Disable the X-Frame-Options response header for a URL in Spring Security Java config

Tags: java, spring, spring-boot, spring-security, x-frame-options

I am trying to disable the X-Frame-Options header, or set it to SAMEORIGIN, for one specific URL in a Spring Boot project that uses Spring Security. My code is pasted below:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Header writer that is only consulted for requests matching the embed path
        RequestMatcher matcher = new AntPathRequestMatcher("**/course/embed/**");
        DelegatingRequestMatcherHeaderWriter headerWriter =
                new DelegatingRequestMatcherHeaderWriter(matcher, new XFrameOptionsHeaderWriter());

        http.headers()
                .frameOptions().sameOrigin()
                .addHeaderWriter(headerWriter);
    }
}
I am using AntPathRequestMatcher, but this does not work; instead it changes the X-Frame-Options header on all responses. Is there a better way? Please help.

You need to configure multiple HttpSecurity instances. The key is to extend WebSecurityConfigurerAdapter multiple times. For example, below is a sample with a different configuration for URLs that match **/course/embed/**. If the URL matches, X-Frame-Options will be SAMEORIGIN, otherwise DENY.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebMVCSecurity {

    // Configure Authentication as normal, optional, shown just as a sample to indicate you can add other config like this.
    // The "{noop}" prefix is required from Spring Security 5 on, where the default DelegatingPasswordEncoder
    // refuses passwords that do not declare their encoding.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("{noop}password").roles("USER").and()
                .withUser("admin").password("{noop}password").roles("USER", "ADMIN");
    }

    // Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which
    // WebSecurityConfigurerAdapter should be considered first.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // The http.antMatcher states that this HttpSecurity will only be applicable to URLs that match **/course/embed/**
            http.antMatcher("**/course/embed/**").headers().frameOptions().sameOrigin();
        }
    }

    // Create another instance of WebSecurityConfigurerAdapter.
    // If the URL does not match **/course/embed/** this configuration will be used.
    // This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value
    // after 1 (no @Order defaults to last).
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin();
            // bla bla bla ...
        }
    }
}
Thanks, I tried multiple WebSecurityConfigurerAdapters. When calling "/course/embed" I get the "Refused to display in a frame" error because it sets "X-Frame-Options" to "DENY". So the antMatcher still does not match the pattern. Am I missing something?

If your URL is /course/embed, then the pattern should be /course/embed*

Sorry, I missed your full URL path. Try this: /**/course/embed/**

Thank you! That works perfectly!! I kept thinking it was not a pattern problem. So if there are other URLs that need matching, is extending WebSecurityConfigurerAdapter the right approach? Only for that URL.
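The configuration below is an added example, not code from the question or the answer, that puts the thread's outcome together: two WebSecurityConfigurerAdapter chains, the embed chain using the corrected pattern from the comments (a leading "/" is needed because Spring's AntPathMatcher only matches a pattern against a path when both start, or both do not start, with the path separator), plus a MockMvc test that checks which header each URL actually gets. It assumes Spring Boot 2.x with Spring Security 5.x (WebSecurityConfigurerAdapter was removed in 6.0), that the project already has a @SpringBootApplication class, and that JUnit 5 and spring-security-test are on the test classpath; the class names, the basic-auth choice for the embed chain and the request paths /course/embed/42 and /course/42 are my own placeholders.

```java
// src/main/java/.../FrameOptionsSecurityConfig.java  (hypothetical file; names are assumptions)
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class FrameOptionsSecurityConfig {

    // Chain 1: only requests under the embed path. @Order(1) makes it win over the catch-all chain.
    @Configuration
    @Order(1)
    public static class EmbedSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Leading "/" is what the answer's comment thread added; "**/course/embed/**"
                // never matches a servlet path, because servlet paths always start with "/".
                .antMatcher("/**/course/embed/**")
                // Relax only as far as needed: SAMEORIGIN still blocks framing by other origins.
                .headers().frameOptions().sameOrigin()
                .and()
                // A separate chain carries no authorization rules unless you add them; without
                // this line the embed URLs would be reachable anonymously.
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .httpBasic();
        }
    }

    // Chain 2: everything else keeps Spring Security's default X-Frame-Options: DENY.
    @Configuration
    public static class DefaultSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .formLogin();
        }
    }
}

// src/test/java/.../FrameOptionsHeaderTest.java  (hypothetical file; package-private so both
// classes can be shown here; in a real project each class lives in its own file)
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

@SpringBootTest
@AutoConfigureMockMvc
class FrameOptionsHeaderTest {

    @Autowired
    MockMvc mvc;

    // Request paths below are constructed for the test; no controller needs to exist,
    // the header is written by the security filter chain regardless of the final status.
    @Test
    @WithMockUser
    void embedUrlGetsSameOrigin() throws Exception {
        mvc.perform(get("/course/embed/42"))
           .andExpect(header().string("X-Frame-Options", "SAMEORIGIN"));
    }

    @Test
    @WithMockUser
    void otherUrlsKeepDeny() throws Exception {
        mvc.perform(get("/course/42"))
           .andExpect(header().string("X-Frame-Options", "DENY"));
    }
}
```

The second test is the one worth keeping in a regression suite: the failure mode in the question was not that the embed page lacked the relaxed header, but that the relaxation leaked to every response. On Spring Security 5.7 and later the same split is expressed as two SecurityFilterChain beans, with securityMatcher(...) taking the role of antMatcher(...), and the MockMvc checks carry over unchanged.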