config(security): 优化安全配置并添加全局跨域支持

- 在 ResourceServerConfig 中禁用 CSRF 并启用跨域支持
- 新增 WebConfig 类，用于全局跨域配置
- 调整授权请求的配置，使代码更加清晰

src/main/java/com/lqkj/framework/security/ResourceServerConfig.java

@@ -33,7 +33,8 @@ public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
     }
     @Override
     public void configure(HttpSecurity http) throws Exception {
-        http.formLogin()
+        http.cors().and().csrf().disable()
+                .formLogin()
                 .loginProcessingUrl("/login")
                 .successHandler(customAuthenticationSuccessHandler)
                 .failureHandler(customAuthenctiationFailureHandler)
@@ -43,20 +44,19 @@ public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
                 .and()
                 .authorizeRequests()
                 .antMatchers("/oauth/**",
-                "/v1/captchaImage",
-                "/business/cmsNews/front/**",
-                "/business/cmsCategory/front/**",
-                "/login",
-                "/**/*.css",
-                "/**/*.js",
-                "/profile/**").permitAll() //不需要身份认证即可访问
+                        "/v1/captchaImage",
+                        "/business/cmsNews/front/**",
+                        "/business/cmsCategory/front/**",
+                        "/login",
+                        "/**/*.css",
+                        "/**/*.js",
+                        "/profile/**").permitAll() //不需要身份认证即可访问
                 .antMatchers("/swagger-resources/**").anonymous()
                 .antMatchers("/webjars/**").anonymous()
                 .antMatchers("/*/api-docs").anonymous()
                 .anyRequest().authenticated() //其他请求路径都需要身份认证
                 .and().headers().frameOptions().disable()//支持前端vue中iframe中访问
-                .and().cors()
-                .and().csrf().disable();
+                .and().cors(); // 启用跨域支持
     }
 
 

src/main/java/com/lqkj/framework/security/WebConfig.java

@@ -0,0 +1,22 @@
+package com.lqkj.framework.security;
+
+import org.springframework.context.annotation.Bean;
+   import org.springframework.context.annotation.Configuration;
+   import org.springframework.web.cors.CorsConfiguration;
+   import org.springframework.web.cors.CorsConfigurationSource;
+   import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+   @Configuration
+   public class WebConfig {
+
+       @Bean
+       public CorsConfigurationSource corsConfigurationSource() {
+           CorsConfiguration configuration = new CorsConfiguration();
+           configuration.addAllowedOrigin("*"); // 允许所有来源，也可以指定特定的域名
+           configuration.addAllowedMethod("*"); // 允许所有HTTP方法
+           configuration.addAllowedHeader("*"); // 允许所有请求头
+           UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+           source.registerCorsConfiguration("/**", configuration);
+           return source;
+       }
+   }