通过XML

时间:2017-10-26 16:38:43

标签: spring security spring-security

我被要求在REST API的所有响应中设置Content-Security-Policy标题,而无需单独配置它们。

接口本身由saml保护,我添加WebSecurityConfigurerAdapter类的努力产生了干扰spring-security-saml2-core库的不幸影响。 (结果是我的配置器的配置方法从未被调用过)。由于这个库实际上是一个黑盒子,我宁愿不管它

我能看到的唯一选择是使用XML配置添加标头。但是如何?

我看到很多文档建议添加:

<http>
  <!-- ... -->

  <headers>
    <content-security-policy policy-directives="script-src 'self'" />
  </headers>
</http>

但到了哪里?我知道http是Spring安全名称空间的一部分,但是当我收到错误时,标题似乎不是有效的子元素:

ERROR org.springframework.web.context.ContextLoader - Context initialization failed
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 35 in XML document from ServletContext resource [/WEB-INF/security-context.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 35; columnNumber: 13; cvc-complex-type.2.4.a: Invalid content was found starting with element 'headers'. One of '{"http://www.springframework.org/schema/security":intercept-url, "http://www.springframework.org/schema/security":access-denied-handler, "http://www.springframework.org/schema/security":form-login, "http://www.springframework.org/schema/security":openid-login, "http://www.springframework.org/schema/security":x509, "http://www.springframework.org/schema/security":jee, "http://www.springframework.org/schema/security":http-basic, "http://www.springframework.org/schema/security":logout, "http://www.springframework.org/schema/security":session-management, "http://www.springframework.org/schema/security":remember-me, "http://www.springframework.org/schema/security":anonymous, "http://www.springframework.org/schema/security":port-mappings, "http://www.springframework.org/schema/security":custom-filter, "http://www.springframework.org/schema/security":request-cache, "http://www.springframework.org/schema/security":expression-handler, "http://www.springframework.org/schema/security":headers, "http://www.springframework.org/schema/security":csrf, "http://www.springframework.org/schema/security":cors}' is expected.

1 个答案:

答案 0 :(得分:1)

你可以试试:

<security:http entry-point-ref="">
<security:headers>
     <security:content-security-policy policy-directives="default-src 'self'"/>
</security:headers>
</security:http>