将X-Frame-Options的配置更改为ALLOW-FROM时,Spring Boot中出现异常
[英]Exception in Spring Boot when changing configuration of X-Frame-Options to ALLOW-FROM
问题描述
I've been working for a while in a project that uses Spring Boot and now, as a requirement, I'm using some html files that I will need to render, one of them uses an iframe to display the information of another web page (from another business unit of the same company but in a different domain). 
我在使用Spring Boot的项目中工作了一段时间,现在,根据需要,我使用了一些需要渲染的html文件,其中一个使用iframe来显示另一个网页的信息。 (来自同一公司但位于不同域中的另一个业务部门)。
So far, what I did in the SpringConfiguration is the following: 到目前为止,我在SpringConfiguration中所做的工作如下:
@EnableWebSecurity
@Configuration
public class MyApplicationConfiguration extends WebSecurityConfigurerAdapter {
@Value("${company.domain}")
private String companyDomain;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers().frameOptions().disable().addHeaderWriter(new XFrameOptionsHeaderWriter(new StaticAllowFromStrategy(URI.create(this.companyDomain))));
}
}
It should work fine according to what I checked on the Internet and forums, but it is failing mentioning the following: 根据我在Internet和论坛上查看的内容,它应该可以正常工作,但是未能提及以下内容:
Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Injection of autowired dependencies failed; nested exception is java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. Order of 100 was already used on com.sampleapp.myapp.ecards.MyApplicationConfiguration$$EnhancerBySpringCGLIB$$24364a75@13ecedf6, so it cannot be used on com.sampleapp.dep.dsp.core.autoconfigure.DsfCoreAutoConfiguration$DSFServerWebSecurityConfig$$EnhancerBySpringCGLIB$$a540fd8@7ec416a0 too.
Just to mention, I see that the solution would be to remove the @Order annotation in the context of my project, but I do not have any @Order annotation in my project. 只需提一下,我看到解决方案是在项目的上下文中删除@Order批注,但是我的项目中没有任何@Order批注。 Additionally, the projects in this company are created using some pre-defined maven archetypes that will create a custom folder structure for all the Software components as well as the creation of the pom.xml with all the required dependencies (using those dependencies is a must, so I cannot remove any of them, just add). 此外,该公司的项目是使用一些预定义的Maven原型创建的,这些原型将为所有软件组件创建自定义文件夹结构,并创建具有所有必需依赖项的pom.xml(必须使用这些依赖项) ,因此我无法删除其中任何一个,只需添加)。 Furthermore, I cannot edit or remove annotation on components that are being used as dependencies of my project. 此外,我无法编辑或删除用作项目依赖项的组件上的注释。
What other solution would you recommend? 您还建议其他什么解决方案? Or if there's any workaround to fix this problem? 或是否有解决此问题的解决方法?
Thanks in advance for your time and help. 在此先感谢您的时间和帮助。
1 个解决方案
解决方案1
1 已采纳 2017-11-29 21:15:30
The default order for a WebSecurityConfigurer adapter is 100 and you appear to have two in your application: WebSecurityConfigurer适配器的默认顺序为100,并且您的应用程序中似乎有两个:
-
com.sampleapp.myapp.ecards.MyApplicationConfiguration -
com.sampleapp.dep.dsp.core.autoconfigure.DsfCoreAutoConfiguration$DSFServerWebSecurityConfig
You should update one of them to be explicitly annotated with @Order , specifying a value other than 100. Given the limitations you've described, adding @Order to com.sampleapp.myapp.ecards.MyApplicationConfiguration seems to be more likely to be ok. 您应该更新其中一个以@Order显式注释,并指定一个非100的值。鉴于您已描述的限制,将@Order添加到com.sampleapp.myapp.ecards.MyApplicationConfiguration似乎更可能。 Whether its order should be higher or lower will depend on the relationship between the the different parts of your security configuration and, if that configuration overlaps, which one you want to take precedence. 其顺序是高还是低取决于安全配置的不同部分之间的关系,如果该配置重叠,则要优先使用哪一个。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.