fix: registerStompEndpoints 里保留一次注册即可，一般写法是一次 addEndpoint("/api/ws") + .withSockJS()，并统一用 setAllowedOriginPatterns(...) 配置白名单，避免同一路径双注册引起歧义。

2026-02-21 14:30:59 +08:00 · 2025-08-22 23:35:15 +08:00
parent 1c582fbbf1
commit 3a979277e4
2 changed files with 4 additions and 24 deletions
--- a/backend/src/main/java/com/openisle/config/SecurityConfig.java
+++ b/backend/src/main/java/com/openisle/config/SecurityConfig.java
@@ -99,8 +99,9 @@ public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable())
-                .cors(Customizer.withDefaults())         // 让 Spring 自带 CorsFilter 处理预检
-            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .cors(Customizer.withDefaults())
+                .headers(h -> h.frameOptions(f -> f.sameOrigin()))
+                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .exceptionHandling(eh -> eh.accessDeniedHandler(customAccessDeniedHandler))
            .authorizeHttpRequests(auth -> auth
                    .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
--- a/backend/src/main/java/com/openisle/config/WebSocketConfig.java
+++ b/backend/src/main/java/com/openisle/config/WebSocketConfig.java
@@ -54,28 +54,7 @@ public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
                        "https://www.staging.open-isle.com",
                        websiteUrl,
                        websiteUrl.replace("://www.", "://")
-                );
-
-        // ② SockJS 注册：要单独再配一次，且只能 exact，不支持 patterns
-        registry.addEndpoint("/api/ws")
-                .setAllowedOrigins(
-                        // 本地（端口要写死）
-                        "http://localhost:3000",
-                        "http://localhost:3001",
-                        "http://127.0.0.1:3000",
-                        "http://127.0.0.1:3001",
-                        "http://192.168.7.98",
-                        "http://192.168.7.98:3000",
-                        "http://30.211.97.238",
-                        "http://30.211.97.238:3000",
-                        // 线上
-                        "https://staging.open-isle.com",
-                        "https://www.staging.open-isle.com",
-                        websiteUrl,
-                        websiteUrl.replace("://www.", "://")
-                )                .withSockJS()
-                .setSessionCookieNeeded(false) // 避免强依赖 JSESSIONID
-                .setWebSocketEnabled(true);
+                ).withSockJS().setWebSocketEnabled(true).setSessionCookieNeeded(false);
    }