WhiteListedAllowFromStrategy doesn't work

Time: 2019-06-09 06:21:24

Tags: spring spring-security x-frame-options

I am using Spring Security 5.1.5.RELEASE and trying to set X-Frame-Options to ALLOW FROM.

I use WhiteListedAllowFromStrategy and pass it a list of whitelisted URLs, yet the header that is sent is still X-Frame-Options: DENY.

import java.util.Arrays;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        String[] permittedRoutes = {"/", "/register"};

        // Remove the default X-Frame-Options writer (DENY) and register one that
        // uses the whitelist strategy; the strategy decides the header value per request.
        http
            .headers()
                .frameOptions()
                    .disable()
                .addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("https://google.com"))));

        http
            .authorizeRequests()
                .antMatchers(permittedRoutes).permitAll()
                .and()
            .authorizeRequests()
                .antMatchers("/**").authenticated()
                .and()
            .formLogin()
                .loginPage("/")
                .defaultSuccessUrl("/home", true)
                .permitAll()
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .permitAll()
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/?logout");
    }

    @Override
    public void configure(WebSecurity web) {
        web
            .ignoring()
                .antMatchers("/assets/**", "/css/**", "/images/**", "/js/**", "/fonts/**", "fonts.googleapis.com/**", "fonts.gstatic.com/**");
    }
}

Any clues?

1 answer:

Answer 0: (score: 3)

To use WhiteListedAllowFromStrategy, the x-frames-allow-from parameter (with the origin as its value) must be added to the request; see XFrameOptionsHeaderWriter with WhiteListedAllowFromStrategy doesn't work

rwinch commented on Oct 21, 2014

You need to ensure that you are providing the origin with the x-frames-allow-from parameter, and that origin must match one of the whitelisted origins.

See also WhiteListedAllowFromStrategy#setAllowFromParameterName

public void setAllowFromParameterName(java.lang.String allowFromParameterName)

Sets the HTTP parameter used to retrieve the value for the origin that is allowed from. The value of the parameter should be a valid URL. The default parameter name is "x-frames-allow-from".

If you only allow one origin, you could use StaticAllowFromStrategy instead of WhiteListedAllowFromStrategy
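As an added illustration (not code from the question or the answer), the following standalone program drives the same XFrameOptionsHeaderWriter the question configures against constructed mock requests, with and without the x-frames-allow-from parameter, and prints the X-Frame-Options value each case produces; it also shows the StaticAllowFromStrategy alternative the answer mentions. It assumes spring-security-web and spring-test (for MockHttpServletRequest and MockHttpServletResponse) are on the classpath; the class name AllowFromDemo and the second origin are my own choices.

```java
import java.net.URI;
import java.util.Arrays;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

/**
 * Added demonstration (hypothetical class, not from the question or answer):
 * runs the header writer from the question against mock requests to show
 * which X-Frame-Options value each strategy emits.
 */
public class AllowFromDemo {

    // Writes the header for one constructed request and returns the resulting value.
    static String headerFor(XFrameOptionsHeaderWriter writer, String allowFromParam) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/home");
        if (allowFromParam != null) {
            // Default parameter name read by the request-parameter strategies;
            // changeable via setAllowFromParameterName(...).
            request.setParameter("x-frames-allow-from", allowFromParam);
        }
        MockHttpServletResponse response = new MockHttpServletResponse();
        writer.writeHeaders(request, response);
        return response.getHeader("X-Frame-Options");
    }

    public static void main(String[] args) {
        // The writer from the question: whitelist containing a single origin.
        XFrameOptionsHeaderWriter whitelisted = new XFrameOptionsHeaderWriter(
                new WhiteListedAllowFromStrategy(Arrays.asList("https://google.com")));

        // No parameter on the request: the strategy has no origin to check,
        // so it falls back to DENY (the behaviour the question reports).
        System.out.println("whitelist, no parameter:       " + headerFor(whitelisted, null));

        // Parameter present and equal to a whitelisted origin: ALLOW-FROM <origin>.
        System.out.println("whitelist, matching parameter: " + headerFor(whitelisted, "https://google.com"));

        // Parameter present but not whitelisted (constructed origin): DENY again.
        System.out.println("whitelist, unlisted parameter: " + headerFor(whitelisted, "https://other.example"));

        // One fixed origin, as the answer suggests: no request parameter is needed.
        XFrameOptionsHeaderWriter fixed = new XFrameOptionsHeaderWriter(
                new StaticAllowFromStrategy(URI.create("https://google.com")));
        System.out.println("static, no parameter:          " + headerFor(fixed, null));
    }
}
```

The whitelist comparison is an exact string match against the list you pass in, so a parameter value that differs only by a trailing slash or scheme still yields DENY. Note also that ALLOW-FROM is an obsolete X-Frame-Options directive that current browsers do not honour; for framing control on modern clients, set a Content-Security-Policy frame-ancestors directive alongside (or instead of) this header.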