I am trying to disable the X-Frame-Options header, or set it to SAME_ORIGIN, for specific URLs in a Spring Boot project using Spring Security. I am pasting the code below:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only delegate to the wrapped writer for requests matching this Ant pattern
        RequestMatcher matcher = new AntPathRequestMatcher("**/course/embed/**");
        // XFrameOptionsHeaderWriter's no-arg constructor writes X-Frame-Options: DENY
        DelegatingRequestMatcherHeaderWriter headerWriter =
                new DelegatingRequestMatcherHeaderWriter(matcher, new XFrameOptionsHeaderWriter());
        http.headers()
            .frameOptions().sameOrigin()
            .addHeaderWriter(headerWriter);
    }
}
I am using AntRequestMatcher, but this does not work; instead it disables the X-Frame-Options header on all responses. Is there a better way to do this? Please help.
Answer 0: (score: 2)
You need to configure multiple HttpSecurity instances. The key is to extend WebSecurityConfigurerAdapter multiple times. For example, the following is an example of configuring URLs that match **/course/embed/** differently. If matched, X-Frame-Options will be SAMEORIGIN, otherwise DENY.
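The answer above describes the multiple-HttpSecurity approach but its code example did not survive on this page. The following is an added example written for this page, not the answerer's code: two WebSecurityConfigurerAdapter subclasses, one scoped with antMatcher() to the embed URLs and emitting SAMEORIGIN, the other catching everything else and emitting DENY. Class names, the @Order values and the authorizeRequests() rules are assumptions chosen for the illustration. The Ant pattern is written with a leading slash because Spring's AntPathMatcher only matches when the pattern and the request path agree on the leading "/"; a pattern starting with "**" never matches a servlet path.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // First filter chain (lower @Order wins): only requests whose path matches
    // the embed pattern are handled here. Nested class names are assumptions.
    @Configuration
    @Order(1)
    public static class EmbedSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Restrict this whole HttpSecurity to the embeddable course pages.
                // Leading "/" is required for AntPathMatcher to match servlet paths.
                .antMatcher("/**/course/embed/**")
                .authorizeRequests()
                    .anyRequest().permitAll()   // assumption: embeds are public
                    .and()
                .headers()
                    // X-Frame-Options: SAMEORIGIN, so same-origin pages may frame these URLs
                    .frameOptions().sameOrigin();
        }
    }

    // Second filter chain: everything not claimed by the chain above.
    // @Order values must be unique across WebSecurityConfigurerAdapters, or
    // Spring Security refuses to start; the default order is 100.
    @Configuration
    @Order(2)
    public static class DefaultSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .headers()
                    // X-Frame-Options: DENY, which is also Spring Security's default
                    .frameOptions().deny();
        }
    }
}
```

To confirm which header each chain emits, request one URL from each side and inspect the response headers, for example with `curl -sI http://localhost:8080/course/embed/1 | grep -i x-frame-options` versus the same command against `/`; the first should print SAMEORIGIN and the second DENY. Because antMatcher() scopes the entire filter chain, not just the header writer, keep the authorization rules of the embed chain as tight as the application allows.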