X-Frame DENY in Spring Security

I am using a jQuery download plugin in my Spring project, but the browser gives the following error:

Refused to display 'http://localhost:8086/DART/fleetAndCar/download/5' in a frame because it set 'X-Frame-Options' to 'DENY'. 

I read that this is an X-Frame problem in Spring Security, so I added

    http
        .headers()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

But it doesn't change DENY; it just adds SAMEORIGIN as well, so I get the following error:

 Multiple 'X-Frame-Options' headers with conflicting values ('DENY, SAMEORIGIN') encountered when loading 'http://localhost:8086/DART/fleetAndCar/download/5'. Falling back to 'DENY'. 

This is the HTTP request:

[image: HTTP request]

This is my Spring configuration:

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .antMatcher("/client/**")
                .authorizeRequests()
                    // Exclude send file from authentication because it doesn't work with spring authentication
                    .antMatchers(HttpMethod.POST, "/client/file").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        RoleServices roleServices;

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
                // Spring Security ignores request to static resources such as CSS or JS files.
                .ignoring()
                    .antMatchers("/static/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            List<Role> roles = roleServices.getRoles();
            // Retrieve array of roles (only string field without id)
            String[] rolesArray = new String[roles.size()];
            int i = 0;
            for (Role role : roles) {
                rolesArray[i++] = role.getRole();
            }

            http
                .headers()
                    .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
                    .and()
                .authorizeRequests() // Authorize Request Configuration
                    .anyRequest().hasAnyRole(rolesArray) //.authenticated()
                    .and()
                // Login Form configuration for all others
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .exceptionHandling().accessDeniedPage("/403")
                    .and()
                .logout()
                    .logoutSuccessUrl("/login?logout")
                    .permitAll();
        }
    }

How can I fix this? Thanks (despite the error, the download works fine)

Try

    http
        .headers()
            .frameOptions()
                .sameOrigin();
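
How a browser resolves the two headers from the question, and why the single header from the answer behaves differently, shown as an added example that is not part of the original question or answer. The header lists are constructed samples and the function names are hypothetical; the combining rule follows the X-Frame-Options processing in the HTML Standard.

```javascript
// Added example (not from the original post). Header lists are constructed samples.
// Mirrors how browsers combine X-Frame-Options values per the HTML Standard:
// all header lines are merged, split on commas, lowercased and de-duplicated.
const KNOWN = new Set(["deny", "sameorigin", "allowall"]);

// headers: array of [name, value] pairs, one per response header line.
function collectXfo(headers) {
  const values = new Set();
  for (const [name, value] of headers) {
    if (name.toLowerCase() !== "x-frame-options") continue;
    for (const part of value.split(",")) {
      const token = part.trim().toLowerCase();
      if (token) values.add(token);
    }
  }
  return [...values];
}

// Returns { policy, conflict, values }; policy is the effective framing rule:
// "deny", "sameorigin", or "none" (no usable restriction from this header).
function effectiveXfo(headers) {
  const values = collectXfo(headers);
  if (values.length === 0) return { policy: "none", conflict: false, values };
  if (values.length > 1) {
    // Distinct values: if any is a recognised one, framing is blocked outright.
    const anyKnown = values.some((v) => KNOWN.has(v));
    return { policy: anyKnown ? "deny" : "none", conflict: true, values };
  }
  const only = values[0];
  if (only === "deny" || only === "sameorigin") {
    return { policy: only, conflict: false, values };
  }
  return { policy: "none", conflict: false, values }; // "allowall" or invalid
}

// Constructed sample: default DENY plus the extra addHeaderWriter(...) from the question.
const beforeFix = [
  ["Content-Type", "application/octet-stream"],
  ["X-Frame-Options", "DENY"],
  ["X-Frame-Options", "SAMEORIGIN"],
];
// Constructed sample: single header after frameOptions().sameOrigin().
const afterFix = [
  ["Content-Type", "application/octet-stream"],
  ["X-Frame-Options", "SAMEORIGIN"],
];

console.log(effectiveXfo(beforeFix));
console.log(effectiveXfo(afterFix));
```

Running the same check over captured response headers in an integration test flags any endpoint where a second header writer has been registered alongside the default one.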