Fix: cors without nginx (#32)

* feat: cors custom filter * feat: cors custom filter 적용
gdsc-konkuk · Aug 19, 2024 · 218cf2a · 218cf2a
1 parent 170f5ec
commit 218cf2a
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 4 deletions.
diff --git a/src/main/java/gdsc/konkuk/platformcore/global/configs/SecurityConfig.java b/src/main/java/gdsc/konkuk/platformcore/global/configs/SecurityConfig.java
@@ -3,6 +3,7 @@
 import static gdsc.konkuk.platformcore.global.consts.PlatformConstants.*;
 import static org.springframework.security.config.Customizer.withDefaults;
 
+import gdsc.konkuk.platformcore.global.filters.CorsFilter;
 import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -23,6 +24,7 @@
 import gdsc.konkuk.platformcore.application.auth.CustomAuthenticationFailureHandler;
 import gdsc.konkuk.platformcore.application.auth.CustomAuthenticationSuccessHandler;
 import lombok.RequiredArgsConstructor;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
 @EnableWebSecurity
@@ -38,9 +40,9 @@ public class SecurityConfig {
   @Order(2)
   public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
     httpSecurity
-        // TODO: csrf 및 cors, dev에서만 disable
+        // TODO: csrf, dev에서만 disable
         .csrf(AbstractHttpConfigurer::disable)
-        .cors(AbstractHttpConfigurer::disable)
+        .addFilterBefore(new CorsFilter(), UsernamePasswordAuthenticationFilter.class)
         .securityMatcher(
             apiPath("/members/**"),
             apiPath("/events/**"),
@@ -80,9 +82,8 @@ public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws
   @Order(1)
   public SecurityFilterChain googleOidcFilterChain(HttpSecurity httpSecurity) throws Exception {
     httpSecurity
-        // TODO: csrf 및 cors, dev에서만 disable
+        // TODO: csrf, dev에서만 disable
         .csrf(AbstractHttpConfigurer::disable)
-        .cors(AbstractHttpConfigurer::disable)
         .securityMatcher(
             apiPath("/attendances/attend/**"),
             "/oauth2/authorization/google",

diff --git a/src/main/java/gdsc/konkuk/platformcore/global/filters/CorsFilter.java b/src/main/java/gdsc/konkuk/platformcore/global/filters/CorsFilter.java
@@ -0,0 +1,31 @@
+package gdsc.konkuk.platformcore.global.filters;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class CorsFilter implements Filter {
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
+
+        response.setHeader("Access-Control-Allow-Origin", "http://localhost:*");
+        response.setHeader("Access-Control-Allow-Credentials", "true");
+        response.setHeader("Access-Control-Allow-Methods","GET, POST, PUT, DELETE, PATCH, OPTIONS");
+        response.setHeader("Access-Control-Max-Age", "3600");
+        response.setHeader("Access-Control-Allow-Headers",
+                "Origin, X-Requested-With, Content-Type, Accept, Authorization, Location, Range, Cache-Control, User-Agent, DNT");
+
+        if("OPTIONS".equalsIgnoreCase(request.getMethod())) {
+            response.setStatus(HttpServletResponse.SC_OK);
+        }else {
+            chain.doFilter(req, res);
+        }
+    }
+}