
Disable X-FrameOptions response header for a URL Spring Security JAVA config

I am trying to disable or set the XFrameOptions header to SAME_ORIGIN for a particular URL in my Spring Boot project with Spring Security. I am pasting the code below:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only requests whose path matches this Ant pattern should get the delegated writer
        RequestMatcher matcher = new AntPathRequestMatcher("**/course/embed/**");

        // XFrameOptionsHeaderWriter's no-arg constructor writes X-Frame-Options: DENY
        DelegatingRequestMatcherHeaderWriter headerWriter =
                new DelegatingRequestMatcherHeaderWriter(matcher, new XFrameOptionsHeaderWriter());

        // The default frame-options writer stays registered (now as SAMEORIGIN) and the
        // delegating writer is added on top of it
        http.headers()
                .frameOptions().sameOrigin()
                .addHeaderWriter(headerWriter);
    }
}

I am using AntRequestMatcher but that does not work; it instead disabled the XFrameOptions header for all the responses. Is there a better way to do this? Please help.

You need to configure multiple HttpSecurity instances. The key is to extend the WebSecurityConfigurerAdapter multiple times. For example, the following is an example of having a different configuration for URLs that match with **/course/embed/**. If it matches, X-Frame-Options will be SAMEORIGIN, otherwise DENY.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebMVCSecurity {
    // Configure authentication as normal. Optional; shown only to indicate you can add other config like this.
    // Note: on Spring Security 5+, in-memory passwords need a PasswordEncoder id prefix such as {noop}
    // (or a configured PasswordEncoder), otherwise authentication fails at login time.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER").and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    // Create an instance of WebSecurityConfigurerAdapter that carries @Order to specify which
    // WebSecurityConfigurerAdapter should be considered first.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // http.antMatcher states that this HttpSecurity is only applicable to URLs that match **/course/embed/**.
            // It declares no authorizeRequests() rules, so requests matching it are not required to authenticate;
            // add authorization rules here if the embedded pages must not be public.
            http.antMatcher("**/course/embed/**").headers().frameOptions().sameOrigin();
        }
    }

    // Create another instance of WebSecurityConfigurerAdapter.
    // If the URL does not match **/course/embed/**, this configuration is used.
    // It is considered after ApiWebSecurityConfigurationAdapter since its @Order value comes after 1
    // (no @Order defaults to last).
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin();

            // bla bla bla ...
        }
    }
}
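The same per-path split expressed with the SecurityFilterChain beans that replaced WebSecurityConfigurerAdapter (deprecated in Spring Security 5.7, removed in 6). This is an added example, not code from the question or the answer; the class name and the /course/embed/** prefix are assumptions (a pattern with a leading "**/" is not accepted by the PathPattern matcher used by Spring Security 6 with Spring MVC), and the embed chain permits anonymous access to mirror the answer's first adapter, which declares no authorization rules.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class EmbedFrameOptionsConfig {   // hypothetical class name

    // Chain 1: only the embeddable course pages. @Order(1) makes it the first chain tried;
    // securityMatcher limits it to this path prefix (assumed path, adjust to the application).
    @Bean
    @Order(1)
    public SecurityFilterChain embedChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/course/embed/**")
            // No login for embedded pages; tighten this if they carry non-public data
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            // X-Frame-Options: SAMEORIGIN only for responses from this chain
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }

    // Chain 2: everything else. No securityMatcher means it catches all remaining requests,
    // keeps Spring Security's default X-Frame-Options: DENY and requires form login.
    @Bean
    public SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Verify the result by requesting a path under /course/embed/ and one outside it and comparing the X-Frame-Options response header; only the first should report SAMEORIGIN.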
