关于前端跨域的一个奇妙问题

首先，我是本地起的后端工程（8080端口）：

然后前端工程（8081端口）访问后端地址，报下面的跨域问题：

Access to XMLHttpRequest at 'http://localhost:8080/sso/auth/login' from origin 'http://localhost:8081' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

检查了下webconfig文件，没发现任何问题，之后发现启动日志里报了security的日志，但是工程中又没有用到security这个依赖，拦截器一般都是权限验证，大概率就是security里面有默认拦截器，才会拦截了跳登录，所以才试着去把security的依赖注释掉：

没用security就把依赖包注释掉，如果有用到的话，则到配置文件SecurityConfig.java里面，改firlwall成default模式：

package com.xmair.core.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.security.web.firewall.HttpFirewall;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/metrics/info").permitAll()
                .antMatchers("/metrics/health").permitAll()
                .antMatchers("/metrics/**").authenticated()
                .anyRequest().permitAll()
                .and().httpBasic()
                .and()
                .csrf().disable();
    }

    @Bean
    public HttpFirewall httpFirewall() {
        return new DefaultHttpFirewall();
    }

    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers("/themes/**","/script/**");
    }
}

详细问题可参考以下链接：

StrictHttpFirewall (Spring Security 4.2.7.RELEASE API)