refactor: configure the api request to allow credentials and X-XSRF-TOKEN,COOKIE headers (#2227)

Signed-off-by: Ryan Wang <i@ryanc.cc>
pull/2234/head
Ryan Wang 2022-07-08 17:44:13 +08:00 committed by GitHub
parent 3e8f8b8789
commit c97804780b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 2 deletions


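--- a/<directory not shown>/WebServerSecurityConfig.java
+++ b/<directory not shown>/WebServerSecurityConfig.java
@@ -88,11 +88,12 @@ public class WebServerSecurityConfig {
 http.authorizeExchange(exchanges -> exchanges.pathMatchers(
 "/actuator/**"
 ).permitAll())
+.cors(corsSpec -> corsSpec.configurationSource(apiCorsConfigurationSource()))
 .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
 .cors(withDefaults())
 .httpBasic(withDefaults())
 .formLogin(withDefaults())
-.csrf().csrfTokenRepository(new CookieServerCsrfTokenRepository()).and()
+.csrf().csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()).and()
 .logout(withDefaults());
 return http.build();
@@ -102,11 +103,14 @@ public class WebServerSecurityConfig {
 CorsConfiguration configuration = new CorsConfiguration();
 configuration.setAllowedOriginPatterns(List.of("*"));
 configuration.setAllowedHeaders(
-List.of(HttpHeaders.AUTHORIZATION, HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT));
+List.of(HttpHeaders.AUTHORIZATION, HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT,
+"X-XSRF-TOKEN", HttpHeaders.COOKIE));
+configuration.setAllowCredentials(true);
 configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "PATCH"));
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 source.registerCorsConfiguration("/api/**", configuration);
 source.registerCorsConfiguration("/apis/**", configuration);
+source.registerCorsConfiguration("/login", configuration);
 return source;
 }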
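Review bot: The new `configuration.setAllowCredentials(true);` in the second hunk is combined with the unchanged `configuration.setAllowedOriginPatterns(List.of("*"));` two lines above it, so for `/api/**`, `/apis/**` and the newly registered `/login` any requesting origin gets itself reflected in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, and a page on that origin can read responses to the browser's cookie-authenticated requests. The origin list should be narrowed to the deployment's own front-end origin(s), e.g. `configuration.setAllowedOriginPatterns(List.of("<configured external origin>"));`, preferably read from configuration rather than hard-coded. `HttpHeaders.COOKIE` in the allowed-headers list has no effect, because browsers never let page scripts set a `Cookie` request header, so it can be dropped. The method this hunk edits begins before the hunk; in the first hunk the chain now calls both `.cors(corsSpec -> corsSpec.configurationSource(apiCorsConfigurationSource()))` and the older `.cors(withDefaults())`, where the second call is presumably a no-op left over from before and could be removed.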