WhiteListedAllowFromStrategy does not work
I am using Spring Security 5.1.5.RELEASE and trying to set X-Frame-Options to ALLOW FROM. I use WhiteListedAllowFromStrategy and pass a list of URLs to the whitelist, yet the header that is sent is X-Frame-Options: DENY.
import java.util.Arrays;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        String[] permittedRoutes = {"/", "/register"};

        http
            .headers()
                // drop the default writer (which emits X-Frame-Options: DENY) ...
                .frameOptions()
                    .disable()
                // ... and register an ALLOW-FROM writer backed by a whitelist of origins
                .addHeaderWriter(new XFrameOptionsHeaderWriter(
                        new WhiteListedAllowFromStrategy(Arrays.asList("https://google.com"))));

        http
            .authorizeRequests()
                .antMatchers(permittedRoutes).permitAll()
                .and()
            .authorizeRequests()
                .antMatchers("/**").authenticated()
                .and()
            .formLogin()
                .loginPage("/")
                .defaultSuccessUrl("/home", true)
                .permitAll()
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .permitAll()
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/?logout");
    }

    @Override
    public void configure(WebSecurity web) {
        // requests matching these patterns bypass the security filter chain entirely,
        // so no security headers are written for them
        web
            .ignoring()
            .antMatchers("/assets/**", "/css/**", "/images/**", "/js/**", "/fonts/**",
                         "fonts.googleapis.com/**", "fonts.gstatic.com/**");
    }
}
Any clues?
To use WhiteListedAllowFromStrategy, you must add the x-frames-allow-from parameter (with the origin as its value) to your request; see XFrameOptionsHeaderWriter with WhiteListedAllowFromStrategy doesn't work:
rwinch commented on 21 Oct 2014
You need to ensure that you have provided the origin using the x-frames-allow-from parameter and that origin must match one of the whitelisted origins.
See also WhiteListedAllowFromStrategy#setAllowFromParameterName:
public void setAllowFromParameterName(java.lang.String allowFromParameterName)
Sets the HTTP parameter used to retrieve the value for the origin that is allowed from. The value of the parameter should be a valid URL. The default parameter name is "x-frames-allow-from".
If you only want to allow a single origin, you can use StaticAllowFromStrategy instead of WhiteListedAllowFromStrategy.
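The behaviour the answer describes can be checked without starting a server. The following is an added example, not code from the question, the answer or Spring Security itself: it drives XFrameOptionsHeaderWriter directly with spring-test's MockHttpServletRequest/MockHttpServletResponse (so spring-security-web and spring-test must be on the classpath) and shows what header each kind of request produces. The request paths, the parameter values and the origin https://evil.example are constructed for this demo.

```java
import java.net.URI;
import java.util.Arrays;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

/**
 * Demo (not part of the original question or answer): feeds constructed requests through
 * XFrameOptionsHeaderWriter and reports the X-Frame-Options value each one produces.
 */
public class AllowFromDemo {

    // Same writer the question configures via headers().addHeaderWriter(...)
    private static final XFrameOptionsHeaderWriter WHITELIST_WRITER =
            new XFrameOptionsHeaderWriter(
                    new WhiteListedAllowFromStrategy(Arrays.asList("https://google.com")));

    /**
     * Builds a GET /home request (constructed for the demo), optionally carrying the
     * x-frames-allow-from parameter, runs the writer over it and returns the header written.
     *
     * @param allowFromParam value for x-frames-allow-from, or null to send no parameter
     */
    static String headerFor(XFrameOptionsHeaderWriter writer, String allowFromParam) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/home");
        if (allowFromParam != null) {
            request.setParameter("x-frames-allow-from", allowFromParam);
        }
        MockHttpServletResponse response = new MockHttpServletResponse();
        writer.writeHeaders(request, response);
        return response.getHeader("X-Frame-Options");
    }

    public static void main(String[] args) {
        // 1. The questioner's situation: no x-frames-allow-from parameter on the request.
        System.out.println("no parameter:       " + headerFor(WHITELIST_WRITER, null));

        // 2. Parameter present and its value is in the whitelist.
        System.out.println("whitelisted origin: " + headerFor(WHITELIST_WRITER, "https://google.com"));

        // 3. Parameter present but the value is not whitelisted (constructed origin).
        System.out.println("unknown origin:     " + headerFor(WHITELIST_WRITER, "https://evil.example"));

        // 4. The whitelist check is an exact string match on the list entries,
        //    so a trailing slash makes it a different value.
        System.out.println("trailing slash:     " + headerFor(WHITELIST_WRITER, "https://google.com/"));

        // 5. StaticAllowFromStrategy: a single fixed origin, no request parameter needed.
        XFrameOptionsHeaderWriter staticWriter = new XFrameOptionsHeaderWriter(
                new StaticAllowFromStrategy(URI.create("https://google.com")));
        System.out.println("static strategy:    " + headerFor(staticWriter, null));
    }
}
```

Cases 1, 3 and 4 are the ones where the strategy falls back to DENY, which is exactly what the question observed: with WhiteListedAllowFromStrategy the origin comes from the client-supplied x-frames-allow-from parameter, and anything missing or not matching a list entry is denied. Because that parameter is under the client's control, the whitelist is the only thing preventing an arbitrary ALLOW-FROM value, so keep it to exact origins you intend to embed the page. Case 5 shows the StaticAllowFromStrategy alternative from the answer, which needs no parameter at all. Note that ALLOW-FROM was never supported by every browser; for frame-embedding policy today, a Content-Security-Policy frame-ancestors directive is the portable choice.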