fix(private): 私有化部署 CORS 放开所有 Origin

私有化部署时客户使用自定义域名，原硬编码的 *.xuqinmin.com 白名单导致 WebSocket 握手和跨域请求被 Spring Security CORS 过滤器拒绝（426/403）。检测 DEPLOYMENT_MODE=PRIVATE 环境变量，私有化模式下允许所有 Origin。影响范围：im-service / file-service / license-service / update-service。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 10:44:33 +08:00 · 2026-05-21 10:44:33 +08:00 · 02ad5aad06
--- a/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
+++ b/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
@ -54,12 +54,17 @@ public class SecurityConfig {
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
-        config.setAllowedOriginPatterns(List.of(
+        String deployMode = System.getenv("DEPLOYMENT_MODE");
-                "http://localhost:*",
+        if ("PRIVATE".equalsIgnoreCase(deployMode)) {
-                "http://127.0.0.1:*",
+            config.setAllowedOriginPatterns(List.of("*"));
-                "http://*.xuqinmin.com",
+        } else {
-                "https://*.xuqinmin.com"
+            config.setAllowedOriginPatterns(List.of(
-        ));
+                    "http://localhost:*",
                    "http://127.0.0.1:*",
                    "http://*.xuqinmin.com",
                    "https://*.xuqinmin.com"
            ));
        }
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
        config.setAllowedHeaders(List.of("*"));
        config.setExposedHeaders(List.of("Content-Disposition", "Location"));
--- a/im-service/src/main/java/com/xuqm/im/config/SecurityConfig.java
+++ b/im-service/src/main/java/com/xuqm/im/config/SecurityConfig.java
@ -59,12 +59,17 @@ public class SecurityConfig {
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
-        config.setAllowedOriginPatterns(List.of(
+        String deployMode = System.getenv("DEPLOYMENT_MODE");
-                "http://localhost:*",
+        if ("PRIVATE".equalsIgnoreCase(deployMode)) {
-                "http://127.0.0.1:*",
+            config.setAllowedOriginPatterns(List.of("*"));
-                "http://*.xuqinmin.com",
+        } else {
-                "https://*.xuqinmin.com"
+            config.setAllowedOriginPatterns(List.of(
-        ));
+                    "http://localhost:*",
                    "http://127.0.0.1:*",
                    "http://*.xuqinmin.com",
                    "https://*.xuqinmin.com"
            ));
        }
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
        config.setAllowedHeaders(List.of("*"));
        config.setExposedHeaders(List.of("Location"));
--- a/license-service/src/main/java/com/xuqm/license/config/SecurityConfig.java
+++ b/license-service/src/main/java/com/xuqm/license/config/SecurityConfig.java
@ -51,12 +51,17 @@ public class SecurityConfig {
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
-        config.setAllowedOriginPatterns(List.of(
+        String deployMode = System.getenv("DEPLOYMENT_MODE");
-                "http://localhost:*",
+        if ("PRIVATE".equalsIgnoreCase(deployMode)) {
-                "http://127.0.0.1:*",
+            config.setAllowedOriginPatterns(List.of("*"));
-                "http://*.xuqinmin.com",
+        } else {
-                "https://*.xuqinmin.com"
+            config.setAllowedOriginPatterns(List.of(
-        ));
+                    "http://localhost:*",
                    "http://127.0.0.1:*",
                    "http://*.xuqinmin.com",
                    "https://*.xuqinmin.com"
            ));
        }
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
        config.setAllowedHeaders(List.of("*"));
        config.setExposedHeaders(List.of("Location"));
--- a/update-service/src/main/java/com/xuqm/update/config/SecurityConfig.java
+++ b/update-service/src/main/java/com/xuqm/update/config/SecurityConfig.java
@ -60,12 +60,17 @@ public class SecurityConfig {
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
-        config.setAllowedOriginPatterns(List.of(
+        String deployMode = System.getenv("DEPLOYMENT_MODE");
-                "http://localhost:*",
+        if ("PRIVATE".equalsIgnoreCase(deployMode)) {
-                "http://127.0.0.1:*",
+            config.setAllowedOriginPatterns(List.of("*"));
-                "http://*.xuqinmin.com",
+        } else {
-                "https://*.xuqinmin.com"
+            config.setAllowedOriginPatterns(List.of(
-        ));
+                    "http://localhost:*",
                    "http://127.0.0.1:*",
                    "http://*.xuqinmin.com",
                    "https://*.xuqinmin.com"
            ));
        }
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
        config.setAllowedHeaders(List.of("*"));
        config.setExposedHeaders(List.of("Location"));