 处理OPTIONS请求
+ if (request.getMethod().equals(HttpMethod.OPTIONS.name())) {
+ response.setStatus(HttpServletResponse.SC_OK);
+ chain.doFilter(request, response);
+ return;
+ }
+
 String path = request.getServletPath();
 // 如果是白名单路径,直接放行
@@ -61,9 +68,6 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
 }
 
 try {
- if (HttpMethod.OPTIONS.toString().equals(request.getMethod())) {
- return;
- }
 // 验证token
 String authHeader = request.getHeader("Authorization");
 if (authHeader == null || !authHeader.startsWith("Bearer ")) {
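Review bot: In the new OPTIONS branch, `response.setStatus(HttpServletResponse.SC_OK)` immediately followed by `chain.doFilter(request, response)` is contradictory — the rest of the chain runs afterwards and may overwrite the status, so the `setStatus` line has no reliable effect and should go. Because this commit also enables CORS in SecurityConfig, real preflight requests are answered by Spring Security's CORS filter before this filter runs, so this branch only ever sees non-preflight OPTIONS requests, for which `if (HttpMethod.OPTIONS.name().equals(request.getMethod())) { chain.doFilter(request, response); return; }` is sufficient; the constant-first form also avoids a NullPointerException if `getMethod()` is ever null. A comment such as `// preflight is handled upstream by the CORS filter; plain OPTIONS requests just bypass JWT validation` would stop a later reader from taking this branch for the CORS handling. `doFilterInternal` continues past the end of the hunk.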