Menu
I'm using jquery download plugin in my spring project but browser give me the following error:
Refused to display 'http://localhost:8086/DART/fleetAndCar/download/5' in a frame because it set 'X-Frame-Options' to 'DENY'.
I read is a problem about Xframe in spring security so I have added
http
.headers()
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
but it doesn't change DENY but add even SAMEORIGIN so I have he following error:
Multiple 'X-Frame-Options' headers with conflicting values ('DENY, SAMEORIGIN') encountered when loading 'http://localhost:8086/DART/fleetAndCar/download/5'. Falling back to 'DENY'.
and this is the http request:
this is my spring configuration:
@Configuration
@Order(1)
public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.antMatcher("/client/**")
.authorizeRequests()
//Exclude send file from authentication because it doesn't work with spring authentication
.antMatchers(HttpMethod.POST, "/client/file").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}
@Configuration
@Order(2)
public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
RoleServices roleServices;
@Override
public void configure(WebSecurity web) throws Exception {
web
//Spring Security ignores request to static resources such as CSS or JS files.
.ignoring()
.antMatchers("/static/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
List<Role> roles=roleServices.getRoles();
//Retrieve array of roles(only string field without id)
String[] rolesArray = new String[roles.size()];
int i=0;
for (Role role:roles){
rolesArray[i++] = role.getRole();
}
http
.headers()
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
.and()
.authorizeRequests() //Authorize Request Configuration
.anyRequest().hasAnyRole(rolesArray)//.authenticated()
.and() //Login Form configuration for all others
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.exceptionHandling().accessDeniedPage("/403")
.and()
.logout()
.logoutSuccessUrl("/login?logout")
.permitAll();
}
}
How can I fix this problem?Thanks (the download works fine despite the error)
435
You can do it in your spring security config file like this:
<http>
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
</http>
Also you can do it with java configuration in this way:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers().frameOptions().sameOrigin();
}
}
For older spring versions use:
http
.headers()
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
Instead of:
http.headers().frameOptions().sameOrigin();
Finally., these are the available options:
DENY: Does not allow any domain to display this page within a frame.
SAMEORIGIN: Allows the current page to be displayed in a frame on another page, but only within the current domain.
ALLOW-FROM: Allows the current page to be displayed in a frame, but only in a specific URI. For example www.example.com/frame-page
134
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
