How to disable 'X-Frame-Options' response header in Spring Security?

I have CKeditor on my jsp and whenever I upload something, the following error pops out:

 Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.

I have tried removing Spring Security and everything works like a charm. How can I disable this in the Spring Security XML file? What should I write between the <http> tags?

By default X-Frame-Options is set to DENY, to prevent clickjacking attacks. To override this, you can add the following into your Spring Security config:

<http>    
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Here are the available options for policy:

  • DENY - is the default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself.
  • ALLOW-FROM - Allows you to specify an origin where the page can be displayed in a frame.

For more information take a look here.

And here to check how you can configure the headers using either XML or Java configs.

Note that you might also need to specify an appropriate strategy, based on your needs.

If you are using Java config instead of XML config, put this into your WebSecurityConfigurerAdapter.configure(HttpSecurity http) method:

http.headers().frameOptions().disable();

Most likely you don't want to deactivate this header completely, but use SAMEORIGIN. If you are using the Java Configs (Spring Boot) and would like to allow X-Frame-Options: SAMEORIGIN, then you would need to use the following.

For older Spring Security versions:

http
   .headers()
       .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN));

For newer versions like Spring Security 4.0.2:

http
   .headers()
      .frameOptions()
         .sameOrigin();

If using XML configuration you can use:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
    <security:http>
        <security:headers>
            <security:frame-options disabled="true"></security:frame-options>
        </security:headers>
    </security:http>
</beans>

If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Removes every default security header (X-Frame-Options, HSTS, X-Content-Type-Options, ...)
    http
      .headers().disable();
    // ... rest of the configuration
  }
}

If you're using Spring Boot, the simplest way to disable the Spring Security default headers is to use the security.headers.* properties. In particular, if you want to disable the X-Frame-Options default header, just add the following to your application.properties:

security.headers.frame=false

There are also security.headers.cache, security.headers.content-type, security.headers.hsts and security.headers.xss properties that you can use. For more information, take a look at SecurityProperties.

You should configure multiple HttpSecurity instances.

Here is my code where only /public/** requests are without the X-Frame-Options header.

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class SecurityConfig {

    /**
     * Public part - Embeddable Web Plugin
     */
    @Configuration
    @Order(1)
    public static class EmbeddableWebPluginSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Disable the X-Frame-Options header for /public/** only
            http.antMatcher("/public/**").headers().frameOptions().disable();
        }
    }

    /**
     * Private part - Web App Paths
     */
    @Configuration
    @EnableOAuth2Sso
    public static class SSOWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()   // turns off CSRF protection for every path this adapter handles
                .antMatcher("/**")
                .authorizeRequests()
                .antMatchers("/public/**", "/", "/login**", "/webjars/**", "/error**", "/static/**", "/robots", "/robot", "/robot.txt", "/robots.txt")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/bye");
        }

        /**
         * Public API endpoints
         */
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/api/**");
        }
    }
}

.csrf().disable() is too dangerous.
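The thread's advice adds up to: don't disable the header or CSRF globally, relax X-Frame-Options to SAMEORIGIN only where the CKEditor iframe needs it, and keep DENY everywhere else. The configuration below is an added example (not code from the question or any answer) that does exactly that with two ordered HttpSecurity instances; it assumes the WebSecurityConfigurerAdapter API (Spring Security 4.x/5.x) and a hypothetical upload path pattern /**/upload-image taken from the URL in the error message.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example, not from the original thread. Assumes Spring Security 4.x/5.x
// (WebSecurityConfigurerAdapter API) and that the CKEditor upload endpoint matches
// the hypothetical pattern "/**/upload-image".
@Configuration
@EnableWebSecurity
public class FrameOptionsConfig {

    /**
     * Only the CKEditor upload endpoint is relaxed to SAMEORIGIN. The editor's iframe
     * loads it from the same origin (localhost:8080 in the question), so DENY is the
     * only default that breaks it. CSRF protection stays enabled here, so the upload
     * form must still carry the CSRF token.
     */
    @Configuration
    @Order(1)  // evaluated before the default-ordered adapter below
    public static class UploadFrameConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/**/upload-image")
                .authorizeRequests().anyRequest().authenticated()
                .and().headers().frameOptions().sameOrigin();
        }
    }

    /**
     * Every other path keeps all default security headers, including
     * X-Frame-Options: DENY, and the default CSRF protection.
     */
    @Configuration
    public static class DefaultConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and().formLogin();
        }
    }
}
```

To confirm the split, request the upload path and any other path with curl -I (after logging in) and compare the X-Frame-Options value in the two responses: SAMEORIGIN on the first, DENY on the second.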

Test:

.headers().frameOptions().sameOrigin()
