background

I made an embed page with Spring-boot. The one to show from other sites with iframe. At this time, Spring Security was introduced and the HTTP header "X-Frame-Options" was set to DENY by default, and the embedded page was not displayed.

Since this X-Frame-Options itself should be DENY in order to suppress clickjacking on ordinary pages, I decided that it is better to set not to send this header only on the embedding page. However, "setting X-Frame-Options only for a specific URL" was a little complicated, so I summarized it.

I think that other HTTP Headers can be set for each URL if necessary (unverified).

Purpose

Target URLX-Frame-Options
example.com/contents/embed/**Do not send the header itself
Other than the above URLDENY (default)

reference

People with the same worries are on Stack overflow. So, this time I referred to this.

Disable X-FrameOptions response header for a URL Spring Security JAVA config https://stackoverflow.com/questions/42257402/disable-x-frameoptions-response-header-for-a-url-spring-security-java-config

Setting

If you set it with the same "configure (HttpSecurity http)", all URLs will be affected. It seems that the key is to prepare multiple extended WebSecurityConfigurerAdapters.

@EnableWebSecurity
public class WebMVCSecurity {
    //Make settings for authentication. option. This is just a sample, X-Frame-It does not affect Options, so you can change it.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER").and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    //This is the most important.
    //Create an instance of WebSecurityConfigurerAdapter.@Set the reading order with the Order annotation.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            // 「"/contents/embed/**"Specify the URL you want to apply.
            //This time I wanted to set no header, so ".headers().frameOptions().disable()".
            // 「.headers().frameOptions().sameOrigin()There are also settings such as ", so please check it out.
            http.antMatcher("/contents/embed/**").headers().frameOptions().disable();
        }
    }

    //Create another instance of WebSecurityConfigurerAdapter.
    // 「"/contents/embed/**"The settings here are applied to URLs that do not correspond to.
    // @If you do not add the Order annotation, other@It is said that it will be loaded after Order.
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin();

            //etc. Please set according to the project.
        }
    }
}

that's all.

[JAVA] Set HTTP headers (X-Frame-Options) only for specific URLs in Spring Security

标签: none

添加新评论