我有一个spring-boot web服务器,它使用httpWebSecurityAdapter。
我正在尝试在我的Angular应用程序的div中显示一些网页(HTMLCSS、javascript(。如果启用了X-frame,则不允许我执行此操作。我只想对特定类型的请求禁用x帧选项。
现在我已经禁用了它。我只想做一个特定的网址。
http.headers().frameOptions().disable()
您需要提供多个WebSecurityConfigurerAdapter配置。换句话说,每个url模式都有多个安全配置。
下面是一个示例配置:
@Configuration
@EnableWebSecurity
public class SecurityConfig {
// @Order is to specify which WebSecurityConfigurerAdapter should be considered first. This configuration has the highest priority.
// This configuration is activated for url pattern: /home/**
@Order(1)
@Configuration
public static class DefaultSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/home/**")
.authorizeRequests()
.anyRequest().authenticated()
.and().formLogin()
.and().httpBasic();
}
}
// This configuration is considered after DefaultSecurityConfiguration since it has @Order(2).
// This configuration is activated for url pattern: /registerUser/**
@Order(2)
@Configuration
public static class DisabledFrameOptionsSecurityConfigurer extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/registerUser/**")
.authorizeRequests()
.anyRequest().permitAll();
http.headers().frameOptions().sameOrigin();
}
}
}