diff --git a/yami-shop-admin/src/main/java/com/yami/shop/admin/security/ResourceServerConfiguration.java b/yami-shop-admin/src/main/java/com/yami/shop/admin/security/ResourceServerConfiguration.java
index a945c5c..0cdd65d 100644
--- a/yami-shop-admin/src/main/java/com/yami/shop/admin/security/ResourceServerConfiguration.java
+++ b/yami-shop-admin/src/main/java/com/yami/shop/admin/security/ResourceServerConfiguration.java
@@ -18,6 +18,7 @@ import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
 import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsUtils;
 
 @Configuration
 @EnableResourceServer
@@ -32,15 +33,12 @@ public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter
 // @formatter:off
 http
 .addFilterBefore(loginAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
-// Since we want the protected resources to be accessible in the UI as well we need
-// session creation to be allowed (it's disabled by default in 2.0.6)
-.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
-.and()
-.requestMatchers().anyRequest()
-.and()
-.anonymous()
-.and()
-.authorizeRequests()
+.csrf().disable().cors()
+.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
+.and().authorizeRequests().requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
+.and().requestMatchers().anyRequest()
+.and().anonymous()
+.and().authorizeRequests()
 .antMatchers(
 "/webjars/**",
 "/swagger/**",
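Review bot: The new `.csrf().disable().cors()` line removes CSRF protection while the line after it keeps `SessionCreationPolicy.IF_REQUIRED`, so any endpoint in this chain that is still reached with a session cookie rather than a bearer token now accepts cross-site requests, and the commit does not say which authentication model it relies on. If access is purely token-based (as the `loginAuthenticationFilter` added on the preceding line suggests), record that where the removed comment used to be, e.g. `// CSRF is disabled because clients authenticate with a bearer token, not a session cookie; sessions are still only created when required.` The `.cors()` call enables CORS without a visible `CorsConfigurationSource`, so the effective allowed origins come from a bean outside this hunk — confirm it does not combine a wildcard origin with allowed credentials. The later `.and().authorizeRequests()` appears to reopen the same configurer that already holds the pre-flight `permitAll()`; folding the `.antMatchers(...)` rules into that first `authorizeRequests()` block would make the chain read as a single authorization policy. The enclosing `configure(HttpSecurity)` method starts and ends outside the hunk.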