Disable X-FrameOptions response header for a URL Spring Security JAVA config


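I am trying to disable the X-Frame-Options header, or set it to SAMEORIGIN, for a particular URL in my Spring Boot project with Spring Security. I am pasting the code below.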

@Configuration
@EnableWebSecurity    
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {    
    @Override
    protected void configure(HttpSecurity http) throws Exception {            
        RequestMatcher matcher = new AntPathRequestMatcher("**/course/embed/**");

        DelegatingRequestMatcherHeaderWriter headerWriter =
                new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter());

        http.headers()
                .frameOptions().sameOrigin()
                .addHeaderWriter(headerWriter);
    }    
}

I am using AntRequestMatcher, but this does not work; instead it disables the X-Frame-Options header for all responses. Is there a better way to do this? Please help.

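You need to configure multiple HttpSecurity instances. The key is to extend WebSecurityConfigurerAdapter multiple times. For example, the following is a sample with a different configuration for URLs that match **/course/embed/**. If the URL matches, X-Frame-Options will be SAMEORIGIN, otherwise DENY.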

@EnableWebSecurity
public class WebMVCSecurity {
    //Configure Authentication as normal, optional, showing just as a sample to indicate you can add other config like this
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER").and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    // Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            // The http.antMatcher states that this HttpSecurity will only be applicable to URLs that match with **/course/embed/**
            http.antMatcher("**/course/embed/**").headers().frameOptions().sameOrigin();
        }
    }

    // Create another instance of WebSecurityConfigurerAdapter. 
    // If the URL does not match with **/course/embed/** this configuration will be used. 
    // This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin();

            //bla bla bla ...
        }
    }
} 

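Thanks, I tried the multiple WebSecurityConfigurerAdapter approach. I get a "Refused to display in a frame" error when calling "/course/embed", because it sets "X-Frame-Options" to "DENY". So the antMatcher is still not matching the pattern. Am I missing something?

If your URL is /course/embed, then the pattern should be set to /course/embed*

Sorry, I missed your full URL path. Try this: /**/course/embed/**

Thank you! This worked perfectly!! I kept thinking it was not an issue with the pattern.

So if there is another URL that needs to be matched, is extending WebSecurityConfigurerAdapter the correct way? Just for that URL.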