X-Frame DENY in Spring Security


Problem description

I'm using the jQuery download plugin in my Spring project, but the browser gives me the following error:

Refused to display 'http://localhost:8086/DART/fleetAndCar/download/5' in a frame because it set 'X-Frame-Options' to 'DENY'.

I read that it is a problem with X-Frame in Spring Security, so I added

http
    .headers()
      .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

but it doesn't change DENY, it just adds SAMEORIGIN as well, so I get the following error:

Multiple 'X-Frame-Options' headers with conflicting values ('DENY, SAMEORIGIN') encountered when loading 'http://localhost:8086/DART/fleetAndCar/download/5'. Falling back to 'DENY'.

This is the HTTP request:

This is my Spring configuration:

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
            .antMatcher("/client/**")
            .authorizeRequests()
            //Exclude send file from authentication because it doesn't work with spring authentication
            .antMatchers(HttpMethod.POST, "/client/file").permitAll()
            .anyRequest().authenticated()
            .and()
            .httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter{

        @Autowired
        RoleServices roleServices;

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
            //Spring Security ignores request to static resources such as CSS or JS files.
            .ignoring()
            .antMatchers("/static/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            List<Role> roles=roleServices.getRoles();
            //Retrieve array of roles(only string field without id)
            String[] rolesArray = new String[roles.size()];
            int i=0;
            for (Role role:roles){
                rolesArray[i++] = role.getRole();
            }

            http
            .headers()
               .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
               .and()
            .authorizeRequests() //Authorize Request Configuration
            .anyRequest().hasAnyRole(rolesArray)//.authenticated()
            .and() //Login Form configuration for all others
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .exceptionHandling().accessDeniedPage("/403")
            .and()
            .logout()
            .logoutSuccessUrl("/login?logout")
            .permitAll();

        }
    }

How can I fix this problem? Thanks (the download works fine despite the error)

Recommended answer

You can do it in your Spring Security config file like this:

<http>
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

You can also do it with Java configuration, in this way:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
        WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers().frameOptions().sameOrigin();
    }
}

For older Spring versions use:

http
   .headers()
       .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

instead of:

http.headers().frameOptions().sameOrigin();

Finally, these are the available options:

DENY: Does not allow any domain to display this page within a frame.

SAMEORIGIN: Allows the current page to be displayed in a frame on another page, but only within the current domain.

ALLOW-FROM: Allows the current page to be displayed in a frame, but only in a specific URI. For example www.example.com/frame-page
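To make the browser behaviour behind the two error messages concrete, here is a small Python model of how a browser evaluates X-Frame-Options. It is an added illustration, not code from the original question, the answer, or Spring Security itself. It assumes the three policy values listed above and the fallback the quoted browser message describes (conflicting values collapse to DENY); the response headers and framing URLs are constructed samples (the page URL is the one from the question), and `xfo_findings` is a hypothetical checker name, the kind of review you would run over captured headers to catch the duplicate-header misconfiguration.

```python
"""Browser-side evaluation of X-Frame-Options (added illustration).

Models the header handling behind the two error messages in the question:
a lone DENY blocks framing from everywhere, SAMEORIGIN allows only the page's
own origin, ALLOW-FROM <uri> allows only that origin, and several
X-Frame-Options headers with conflicting values fall back to DENY.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """Return the scheme://host[:port] origin of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_headers(raw):
    """Parse raw response header lines into ordered (name, value) pairs.

    A list is used on purpose: a dict keyed by name would silently hide the
    duplicate X-Frame-Options header that causes the conflict.
    """
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def xfo_values(headers):
    """Every X-Frame-Options value sent, one entry per header occurrence."""
    return [value for name, value in headers if name == "x-frame-options"]


def effective_policy(headers):
    """Collapse the X-Frame-Options headers the way the quoted browser message
    does: a single value is used as-is, conflicting values fall back to DENY,
    and no header at all means X-Frame-Options imposes no restriction (None)."""
    values = [v.upper() for v in xfo_values(headers)]
    if not values:
        return None
    if len(set(values)) > 1:
        return "DENY"
    return values[0]


def may_frame(headers, page_url, framer_url):
    """True if a document at framer_url may embed page_url in a frame."""
    policy = effective_policy(headers)
    if policy is None:
        return True
    if policy == "DENY":
        return False
    if policy == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    if policy.startswith("ALLOW-FROM"):
        allowed = policy[len("ALLOW-FROM"):].strip()
        return origin_of(framer_url) == origin_of(allowed)
    return False  # unrecognised value: treat as not framable


def xfo_findings(headers):
    """Hypothetical review checks over captured response headers."""
    values = xfo_values(headers)
    findings = []
    if len(values) > 1:
        findings.append("multiple X-Frame-Options headers: " + ", ".join(values))
    if any(v.upper().startswith("ALLOW-FROM") for v in values):
        findings.append("ALLOW-FROM is obsolete; use Content-Security-Policy frame-ancestors")
    return findings


# Constructed samples: the response the question's error message describes
# (a DENY header sent next to the added SAMEORIGIN one) and the corrected one.
CONFLICTING = """HTTP/1.1 200 OK
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Content-Type: application/octet-stream
"""
FIXED = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Type: application/octet-stream
"""
PAGE_URL = "http://localhost:8086/DART/fleetAndCar/download/5"  # URL from the question


if __name__ == "__main__":
    for label, raw in (("conflicting", CONFLICTING), ("fixed", FIXED)):
        hdrs = parse_headers(raw)
        print(label, "->", effective_policy(hdrs),
              "| same-origin frame allowed:", may_frame(hdrs, PAGE_URL, "http://localhost:8086/DART/"),
              "| findings:", xfo_findings(hdrs))
```

Run against the conflicting sample, the policy collapses to DENY and the same-origin frame is refused, which is exactly the behaviour reported in the question; against the fixed sample, the same-origin frame is allowed and no findings are reported. The same parser can be pointed at real captured response headers to confirm that only one X-Frame-Options header is being sent after changing the Spring configuration.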
