How does .headers().frameOptions().disable() work? About Spring Security, to allow, control and get access to the H2 web console
I read these two posts:

In conclusion, it is mandatory to use the following ("improved" in some way):
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .mvcMatchers("/admin/**").hasRole("ADMIN")
            ...
            .mvcMatchers("/h2-console/**").hasRole("ADMIN")
        .and()
            .csrf().ignoringAntMatchers("/h2-console/**")
        .and()
            .headers().frameOptions().disable()
        .and()
```
From the above, it is better to use .csrf().ignoringAntMatchers("/h2-console/**") instead of csrf().disable(), for security reasons: the former disables CSRF only for /h2-console/, while the latter is global and is not recommended.

Until here I am fine, and I am able to see the H2 web console once the login process has happened and the user has the required role.
Now it is mandatory to use .headers().frameOptions().disable(); if it is not used, the following happens: the "localhost refused to connect" message appears in every inner block when the mouse cursor is over any of them.
My doubts are:

1. How does .headers().frameOptions().disable() work?
2. Consider the difference between .csrf().ignoringAntMatchers("/h2-console/**") and csrf().disable(), where the former is specific and the latter is "global" (and is not recommended). Therefore, perhaps a specific configuration is available that is much better than .headers().frameOptions().disable() (at first glance, for me, it is a "global" configuration), to only apply to /h2-console/?
3. Does .headers().frameOptions().disable() have any negative effect, directly or indirectly, on other configure(HttpSecurity http) configuration? (Mostly for Production)

First, let's look at the X-Frame-Options response header.
This header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.

Spring Security sets the X-Frame-Options response header to DENY by default. This tells the browser that the page cannot be displayed in a frame, regardless of the site attempting to do so.

Since the H2 console UI is using <frame> elements, these will not be rendered and you will see the error screen that you shared in your question.

Spring Security allows you to customise this behaviour using .headers().frameOptions() in the Security DSL.

If you choose to disable the X-Frame-Options header (not recommended) by setting .headers().frameOptions().disable(), then Spring Security will not add the X-Frame-Options header to the response. This means your application could be rendered in a frame, and also could be vulnerable to Clickjacking attacks.

Instead of disabling it, it is sufficient to set X-Frame-Options to SAMEORIGIN for this use case.
```java
http
    .headers(headers -> headers
        .frameOptions(frameOptions -> frameOptions
            .sameOrigin()
        )
    );
```
This tells the browser that the page can only be displayed in a frame on the same origin as the page itself. Since the frames in the H2 console UI (such as http://localhost:8080/h2-console/tables.do) are on the same origin as the H2 console (http://localhost:8080/h2-console), the browser will allow them to be displayed. However, if a different (potentially malicious) website tried to embed one of the pages, the browser would not allow it.
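As an added example (not code from the question, the answer, Spring Security or H2), the following Python script models the browser-side decision the answer describes: it reads the X-Frame-Options header out of a raw HTTP response and decides whether the page may be rendered inside a given chain of framing pages. The three response heads are constructed by hand to mirror Spring Security's default (DENY), .frameOptions().sameOrigin(), and .frameOptions().disable(); the attacker URL is a placeholder. The model goes slightly beyond the answer in that it checks every ancestor frame's origin for SAMEORIGIN, which is what current browsers do.

```python
"""Model of how a browser applies X-Frame-Options (XFO) to a framed page.

Added example: not code from the question, the answer, Spring Security or H2.
The HTTP responses below are constructed to mirror the three configurations
discussed (Spring's default DENY, sameOrigin(), and disable()).
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample URLs: the H2 console page, one of the frames it embeds,
# and a placeholder third-party page trying to embed the console.
H2_CONSOLE = "http://localhost:8080/h2-console"
H2_FRAME = "http://localhost:8080/h2-console/tables.do"
ATTACKER_PAGE = "https://attacker.example/"  # placeholder, not a real site

# Constructed response heads for the three Spring Security configurations.
RESPONSE_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"        # Spring Security default
    "\r\n<html>...</html>"
)
RESPONSE_SAMEORIGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"  # .frameOptions().sameOrigin()
    "\r\n<html>...</html>"
)
RESPONSE_DISABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"      # .frameOptions().disable(): no header
    "\r\n<html>...</html>"
)


def xfo_from_response(raw: str) -> Optional[str]:
    """Return the X-Frame-Options value from a raw HTTP response, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-frame-options":
            return value.strip()
    return None


def origin(url: str):
    """(scheme, host, port) tuple; default ports filled in so comparisons work."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def frame_allowed(xfo: Optional[str], page_url: str, ancestors: List[str]) -> bool:
    """Decide whether a browser renders page_url inside the given framing chain.

    ancestors lists the embedding pages from the direct parent up to the
    top-level document; an empty list is a top-level navigation, where the
    header never applies. Every ancestor's origin is checked for SAMEORIGIN.
    """
    if not ancestors:
        return True
    if xfo is None:
        return True  # header absent: any site may frame the page (clickjacking exposure)
    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if "DENY" in values or len(values) > 1:
        return False  # DENY, or conflicting values, treated as DENY in this model
    if values == {"SAMEORIGIN"}:
        page = origin(page_url)
        return all(origin(a) == page for a in ancestors)
    return True  # unrecognised value (e.g. obsolete ALLOW-FROM): browsers ignore it


def h2_console_scenarios() -> Dict[str, Dict[str, bool]]:
    """Per configuration: does the H2 UI frame render, and can a third party embed it?"""
    configs = {
        "DENY (default)": RESPONSE_DEFAULT,
        "SAMEORIGIN": RESPONSE_SAMEORIGIN,
        "disabled": RESPONSE_DISABLED,
    }
    results: Dict[str, Dict[str, bool]] = {}
    for name, raw in configs.items():
        xfo = xfo_from_response(raw)
        results[name] = {
            "h2_ui": frame_allowed(xfo, H2_FRAME, [H2_CONSOLE]),
            "attacker": frame_allowed(xfo, H2_FRAME, [ATTACKER_PAGE]),
        }
    return results


if __name__ == "__main__":
    for name, outcome in h2_console_scenarios().items():
        print(f"{name:15} H2 UI frames render: {outcome['h2_ui']!s:5}  "
              f"third-party site can embed: {outcome['attacker']}")
```

Running the script shows the trade-off in one table: with DENY the console's own tables.do frame is refused (the symptom from the question), with SAMEORIGIN the console works while the placeholder third-party page is still blocked, and with the header disabled both render, which is the clickjacking exposure the answer warns about.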