diff --git a/src/main/java/shi/raibu/shi/endpoint/CorsConfigurer.java b/src/main/java/shi/raibu/shi/endpoint/CorsConfigurer.java
index 762649a..f4165f0 100644
--- a/src/main/java/shi/raibu/shi/endpoint/CorsConfigurer.java
+++ b/src/main/java/shi/raibu/shi/endpoint/CorsConfigurer.java
@@ -9,7 +9,7 @@
 @Configuration
 public class CorsConfigurer implements WebMvcConfigurer {
- @Value("${cors.allowed-origins:http://localhost:3000,https://raibu.app}")
+ @Value("${cors.allowed-origins:http://localhost:5173,http://localhost:3000,https://raibu.app}")
 private String allowedOrigins;
 @Override
diff --git a/src/main/java/shi/raibu/shi/security/SecurityConfig.java b/src/main/java/shi/raibu/shi/security/SecurityConfig.java
index 4658ec6..cb3e5dc 100644
--- a/src/main/java/shi/raibu/shi/security/SecurityConfig.java
+++ b/src/main/java/shi/raibu/shi/security/SecurityConfig.java
@@ -1,11 +1,17 @@
 package shi.raibu.shi.security;
+import java.util.Arrays;
+import java.util.List;
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 @Configuration
 @EnableWebSecurity
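Review bot: The default origin list is now copied verbatim into three places — this `@Value` in CorsConfigurer, the new `@Value` on `allowedOrigins` in SecurityConfig, and the `${ALLOWED_ORIGINS:...}` fallback in application.yml — and the three copies will drift the next time an origin is added or removed. Because application.yml already defines `cors.allowed-origins` with its own default, the annotation fallbacks only ever apply if that key is deleted, so they can be dropped: `@Value("${cors.allowed-origins}")` in both classes, leaving the yml (or the ALLOWED_ORIGINS variable) as the single source of truth. With SecurityConfig now registering its own CorsConfigurationSource for `/**`, it is also worth stating in a comment here whether the WebMvcConfigurer mapping in this class is still needed or is now redundant; I cannot tell from the hunk, since the `@Override` method continues outside it.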
@@ -14,21 +20,42 @@ public class SecurityConfig {
 private final CustomOidcUserService customOidcUserService;
+ @Value("${app.frontend-url:http://localhost:5173}")
+ private String frontendUrl;
+
+ @Value("${cors.allowed-origins:http://localhost:5173,http://localhost:3000,https://raibu.app}")
+ private String allowedOrigins;
+
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- http.csrf(csrf -> csrf.ignoringRequestMatchers("/ws/**"))
+ http.cors(cors -> cors.configurationSource(corsConfigurationSource()))
+ .csrf(csrf -> csrf.ignoringRequestMatchers("/ws/**"))
 .authorizeHttpRequests(
 auth ->
- auth.requestMatchers("/ping", "/actuator/**")
+ auth.requestMatchers("/ping", "/actuator/**", "/ws/**")
 .permitAll()
 .anyRequest()
 .authenticated())
 .oauth2Login(
 oauth2 ->
 oauth2.userInfoEndpoint(
- userInfo -> userInfo.oidcUserService(customOidcUserService)))
- .logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl("/"));
+ userInfo -> userInfo.oidcUserService(customOidcUserService))
+ .defaultSuccessUrl(frontendUrl + "/home", true))
+ .logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl(frontendUrl + "/login"));
 return http.build();
 }
+
+ @Bean
+ public CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration configuration = new CorsConfiguration();
+ configuration.setAllowedOrigins(
+ Arrays.stream(allowedOrigins.split(",")).map(String::trim).toList());
+ configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+ configuration.setAllowedHeaders(List.of("*"));
+ configuration.setAllowCredentials(true);
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", configuration);
+ return source;
+ }
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index ae316aa..685a739 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
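Review bot: `/ws/**` is now both `permitAll()` in the new `requestMatchers` line and excluded from CSRF on the line above it, so the WebSocket handshake path is reachable with neither an authenticated session nor a CSRF token; nothing in this hunk shows where per-user access to the socket is enforced, so that has to happen at the message layer and the line deserves a comment such as `// "/ws/**" is unauthenticated at the HTTP layer; per-user authorization is enforced on messages, not here`. In `corsConfigurationSource()`, `allowedOrigins.split(",")` followed by `trim()` turns a trailing comma or an empty ALLOWED_ORIGINS value into an empty-string origin entry, which is harmless for matching but makes the effective list confusing to audit; `Arrays.stream(allowedOrigins.split(",")).map(String::trim).filter(s -> !s.isEmpty()).toList()` keeps the list clean. `setAllowedHeaders(List.of("*"))` together with `setAllowCredentials(true)` is accepted by Spring (only a wildcard origin is rejected with credentials), but it reflects every requested header back in the preflight response, and I would expect the method list to be narrowed to what the frontend actually uses rather than left as a comment-free block.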
@@ -41,4 +41,4 @@ server:
 # for WebSocket
 cors:
- allowed-origins: ${ALLOWED_ORIGINS:http://localhost:3000,https://raibu.app}
+ allowed-origins: ${ALLOWED_ORIGINS:http://localhost:5173,http://localhost:3000,https://raibu.app}