I have CKeditor on my jsp and whenever I upload something, the following error pops out:
Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.
I have tried removing Spring Security and everything works like a charm. How can I disable this in spring security xml file? What should I write between <http>
tags
By default X-Frame-Options
is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config
<http>
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
</http>
Here are available options for policy
For more information take a look here .
And here to check how you can configure the headers using either XML or Java configs.
Note, that you might need also to specify appropriate strategy
, based on needs.
如果您使用 Java 配置而不是 XML 配置,请将其放入您的WebSecurityConfigurerAdapter.configure(HttpSecurity http)
方法中:
http.headers().frameOptions().disable();
Most likely you don't want to deactivate this Header completely, but use SAMEORIGIN
. If you are using the Java Configs ( Spring Boot
) and would like to allow the X-Frame-Options: SAMEORIGIN
, then you would need to use the following.
For older Spring Security versions:
http
.headers()
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
For newer versions like Spring Security 4.0.2 :
http
.headers()
.frameOptions()
.sameOrigin();
If using XML configuration you can use
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security">
<security:http>
<security:headers>
<security:frame-options disabled="true"></security:frame-options>
</security:headers>
</security:http>
</beans>
If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers().disable()
...;
}
}
If you're using Spring Boot, the simplest way to disable the Spring Security default headers is to use security.headers.*
properties. In particular, if you want to disable the X-Frame-Options
default header, just add the following to your application.properties
:
security.headers.frame=false
There is also security.headers.cache
, security.headers.content-type
, security.headers.hsts
and security.headers.xss
properties that you can use. For more information, take a look at SecurityProperties
.
You should configure multiple HttpSecurity instances.
Here is my code where only /public/ ** requests are without X-Frame-Options header.
@Configuration
public class SecurityConfig {
/**
* Public part - Embeddable Web Plugin
*/
@Configuration
@Order(1)
public static class EmbeddableWebPluginSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
// Disable X-Frame-Option Header
http.antMatcher("/public/**").headers().frameOptions().disable();
}
}
/**
* Private part - Web App Paths
*/
@Configuration
@EnableOAuth2Sso
public static class SSOWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.antMatcher("/**")
.authorizeRequests()
.antMatchers("/public/**", "/", "/login**", "/webjars/**", "/error**", "/static/**", "/robots", "/robot", "/robot.txt", "/robots.txt")
.permitAll()
.anyRequest()
.authenticated()
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/bye");
}
/**
* Public API endpoints
*/
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/api/**");
}
}
}
.csrf().disable()
its to dangerous.
test:
.headers().frameOptions().sameOrigin()
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.