I have enabled the Spring Security headers. By default X-FRAME-OPTIONS is DENY. But for some responses I should set X-FRAME-OPTIONS to SAMEORIGIN. I tried adding a request matcher, but then it gets added as X-Frame-Options (DENY, SAMEORIGIN). How do I avoid the default value (DENY) for the request matcher?

My code looks like this:
<security:headers disabled="false">
    <security:header ref="xFrameOptionsHeaderWriter"/>
    <security:content-security-policy policy-directives="script-src 'self' 'unsafe-inline' 'unsafe-eval'" />
    <security:cache-control disabled="true"/>
</security:headers>

<bean id="xFrameOptionsHeaderWriter" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
    <constructor-arg>
        <bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
            <constructor-arg>
                <bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
                    <constructor-arg>
                        <list>
                            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                                <constructor-arg value="/**/flows/javax.faces.resource/dynamiccontent.properties/**" />
                            </bean>
                        </list>
                    </constructor-arg>
                </bean>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter">
            <constructor-arg value="SAMEORIGIN"/>
        </bean>
    </constructor-arg>
</bean>
Answer 0 (score: 2)
Spring Security's <header> element adds a new HTTP header, it does not replace an existing HTTP header; see the Spring Security Reference:

41.1.16 <header>
Add additional headers to the response, both the name and value need to be specified.

You have to disable the frame-options; see the Spring Security Reference:

41.1.13 <frame-options>
When enabled adds the X-Frame-Options header to the response, this allows newer browsers to do some security checks and prevent clickjacking attacks.

Your modified Spring Security headers configuration:
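The following is an added example of the configuration the answer describes; it is not the answer's own snippet and not taken from the Spring Security reference. It keeps the question's path pattern and the same Spring Security classes, and it assumes the bean ids framingAllowedMatcher, sameOriginFrameOptionsWriter and denyFrameOptionsWriter, which are names chosen here for illustration. It goes one step further than the question: because the built-in DENY writer is switched off with <security:frame-options disabled="true"/>, the example reinstates DENY explicitly for every request that does not match, so no response leaves without an X-Frame-Options header.

```xml
<!-- Added example configuration, not the original poster's or the answerer's code.
     Bean ids (framingAllowedMatcher, sameOriginFrameOptionsWriter,
     denyFrameOptionsWriter) are assumptions made for this example. -->
<security:headers>
    <!-- Switch off the default X-Frame-Options: DENY writer. If it stays on,
         the custom writer only appends a second value and the header arrives
         as "DENY, SAMEORIGIN", which is the problem the question reports. -->
    <security:frame-options disabled="true"/>

    <!-- Two delegating writers whose request matchers are complementary,
         so exactly one of them writes the header on every response. -->
    <security:header ref="sameOriginFrameOptionsWriter"/>
    <security:header ref="denyFrameOptionsWriter"/>

    <!-- Carried over unchanged from the question. -->
    <security:content-security-policy policy-directives="script-src 'self' 'unsafe-inline' 'unsafe-eval'"/>
    <security:cache-control disabled="true"/>
</security:headers>

<!-- The set of requests that may be framed by pages from the same origin.
     Same Ant pattern as in the question. -->
<bean id="framingAllowedMatcher"
      class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
    <constructor-arg value="/**/flows/javax.faces.resource/dynamiccontent.properties/**"/>
</bean>

<!-- Matching requests get X-Frame-Options: SAMEORIGIN. -->
<bean id="sameOriginFrameOptionsWriter"
      class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
    <constructor-arg ref="framingAllowedMatcher"/>
    <constructor-arg>
        <bean class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter">
            <!-- Spring converts the string to the XFrameOptionsMode enum. -->
            <constructor-arg value="SAMEORIGIN"/>
        </bean>
    </constructor-arg>
</bean>

<!-- Everything else gets X-Frame-Options: DENY, which restores the default
     that <frame-options disabled="true"/> removed. -->
<bean id="denyFrameOptionsWriter"
      class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
    <constructor-arg>
        <bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
            <constructor-arg ref="framingAllowedMatcher"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter">
            <constructor-arg value="DENY"/>
        </bean>
    </constructor-arg>
</bean>
```

The question's own writer wraps the pattern in a NegatedRequestMatcher, that is, it relaxes to SAMEORIGIN everywhere except that path; to keep that direction, move the NegatedRequestMatcher from the DENY writer to the SAMEORIGIN writer and give the DENY writer the plain matcher. Either way, the two matchers must be exact complements, otherwise some responses carry two values again or none at all. A combined value such as "DENY, SAMEORIGIN" is not a valid X-Frame-Options value, and how a browser treats it is browser-specific, so the header must be verified in the actual response (for example with curl -I against a path in each set) rather than assumed from the configuration. If the application already ships a Content-Security-Policy, a frame-ancestors directive is the standardised way to express the same framing rules per path.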