Feat: 배포 CORS 설정 추가

devbattery · devbattery · commit 1079aa349a20 · 2025-11-30T21:15:27.000+09:00
diff --git a/src/main/java/wonjun/stiky/global/config/SecurityConfig.java b/src/main/java/wonjun/stiky/global/config/SecurityConfig.java
@@ -1,6 +1,9 @@
 package wonjun.stiky.global.config;
 
+import java.util.Arrays;
+import java.util.List;
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -11,6 +14,9 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import wonjun.stiky.auth.config.CustomOAuth2UserService;
 import wonjun.stiky.auth.config.CustomUserDetailsService;
 import wonjun.stiky.auth.config.JwtAuthenticationFilter;
@@ -27,9 +33,13 @@ public class SecurityConfig {
     private final OAuth2SuccessHandler oAuth2SuccessHandler;
     private final JwtTokenProvider jwtTokenProvider;
 
+    @Value("${cors.allowed-origins}")
+    private List<String> allowedOrigins;
+
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
+                .cors(cors -> cors.configurationSource(corsConfigurationSource()))
                 .csrf(AbstractHttpConfigurer::disable)
                 .formLogin(AbstractHttpConfigurer::disable)
                 .httpBasic(AbstractHttpConfigurer::disable)
@@ -58,4 +68,20 @@ public PasswordEncoder passwordEncoder() {
         return new BCryptPasswordEncoder();
     }
 
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration configuration = new CorsConfiguration();
+
+        configuration.setAllowedOrigins(allowedOrigins);
+        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
+        configuration.setAllowedHeaders(List.of("*"));
+        configuration.setAllowCredentials(true);
+        configuration.setExposedHeaders(List.of("Authorization"));
+
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", configuration);
+
+        return source;
+    }
+
 }
diff --git a/src/main/resources/application-prod.yml b/src/main/resources/application-prod.yml
@@ -34,4 +34,10 @@ openapi:
   server-url: https://www.stiky.site
 
 jwt:
-  secret: ${JWT_SECRET}
+  secret: ${JWT_SECRET}
+
+cors:
+  allowed-origins:
+    - "https://www.stiky.site"
+    - "https://stiky.site"
+    - "http://localhost:5173"
