X-Frame DENY in jQuery Spring Security

I am using it in a Spring project, but the browser shows the following error:

Refused to display 'http://localhost:8086/DART/fleetAndCar/download/5' in a frame because it set 'X-Frame-Options' to 'DENY'.
Multiple 'X-Frame-Options' headers with conflicting values ('DENY, SAMEORIGIN') encountered when loading 'http://localhost:8086/DART/fleetAndCar/download/5'. Falling back to 'DENY'.
I read a question about X-Frame in Spring Security, so I added:

http
    .headers()
      .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
But it did not change it; instead it added the same element, so I get the following error:

Refused to display 'http://localhost:8086/DART/fleetAndCar/download/5' in a frame because it set 'X-Frame-Options' to 'DENY'.
Multiple 'X-Frame-Options' headers with conflicting values ('DENY, SAMEORIGIN') encountered when loading 'http://localhost:8086/DART/fleetAndCar/download/5'. Falling back to 'DENY'.
This is the HTTP request:

This is my Spring configuration:

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
            .antMatcher("/client/**")
            .authorizeRequests()
            //Exclude send file from authentication because it doesn't work with spring authentication
            .antMatchers(HttpMethod.POST, "/client/file").permitAll()
            .anyRequest().authenticated()
            .and()
            .httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter{

        @Autowired
        RoleServices roleServices;

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
            //Spring Security ignores request to static resources such as CSS or JS files.
            .ignoring()
            .antMatchers("/static/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            List<Role> roles=roleServices.getRoles();
            //Retrieve array of roles(only string field without id)
            String[] rolesArray = new String[roles.size()];
            int i=0;
            for (Role role:roles){
                rolesArray[i++] = role.getRole();
            }

            http
            .headers()
               .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
               .and()
            .authorizeRequests() //Authorize Request Configuration
            .anyRequest().hasAnyRole(rolesArray)//.authenticated()
            .and() //Login Form configuration for all others
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .exceptionHandling().accessDeniedPage("/403")
            .and()
            .logout()
            .logoutSuccessUrl("/login?logout")
            .permitAll();

        }
    }
How can I solve this problem? Thanks (despite the error, the download works fine).

Try

http
   .headers()
       .frameOptions()
           .sameOrigin();

You can do it in your Spring Security configuration file like this:

<http>    
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>
For older Spring versions, use:

http
   .headers()
       .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
instead of:

http.headers().frameOptions().sameOrigin();
Finally, these are the available options:

DENY: does not allow any domain to display this page within a frame

SAMEORIGIN: allows the current page to be displayed in a frame on another page, but only within the current domain

ALLOW-FROM: allows the current page to be displayed in a frame, but only at a specific URI. For example www.example.com/frame page
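The question's error comes from two X-Frame-Options headers (the DENY that Spring Security writes by default, plus the SAMEORIGIN writer that was added on top), and the answer's fix leaves a single SAMEORIGIN header. The checker below is an added example, not code from the question or the answer; it applies the browser's framing decision from the error message (conflicting values fall back to DENY) to constructed header lines, so you can paste the raw headers of a deployed endpoint into it and confirm the fix before relying on it.

```python
"""Evaluate X-Frame-Options over raw response header lines the way the browser in the question does."""
from typing import List, Tuple

# Constructed sample headers; the DENY/SAMEORIGIN pair mirrors the question's error.
BEFORE_FIX = [
    "HTTP/1.1 200 OK",
    "X-Frame-Options: DENY",        # default header writer registered by Spring Security
    "X-Frame-Options: SAMEORIGIN",  # second writer added via addHeaderWriter(...)
    "Content-Type: application/octet-stream",
]
AFTER_FIX = [
    "HTTP/1.1 200 OK",
    "X-Frame-Options: SAMEORIGIN",  # single header after frameOptions().sameOrigin()
    "Content-Type: application/octet-stream",
]


def x_frame_options_values(header_lines: List[str]) -> List[str]:
    """Collect every X-Frame-Options value, whether the header was repeated or comma-joined."""
    values: List[str] = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    return values


def framing_allowed(header_lines: List[str], frame_origin: str, ancestor_origin: str) -> Tuple[bool, str]:
    """Decide whether a page at ancestor_origin may frame a response from frame_origin.

    Returns (allowed, reason). Mirrors the browser logic visible in the question: more than one
    distinct value is a conflict that falls back to DENY; a lone SAMEORIGIN needs a same-origin
    ancestor; unrecognised or obsolete values such as ALLOW-FROM are not enforced by current browsers.
    """
    unique = sorted(set(x_frame_options_values(header_lines)))
    if not unique:
        return True, "no X-Frame-Options header"
    if len(unique) > 1:
        return False, f"conflicting values {unique}; browser falls back to DENY"
    value = unique[0]
    if value == "DENY":
        return False, "DENY"
    if value == "SAMEORIGIN":
        if frame_origin == ancestor_origin:
            return True, "SAMEORIGIN and the ancestor is same-origin"
        return False, f"SAMEORIGIN but ancestor {ancestor_origin} differs from {frame_origin}"
    return True, f"value {value!r} is not enforced by current browsers"


if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, framing_allowed(headers, "http://localhost:8086", "http://localhost:8086"))
```

A quick way to feed it real data is `curl -sI http://localhost:8086/DART/fleetAndCar/download/5` and passing the output lines to `framing_allowed`.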

Could you provide more details related to your code? Thank you

@Robert I have answered this question in detail, just in case.