[英]How to disable 'X-Frame-Options' response header in Spring Security?
I have CKeditor on my jsp and whenever I upload something, the following error pops out:我的 jsp 上有 CKeditor,每当我上传内容时,都会弹出以下错误:
Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.
I have tried removing Spring Security and everything works like a charm.我试过删除 Spring Security,一切都很顺利。 How can I disable this in spring security xml file?
如何在 spring 安全 xml 文件中禁用此功能? What should I write between
<http>
tags <http>
标签之间应该写什么
By default X-Frame-Options
is set to denied, to prevent clickjacking attacks.默认情况下,
X-Frame-Options
设置为拒绝,以防止点击劫持攻击。 To override this, you can add the following into your spring security config要覆盖它,您可以将以下内容添加到您的 spring 安全配置中
<http>
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
</http>
Here are available options for policy以下是可用的政策选项
For more information take a look here .有关更多信息,请查看此处。
And here to check how you can configure the headers using either XML or Java configs. 在这里检查如何使用 XML 或 Java 配置来配置标头。
Note, that you might need also to specify appropriate strategy
, based on needs.请注意,您可能还需要根据需要指定适当的
strategy
。
如果您使用 Java 配置而不是 XML 配置,请将其放入您的WebSecurityConfigurerAdapter.configure(HttpSecurity http)
方法中:
http.headers().frameOptions().disable();
Most likely you don't want to deactivate this Header completely, but use SAMEORIGIN
.您很可能不想完全停用此 Header,而是使用
SAMEORIGIN
。 If you are using the Java Configs ( Spring Boot
) and would like to allow the X-Frame-Options: SAMEORIGIN
, then you would need to use the following.如果您正在使用 Java 配置 (
Spring Boot
) 并希望允许 X-Frame-Options: SAMEORIGIN
,那么您需要使用以下内容。
For older Spring Security versions:对于较旧的 Spring Security 版本:
http
.headers()
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
For newer versions like Spring Security 4.0.2 :对于较新的版本,如Spring Security 4.0.2 :
http
.headers()
.frameOptions()
.sameOrigin();
If using XML configuration you can use如果使用 XML 配置,您可以使用
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security">
<security:http>
<security:headers>
<security:frame-options disabled="true"></security:frame-options>
</security:headers>
</security:http>
</beans>
If you are using Spring Security's Java configuration, all of the default security headers are added by default.如果您使用的是 Spring Security 的 Java 配置,则默认情况下会添加所有默认安全标头。 They can be disabled using the Java configuration below:
可以使用以下 Java 配置禁用它们:
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers().disable()
...;
}
}
If you're using Spring Boot, the simplest way to disable the Spring Security default headers is to use security.headers.*
properties.如果您使用 Spring Boot,禁用 Spring Security 默认标头的最简单方法是使用
security.headers.*
属性。 In particular, if you want to disable the X-Frame-Options
default header, just add the following to your application.properties
:特别是,如果您想禁用
X-Frame-Options
默认标头,只需将以下内容添加到您的application.properties
:
security.headers.frame=false
There is also security.headers.cache
, security.headers.content-type
, security.headers.hsts
and security.headers.xss
properties that you can use.您还可以使用
security.headers.cache
、 security.headers.content-type
、 security.headers.hsts
和security.headers.xss
属性。 For more information, take a look at SecurityProperties
.有关更多信息,请查看
SecurityProperties
。
You should configure multiple HttpSecurity instances.您应该配置多个 HttpSecurity 实例。
Here is my code where only /public/ ** requests are without X-Frame-Options header.这是我的代码,其中只有/public/ ** 请求没有X-Frame-Options标头。
@Configuration
public class SecurityConfig {
/**
* Public part - Embeddable Web Plugin
*/
@Configuration
@Order(1)
public static class EmbeddableWebPluginSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
// Disable X-Frame-Option Header
http.antMatcher("/public/**").headers().frameOptions().disable();
}
}
/**
* Private part - Web App Paths
*/
@Configuration
@EnableOAuth2Sso
public static class SSOWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.antMatcher("/**")
.authorizeRequests()
.antMatchers("/public/**", "/", "/login**", "/webjars/**", "/error**", "/static/**", "/robots", "/robot", "/robot.txt", "/robots.txt")
.permitAll()
.anyRequest()
.authenticated()
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/bye");
}
/**
* Public API endpoints
*/
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/api/**");
}
}
}
.csrf().disable()
its to dangerous. .csrf().disable()
它很危险。
test:测试:
.headers().frameOptions().sameOrigin()
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.