From 3a979277e4c66544c74f1764c54a49c604c8cf08 Mon Sep 17 00:00:00 2001
From: tim
Date: Fri, 22 Aug 2025 23:35:15 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20registerStompEndpoints=20=E9=87=8C?= =?UTF-8?q?=E4=BF=9D=E7=95=99=E4=B8=80=E6=AC=A1=E6=B3=A8=E5=86=8C=E5=8D=B3?= =?UTF-8?q?=E5=8F=AF=EF=BC=8C=E4=B8=80=E8=88=AC=E5=86=99=E6=B3=95=E6=98=AF?= =?UTF-8?q?=E4=B8=80=E6=AC=A1=20addEndpoint("/api/ws")=20+=20.withSockJS()?= =?UTF-8?q?=EF=BC=8C=E5=B9=B6=E7=BB=9F=E4=B8=80=E7=94=A8=20setAllowedOrigi?= =?UTF-8?q?nPatterns(...)=20=E9=85=8D=E7=BD=AE=E7=99=BD=E5=90=8D=E5=8D=95?= =?UTF-8?q?=EF=BC=8C=E9=81=BF=E5=85=8D=E5=90=8C=E4=B8=80=E8=B7=AF=E5=BE=84?= =?UTF-8?q?=E5=8F=8C=E6=B3=A8=E5=86=8C=E5=BC=95=E8=B5=B7=E6=AD=A7=E4=B9=89?= =?UTF-8?q?=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../com/openisle/config/SecurityConfig.java | 5 ++--
 .../com/openisle/config/WebSocketConfig.java | 23 +------------------
 2 files changed, 4 insertions(+), 24 deletions(-)
diff --git a/backend/src/main/java/com/openisle/config/SecurityConfig.java b/backend/src/main/java/com/openisle/config/SecurityConfig.java
index 9f654427e..5cbd069fb 100644
--- a/backend/src/main/java/com/openisle/config/SecurityConfig.java
+++ b/backend/src/main/java/com/openisle/config/SecurityConfig.java
@@ -99,8 +99,9 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 http.csrf(csrf -> csrf.disable())
- .cors(Customizer.withDefaults()) // 让 Spring 自带 CorsFilter 处理预检
- .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+ .cors(Customizer.withDefaults())
+ .headers(h -> h.frameOptions(f -> f.sameOrigin()))
+ .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .exceptionHandling(eh -> eh.accessDeniedHandler(customAccessDeniedHandler))
 .authorizeHttpRequests(auth -> auth
 .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
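Review bot: The added `.headers(h -> h.frameOptions(f -> f.sameOrigin()))` in filterChain relaxes Spring Security's default `X-Frame-Options: DENY` to `SAMEORIGIN` for every response this chain serves, and nothing in the hunk records why. The commit subject suggests it is meant for the SockJS endpoint at `/api/ws`, whose iframe-based fallback transports have to be framable, but that is an inference; a comment such as `// SockJS iframe fallbacks must be framable by our own origin; Spring Security's default is DENY` would state the intent. If only the SockJS path needs it, scoping the relaxed header to that path would keep `DENY` on the rest of the API. The hunk also drops the comment that explained `.cors(Customizer.withDefaults())` without replacing it. filterChain's body continues outside the hunk.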
diff --git a/backend/src/main/java/com/openisle/config/WebSocketConfig.java b/backend/src/main/java/com/openisle/config/WebSocketConfig.java
index 73e455bf3..1a8dc23df 100644
--- a/backend/src/main/java/com/openisle/config/WebSocketConfig.java
+++ b/backend/src/main/java/com/openisle/config/WebSocketConfig.java
@@ -54,28 +54,7 @@ public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
 "https://www.staging.open-isle.com",
 websiteUrl,
 websiteUrl.replace("://www.", "://")
- );
-
- // ② SockJS 注册:要单独再配一次,且只能 exact,不支持 patterns
- registry.addEndpoint("/api/ws")
- .setAllowedOrigins(
- // 本地(端口要写死)
- "http://localhost:3000",
- "http://localhost:3001",
- "http://127.0.0.1:3000",
- "http://127.0.0.1:3001",
- "http://192.168.7.98",
- "http://192.168.7.98:3000",
- "http://30.211.97.238",
- "http://30.211.97.238:3000",
- // 线上
- "https://staging.open-isle.com",
- "https://www.staging.open-isle.com",
- websiteUrl,
- websiteUrl.replace("://www.", "://")
- ) .withSockJS()
- .setSessionCookieNeeded(false) // 避免强依赖 JSESSIONID
- .setWebSocketEnabled(true);
+ ).withSockJS().setWebSocketEnabled(true).setSessionCookieNeeded(false);
 }