From ed66156003f8a5dd8636c946ef39610b7e087240 Mon Sep 17 00:00:00 2001
From: chendt <18902722133@163.com>
Date: Tue, 22 Mar 2022 17:55:33 +0800
Subject: [PATCH] =?UTF-8?q?cors=E8=B7=A8=E5=9F=9F=E5=90=8E=E7=AB=AF?= =?UTF-8?q?=E6=9C=8D=E5=8A=A1=E5=99=A8=E9=85=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../security/ResourceServerConfiguration.java | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/yami-shop-admin/src/main/java/com/yami/shop/admin/security/ResourceServerConfiguration.java b/yami-shop-admin/src/main/java/com/yami/shop/admin/security/ResourceServerConfiguration.java
index a945c5c..0cdd65d 100644
--- a/yami-shop-admin/src/main/java/com/yami/shop/admin/security/ResourceServerConfiguration.java
+++ b/yami-shop-admin/src/main/java/com/yami/shop/admin/security/ResourceServerConfiguration.java
@@ -18,6 +18,7 @@ import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
 import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsUtils;
 
 @Configuration
 @EnableResourceServer
@@ -32,15 +33,12 @@ public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter
 // @formatter:off
 http
 .addFilterBefore(loginAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
- // Since we want the protected resources to be accessible in the UI as well we need
- // session creation to be allowed (it's disabled by default in 2.0.6)
- .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
- .and()
- .requestMatchers().anyRequest()
- .and()
- .anonymous()
- .and()
- .authorizeRequests()
+ .csrf().disable().cors()
+ .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
+ .and().authorizeRequests().requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
+ .and().requestMatchers().anyRequest()
+ .and().anonymous()
+ .and().authorizeRequests()
 .antMatchers(
 "/webjars/**",
 "/swagger/**",
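Review bot: `.csrf().disable()` is added while the following line still permits session creation with `SessionCreationPolicy.IF_REQUIRED`, so if any admin endpoint accepts the session cookie as authentication (the deleted comment suggests sessions were kept for UI access), forged cross-site requests to state-changing endpoints would no longer be rejected. If authentication is strictly by bearer token in the `Authorization` header, make that explicit with `.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)`; otherwise keep CSRF protection on. `.cors()` takes its policy from a `CorsConfigurationSource` or MVC CORS configuration that is not visible in this hunk, and that policy should name the admin UI origins explicitly rather than use a wildcard, especially if credentials are allowed. The enclosing `configure` method starts and ends outside the hunk; the commit also drops the comment explaining why sessions are allowed, so a replacement such as `// CSRF disabled: admin API is authenticated by bearer token only, never by session cookie` should accompany the new line once that is confirmed.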