fix: WebSocketConfig：同时给 SockJS 注册设置允许的 Origin（endpoint 用 patterns，SockJS 用 exact）

2026-06-09 19:47:39 +08:00 · 2025-08-22 23:18:05 +08:00
parent 92452da19a
commit 1c582fbbf1
1 changed files with 30 additions and 10 deletions
--- a/backend/src/main/java/com/openisle/config/WebSocketConfig.java
+++ b/backend/src/main/java/com/openisle/config/WebSocketConfig.java
@@ -41,24 +41,44 @@ public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // ① 原生 WebSocket 端点：用 patterns，抗 www/端口漂移
        registry.addEndpoint("/api/ws")
-                // 安全改进：使用具体的允许源，而不是通配符
+                .setAllowedOriginPatterns(
-                .setAllowedOrigins(
+                        // 本地
                        // 本地开发
                        "http://localhost:*",
                        "http://127.0.0.1:*",
                        "http://192.168.7.98:*",
                        "http://30.211.97.238:*",
-                        websiteUrl,
+                        // 线上
                        websiteUrl.replace("://www.", "://"),
                        // 线上域名（务必是 https）
                        "https://staging.open-isle.com",
-                        "https://www.staging.open-isle.com"
+                        "https://www.staging.open-isle.com",
-                )
+                        websiteUrl,
-                .withSockJS();
+                        websiteUrl.replace("://www.", "://")
                );
        // ② SockJS 注册：要单独再配一次，且只能 exact，不支持 patterns
        registry.addEndpoint("/api/ws")
                .setAllowedOrigins(
                        // 本地（端口要写死）
                        "http://localhost:3000",
                        "http://localhost:3001",
                        "http://127.0.0.1:3000",
                        "http://127.0.0.1:3001",
                        "http://192.168.7.98",
                        "http://192.168.7.98:3000",
                        "http://30.211.97.238",
                        "http://30.211.97.238:3000",
                        // 线上
                        "https://staging.open-isle.com",
                        "https://www.staging.open-isle.com",
                        websiteUrl,
                        websiteUrl.replace("://www.", "://")
                )                .withSockJS()
                .setSessionCookieNeeded(false) // 避免强依赖 JSESSIONID
                .setWebSocketEnabled(true);
    }
    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        registration.interceptors(new ChannelInterceptor() {