Spring Security Pages don't open in Iframe on Chrome


Question


I am using Spring Boot, Spring Security and JDK 1.8. When I am trying to open any secured Thymeleaf page in an iframe on Chrome, it is redirecting me to the login page every time. It is working fine on Firefox and IE. And when I try to open the same URL without an iframe, it is working fine. I have already given much time to solve it, but could not solve it. Below is my Spring Security conf file code. One more thing: both domains are different.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .headers()
            .frameOptions().disable()
            .and()
            .csrf().disable() /* disabling csrf here */
            .authorizeRequests()
            .antMatchers("/", "/login", "/css/**", "/js/**", "/fonts/**", "/img/**").permitAll() /* do not use spring security on these paths */
            .and()
            .formLogin()
            .successHandler(successHandler) /* after successful login on web we are handling the success event */
            .permitAll()
            .and()
            .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login/?logout") /* defining logout and login url here */
            .permitAll();
    /*
     * This is for authentication failure handling
     */
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
    /* Token based authentication we are handling here */
    http.addFilterBefore(new StatelessAuthenticationFilter(tokenAuthenticationService), BasicAuthenticationFilter.class);
    http.addFilterAfter(new SameSiteFilter(), BasicAuthenticationFilter.class);
}


Can anyone please help me on this?

Answer


To start off, I would advise you against disabling the "X-Frame-Options" header and using your application in an iframe.
This poses a security risk, which you can read more about in this answer.


Now to explain the behaviour you are seeing.
Spring Security uses a session cookie to store the user's session.
Cookies are associated with domains, so if, for example, there is a cookie associated with the domain stackoverflow.com then that cookie will be included in any request to stackoverflow.com.


In order to control that behaviour, cookies also have an attribute called SameSite.
The SameSite attribute can have 3 values, None, Lax, Strict, or it can be unset and have no value.
When the value is None, it behaves as described above (included in all requests).
When the value is Lax, then the cookie will only be included in top-level navigation GET requests.


The session cookie that Spring Security uses does not set the SameSite attribute.
At this time (March 2020), some browsers, like Firefox and Edge, treat the unset attribute the same as None.
However, Chrome is experimenting with treating the unset attribute the same as Lax.
You can read more about that in the Chrome Platform Status.


In summary, when using Chrome, the session cookie is treated as if it had SameSite set to Lax.
Since rendering an application in an iframe is not a top-level navigation, the session cookie is not included in the request from the iframe, and the application has no way of knowing that a user is signed in.


You can explicitly set the SameSite attribute to None by using Spring Session.
Again, I would caution against this, since it can make your application vulnerable to CSRF and clickjacking attacks.
If, after considering the security implications, you deem it necessary to set the SameSite attribute to None, you can do so by including Spring Session in your dependencies and creating a custom CookieSerializer.
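The following is an added example, not code from the question or the answer above. It shows the Spring Session CookieSerializer the answer refers to, configured so that Chrome will send the session cookie from a cross-site iframe, together with the CSRF and framing settings a practitioner would keep rather than disable (the question's config turned both off). Assumptions: Spring Boot 2.x with Spring Security 5.x, Spring Session 2.1 or later with a session store already configured (for example spring-session-jdbc), the application served over HTTPS, and a hypothetical embedding site https://parent.example.com; the class and bean names are illustrative.

```java
// Added example (not from the question or the answer). Assumes Spring Boot 2.x,
// Spring Security 5.x, Spring Session 2.1+ with a store configured, HTTPS, and a
// hypothetical embedding origin https://parent.example.com.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Configuration
@EnableWebSecurity
public class EmbeddableSecurityConfig extends WebSecurityConfigurerAdapter {

    /** The one origin allowed to frame this application (hypothetical value). */
    private static final String ALLOWED_PARENT = "https://parent.example.com";

    /**
     * Spring Session takes over session cookie handling from the servlet
     * container, so this bean decides the attributes on the cookie. Chrome only
     * accepts SameSite=None when the cookie is also marked Secure, so the Secure
     * flag is mandatory here and the site must be served over HTTPS.
     */
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");
        serializer.setSameSite("None");        // send the cookie on cross-site (iframe) requests
        serializer.setUseSecureCookie(true);   // required, or Chrome drops a SameSite=None cookie
        serializer.setUseHttpOnlyCookie(true); // keep the session id away from page scripts
        return serializer;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is deliberately left enabled. With SameSite=None the
        // browser attaches the session cookie to cross-site form posts again, so
        // the CSRF token is what stops forged requests; Thymeleaf inserts it
        // automatically into th:action forms.
        http
            .headers()
                // X-Frame-Options can only express DENY or SAMEORIGIN (Chrome never
                // supported ALLOW-FROM), neither of which fits a different embedding
                // domain. Instead of dropping framing protection entirely, replace
                // it with a CSP frame-ancestors directive naming the single
                // permitted parent; any other site that frames the app gets a blank frame.
                .frameOptions().disable()
                .contentSecurityPolicy("frame-ancestors 'self' " + ALLOWED_PARENT)
                .and()
            .and()
            .authorizeRequests()
                .antMatchers("/", "/login", "/css/**", "/js/**", "/fonts/**", "/img/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/login?logout")
                .permitAll();
    }
}
```

With Spring Boot, the serializer bean is picked up as soon as a Spring Session store is on the classpath and selected (for example spring-session-jdbc with spring.session.store-type=jdbc). The cookie this produces carries SameSite=None; Secure; HttpOnly, which is the minimum that makes the iframe case work in Chrome, while the frame-ancestors directive limits who may embed the pages and the CSRF token covers the cross-site writes that SameSite=None re-enables.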
