问题
I have enabled Spring Security headers.
My code is like this:
<security:headers disabled="false">
<security:content-security-policy policy-directives="script-src 'self' 'unsafe-inline' 'unsafe-eval'" />
<security:cache-control disabled="true"/>
</security:headers>
By default X-FRAME-OPTIONS is DENY.
But some requests I should enable X-FRAME-OPTIONS as SAMEORIGIN. How to do?
回答1:
You can use a DelegatingRequestMatcherHeaderWriter, see Spring Security Reference:
20.2.3 DelegatingRequestMatcherHeaderWriter
At times you may want to only write a header for certain requests. For example, perhaps you want to only protect your log in page from being framed. You could use the
DelegatingRequestMatcherHeaderWriterto do so. When using the XML namespace configuration, this can be done with the following:<http> <!-- ... --> <headers> <frame-options disabled="true"/> <header ref="headerWriter"/> </headers> </http> <beans:bean id="headerWriter" class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter"> <beans:constructor-arg> <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher" c:pattern="/login"/> </beans:constructor-arg> <beans:constructor-arg> <beans:bean class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter"/> </beans:constructor-arg> </beans:bean>
To use DENYand SAMEORIGIN for different URLs you have to add two header elements with two different DelegatingRequestMatcherHeaderWriter.
来源:https://stackoverflow.com/questions/42111346/how-to-give-request-matcher-in-spring-security-for-x-frame-options